Azure managed identity has admin level privileges at the subscription scope
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
This rule identifies when an Azure Managed Identity has administrative-level permissions at the subscription scope.
Rationale
Administrative Azure role assignments at the subscription scope grant extensive privileges that can affect all resources within the subscription. This broad access increases the risk of accidental or malicious changes.
Datadog recommends reducing the permissions and scope of a role assignment to the minimum necessary. Where possible, assign roles at the resource-group or individual-resource level and use built-in roles with limited privileges tailored to operational requirements.
