chore(azure): enhance metadata for iam service (#9620)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Rubén De la Torre Vico
2026-01-23 14:22:07 +01:00
committed by GitHub
parent f7a16fff99
commit 31b53f091b
4 changed files with 54 additions and 35 deletions


@@ -16,6 +16,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update Azure Container Registry service metadata to new format [(#9615)](https://github.com/prowler-cloud/prowler/pull/9615) - Update Azure Container Registry service metadata to new format [(#9615)](https://github.com/prowler-cloud/prowler/pull/9615)
- Update Azure Cosmos DB service metadata to new format [(#9616)](https://github.com/prowler-cloud/prowler/pull/9616) - Update Azure Cosmos DB service metadata to new format [(#9616)](https://github.com/prowler-cloud/prowler/pull/9616)
- Update Azure Databricks service metadata to new format [(#9617)](https://github.com/prowler-cloud/prowler/pull/9617) - Update Azure Databricks service metadata to new format [(#9617)](https://github.com/prowler-cloud/prowler/pull/9617)
- Update Azure IAM service metadata to new format [(#9620)](https://github.com/prowler-cloud/prowler/pull/9620)
--- ---
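Review bot: the added `+` line presents #9620 as a pure format migration, but the same commit lowers `iam_custom_role_has_permissions_to_administer_resource_locks` from `Severity: high` to `medium`. Severity is user-visible (people filter findings and wire alerts on it), so say so in the entry, e.g. `- Update Azure IAM service metadata to new format and lower resource-locks custom role check severity to medium [(#9620)](https://github.com/prowler-cloud/prowler/pull/9620)`, and give the rationale in the PR.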


@@ -1,30 +1,36 @@
{ {
"Provider": "azure", "Provider": "azure",
"CheckID": "iam_custom_role_has_permissions_to_administer_resource_locks", "CheckID": "iam_custom_role_has_permissions_to_administer_resource_locks",
"CheckTitle": "Ensure an IAM custom role has permissions to administer resource locks", "CheckTitle": "Custom role has permission to administer resource locks",
"CheckType": [], "CheckType": [],
"ServiceName": "iam", "ServiceName": "iam",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "", "ResourceIdTemplate": "",
"Severity": "high", "Severity": "medium",
"ResourceType": "AzureRole", "ResourceType": "microsoft.authorization/roledefinitions",
"ResourceGroup": "IAM", "ResourceGroup": "IAM",
"Description": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks", "Description": "**Azure custom RBAC roles** include the `Microsoft.Authorization/locks/*` action, indicating permission to administer **management locks** at subscription, resource group, or resource scope.",
"Risk": "In Azure, resource locks are a way to prevent accidental deletion or modification of critical resources. These locks can be set at the resource group level or the individual resource level. Resource locks administration is a critical task that should be preformed from a custom role with the appropriate permissions. This ensures that only authorized users can administer resource locks.", "Risk": "Absent a scoped custom role for `Microsoft.Authorization/locks/*`, lock control falls to broad roles (e.g., Owner), weakening **least privilege**. Locks can be disabled or altered, enabling unauthorized changes or deletion, harming **integrity** and **availability**, and reducing **separation of duties** and accountability.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json", "RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/resource-lock-custom-role.html"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "", "CLI": "az role definition create --role-definition '{\"Name\":\"<role_name>\",\"Description\":\"Custom role to administer resource locks\",\"IsCustom\":true,\"Actions\":[\"Microsoft.Authorization/locks/*\"],\"NotActions\":[],\"AssignableScopes\":[\"/subscriptions/<subscription_id>\"]}'",
"NativeIaC": "", "NativeIaC": "```bicep\n// Custom role that can administer resource locks\ntargetScope = 'subscription'\n\nresource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {\n name: guid(subscription().id, '<role_name>') // CRITICAL: use GUID for role definition name\n properties: {\n roleName: '<role_name>'\n description: 'Custom role to administer resource locks'\n permissions: [\n {\n actions: [\n 'Microsoft.Authorization/locks/*' // CRITICAL: grants lock administration to pass the check\n ]\n notActions: []\n }\n ]\n assignableScopes: [ subscription().id ]\n }\n}\n```",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/resource-lock-custom-role.html", "Other": "1. In the Azure portal, go to the target scope (Subscription or Resource group) and open Access control (IAM)\n2. Click Roles, find your custom role, and select Edit\n3. Go to Permissions > Add permissions\n4. Search for \"Microsoft.Authorization/locks\" and select Microsoft.Authorization/locks/*\n5. Click Add, then Review + save > Save",
"Terraform": "" "Terraform": "```hcl\n# Custom role with permission to administer resource locks\nresource \"azurerm_role_definition\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n scope = \"/subscriptions/<example_resource_id>\"\n\n permissions {\n actions = [\n \"Microsoft.Authorization/locks/*\" # CRITICAL: adds lock admin permission to pass the check\n ]\n }\n\n assignable_scopes = [\"/subscriptions/<example_resource_id>\"]\n}\n```"
}, },
"Recommendation": { "Recommendation": {
"Text": "Resouce locks are needed to prevent accidental deletion or modification of critical Azure resources. The administration of resource locks should be performed from a custom role with the appropriate permissions.", "Text": "Define a **least-privilege custom role** restricted to `Microsoft.Authorization/locks/*` and assign it to a tightly controlled group at minimal scope. Apply **separation of duties**, use just-in-time elevation, audit lock changes, and avoid broad roles or pipeline identities managing locks. Layer with **defense-in-depth** controls.",
"Url": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/resource-lock-custom-role.html" "Url": "https://hub.prowler.com/check/iam_custom_role_has_permissions_to_administer_resource_locks"
} }
}, },
"Categories": [], "Categories": [
"identity-access"
],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],
"Notes": "" "Notes": ""
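Review bot: the remediations disagree about what a finding means. `CLI` (`az role definition create ...`), `NativeIaC` and `Terraform` all create a new custom role carrying `Microsoft.Authorization/locks/*`, while the portal steps in `Other` begin with "find your custom role, and select Edit", which assumes the flagged role already exists and only lacks the action. `ResourceType: microsoft.authorization/roledefinitions` and the new title "Custom role has permission to administer resource locks" read as a per-role finding; if so, the CLI should be `az role definition update` adding the action to the reported role rather than `create`, and if instead the finding is "no such role exists", `Other` needs an Access control (IAM) > Add > Add custom role step first. Minor: the portal permission picker offers individual operations, so step 4 should list `Microsoft.Authorization/locks/read`, `/write` and `/delete` or send the reader to the JSON tab where the `locks/*` wildcard can be typed. Also, `Severity` drops from `high` to `medium` with no rationale anywhere in the change; a sentence in `Notes` would help.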


@@ -1,30 +1,36 @@
{ {
"Provider": "azure", "Provider": "azure",
"CheckID": "iam_role_user_access_admin_restricted", "CheckID": "iam_role_user_access_admin_restricted",
"CheckTitle": "Ensure 'User Access Administrator' role is restricted", "CheckTitle": "Role assignment does not grant the User Access Administrator role",
"CheckType": [], "CheckType": [],
"ServiceName": "iam", "ServiceName": "iam",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "", "ResourceIdTemplate": "",
"Severity": "high", "Severity": "high",
"ResourceType": "AzureIAMRoleassignment", "ResourceType": "microsoft.authorization/roleassignments",
"ResourceGroup": "IAM", "ResourceGroup": "IAM",
"Description": "Checks for active assignments of the highly privileged 'User Access Administrator' role in Azure subscriptions.", "Description": "**Azure subscription role assignments** granting **User Access Administrator** are identified to surface principals able to manage access (`Azure RBAC`) at that scope.",
"Risk": "Persistent assignment of this role can lead to privilege escalation and unauthorized access, increasing the risk of security breaches.", "Risk": "Persistent `User Access Administrator` enables assigning high-privilege roles and reading control-plane data, enabling privilege escalation and unauthorized access. Impact: **confidentiality** (data exposure), **integrity** (unauthorized changes), **availability** (service disruption).",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator", "RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs",
"https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "az role assignment delete --role 'User Access Administrator' --scope '/subscriptions/<subscription_id>'", "CLI": "az role assignment delete --assignee <principal_id_or_upn> --role \"User Access Administrator\" --scope \"/subscriptions/<subscription_id>\"",
"NativeIaC": "", "NativeIaC": "",
"Other": "", "Other": "1. In the Azure portal, go to Subscriptions and select <subscription>.\n2. Open Access control (IAM) > Role assignments.\n3. Filter by Role = User Access Administrator.\n4. Select the assignment(s) and click Remove. Confirm.",
"Terraform": "" "Terraform": ""
}, },
"Recommendation": { "Recommendation": {
"Text": "Remove 'User Access Administrator' role assignments immediately after use to minimize security risks.", "Text": "Enforce **least privilege**:\n- Avoid standing `User Access Administrator`; use time-bound, approval-based elevation (PIM)\n- Scope access to only required subscriptions/resource groups\n- Require MFA and monitor role activity\n- Review regularly and remove unused grants",
"Url": "https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs" "Url": "https://hub.prowler.com/check/iam_role_user_access_admin_restricted"
} }
}, },
"Categories": [], "Categories": [
"identity-access"
],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],
"Notes": "" "Notes": ""
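Review bot: the rewritten `Description` drops the word "active" that the old text carried ("Checks for active assignments"). That word matters to anyone following the `Recommendation` to move to PIM: if the check enumerates only active assignments, a PIM-eligible grant is not reported, which is the intended end state, so keep "active" in the description or state the eligible-vs-active behaviour in `Notes`. Related: `AdditionalURLs` now links the elevate-access page. Elevating access as a Global Administrator produces a `User Access Administrator` assignment at root scope `/`, not in a subscription, so it is worth saying in `Notes` whether the check surfaces that case and pointing to the "Remove elevated access" procedure in that document, since the portal and CLI steps here operate on `/subscriptions/<subscription_id>`.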


@@ -1,30 +1,36 @@
{ {
"Provider": "azure", "Provider": "azure",
"CheckID": "iam_subscription_roles_owner_custom_not_created", "CheckID": "iam_subscription_roles_owner_custom_not_created",
"CheckTitle": "Ensure that no custom subscription owner roles are created", "CheckTitle": "Custom role is not a subscription owner role",
"CheckType": [], "CheckType": [],
"ServiceName": "iam", "ServiceName": "iam",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "", "ResourceIdTemplate": "",
"Severity": "high", "Severity": "high",
"ResourceType": "AzureRole", "ResourceType": "microsoft.authorization/roledefinitions",
"ResourceGroup": "IAM", "ResourceGroup": "IAM",
"Description": "Ensure that no custom subscription owner roles are created", "Description": "**Azure custom roles** are analyzed for wildcard permissions. Roles that allow `*` in `actions` within their assignable scopes are treated as **owner-equivalent**, granting unrestricted control over subscription resources.",
"Risk": "Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.", "Risk": "Wildcard access grants full administrative control at subscription scope. If abused or compromised, an actor can exfiltrate data, alter configurations, deploy malware, delete resources, and disable logging, impacting confidentiality, integrity, and availability across the subscription.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles", "RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/remove-custom-owner-roles.html"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "", "CLI": "az role definition update --role-definition '{\"Name\":\"<example_role_name>\",\"Description\":\"Restricted custom role\",\"Actions\":[\"Microsoft.Resources/subscriptions/resourceGroups/read\"],\"NotActions\":[],\"DataActions\":[],\"NotDataActions\":[],\"AssignableScopes\":[\"/subscriptions/<example_subscription_id>\"]}'",
"NativeIaC": "", "NativeIaC": "```bicep\n// Subscription-scoped deployment to ensure the custom role does not use global \"*\" permissions\ntargetScope = 'subscription'\n\nresource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {\n name: guid(subscription().id, '<role_name>') // CRITICAL: use GUID for role definition name\n properties: {\n roleName: '<role_name>'\n description: 'Restricted custom role'\n assignableScopes: [\n subscription().id\n ]\n permissions: [\n {\n actions: [\n 'Microsoft.Resources/subscriptions/resourceGroups/read' // CRITICAL: remove \"*\" and allow only specific actions to avoid owner-equivalent wildcard\n ]\n notActions: []\n dataActions: []\n notDataActions: []\n }\n ]\n }\n}\n```",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/remove-custom-owner-roles.html", "Other": "1. In the Azure portal, go to Subscriptions > <your subscription> > Access control (IAM)\n2. Select the Roles tab, then open the Custom roles tab\n3. Click the custom role that is failing, then click Edit\n4. In Permissions, remove the action \"*\" (All permissions)\n5. Add only the specific actions required (avoid using \"*\")\n6. Click Save",
"Terraform": "" "Terraform": "```hcl\n# Define a custom role without using the global \"*\" action\nresource \"azurerm_role_definition\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n scope = \"/subscriptions/<example_subscription_id>\"\n\n permissions {\n actions = [\"Microsoft.Resources/subscriptions/resourceGroups/read\"] # CRITICAL: do not use \"*\"; specify only required actions\n }\n\n assignable_scopes = [\"/subscriptions/<example_subscription_id>\"]\n}\n```"
}, },
"Recommendation": { "Recommendation": {
"Text": "Custom subscription owner roles should not be created. This is because the principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access", "Text": "Avoid owner-equivalent custom roles. Apply **least privilege**: prefer built-in roles, define explicit allowed `actions` (avoid `*`), and limit assignment scope to the minimum needed. Enforce **separation of duties**, require just-in-time elevation, and perform periodic access reviews to prevent privilege creep.",
"Url": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/remove-custom-owner-roles.html" "Url": "https://hub.prowler.com/check/iam_subscription_roles_owner_custom_not_created"
} }
}, },
"Categories": [], "Categories": [
"identity-access"
],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],
"Notes": "" "Notes": ""
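Review bot: the `CLI` remediation runs `az role definition update` with JSON that has no `Id`. Without it the CLI falls back to looking the role up by `Name` inside the first assignable scope, logs a warning, and errors if the lookup is not unique; include `"Id":"/subscriptions/<example_subscription_id>/providers/Microsoft.Authorization/roleDefinitions/<role_definition_id>"` in the JSON, or precede the command with `az role definition list --custom-role-only true` so the reader can find it. Second, `Description` says roles that allow `*` in `actions` are treated as owner-equivalent but is silent on `notActions`; a Contributor-style custom role (`*` with `Microsoft.Authorization/*/Write` and `Microsoft.Authorization/*/Delete` in `notActions`) would be flagged by that rule even though it cannot manage access. If that is the intended behaviour, say so in `Notes` so a reader understands why a deliberately non-owner role still fails and that the fix is to enumerate `actions` rather than to add exclusions.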