Azure managed identity has admin level privileges at the subscription scope

Documentos > Datadog Security > OOTB Rules > Azure managed identity has admin level privileges at the subscription scope

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Description

This rule identifies when an Azure Managed Identity has administrative-level permissions at the subscription scope.

Rationale

Administrative Azure role assignments at the subscription scope grant extensive privileges that can affect all resources within the subscription. This broad access increases the risk of accidental or malicious changes.

Remediation

Datadog recommends reducing the permissions and scope of a role assignment to the minimum necessary. Where possible, assign roles at the resource-group or individual-resource level and use built-in roles with limited privileges tailored to operational requirements.