rules/findings/Azure/Subscription/CIS3.0/azure-subscription-permit-no-one-disabled.json
|
{
"args": [ ], "provider": "Azure", "serviceType": "Subscription Security", "serviceName": "Subscription", "displayName": "Ensure That \u0027Subscription leaving Microsoft Entra tenant\u0027 and \u0027Subscription entering Microsoft Entra tenant\u0027 Is Set To \u0027Permit no one\u0027", "description": "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.", "rationale": "Permissions to move subscriptions in and out of Microsoft Entra ID must only be given to appropriate administrative personnel. A subscription that is moved into an Microsoft Entra ID may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.", "impact": "Subscriptions will need to have these settings turned off to be moved.", "remediation": { "text": "###### From Azure Console\r\n\t\t\t\t\t1. From the Azure Portal Home select the portal menu in the top left.\r\n\t\t\t\t\t2. In the column that opens up select `General` and then `Subscriptions` within the page that opens up.\r\n\t\t\t\t\t3. Select `Manage policies`\r\n\t\t\t\t\t4. In the screen that next to `Subscription leaving AAD directory` and `Subscription entering AAD` select `Permit no-one`", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy", "https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory", "https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy", "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-protect-identity-and-authentication-systems" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.25", "profile": "Level 2" } ], "level": "medium", "tags": [ "CIS Microsoft Azure Foundations" ], "rule": { "path": "az_subscription_policies", "subPath": null, "selectCondition": { }, "query": [ { "operator": "and", "filter": [ { "conditions": [ [ "name", "eq", "default" ] ] }, { "conditions": [ [ "properties.blockSubscriptionsLeavingTenant", "eq", "False" ], [ "properties.blockSubscriptionsIntoTenant", "eq", "False" ] ], "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "azure_subscription_permit_to_one_disabled", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "azure_206" } |