Azure Custom Roles
Custom Roles for Harvesting Azure Accounts and Resources with InsightCloudSec
InsightCloudSec offers a few custom roles for Azure accounts ("subscriptions") and organizations ("management groups") that will be harvested. Role usage depends on the level of access you want to provide InsightCloudSec (Read Only vs. Power User) or the type of account being added to InsightCloudSec (single account vs. organization, Commercial vs. GovCloud). For most scenarios within InsightCloudSec, using the Azure-created roles is appropriate. Note: New required permissions are announced in our release notes. The roles provided here include the following:
Explicit and Key Vault Permissions
- The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the Commercial and GovCloud Reader and Reader Plus roles because it must be granted explicitly unless one of the Azure built-in Owner, Contributor, or AcrPull roles is used.
- Due to a limitation with Azure, roles with a Management Group (Azure Organization) scope cannot have dataActions permissions. Because the Azure Single Cloud and Organization setup instructions both recommend using the roles below, they do not include the Microsoft Key Vault dataActions permission, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). This simplifies copying the role during setup as well as role maintenance.
Azure Commercial Harvesting
- Azure Custom Reader User Role -- This role will grant InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure subscription or management group so that it can harvest data and report on it
- Azure Reader Plus Role -- This role will grant InsightCloudSec extensive read-only permissions, including increased access to Azure Web Apps
- Azure Power User Role -- This role will grant InsightCloudSec all permissions to supported resources within a given Azure subscription or management group so it can act upon cloud resources in addition to monitoring and reporting on them
Azure GovCloud Harvesting
Organization Support
Currently, InsightCloudSec does not offer Organization onboarding support for Azure GovCloud.
- Azure GovCloud Custom Reader User Role -- This role will grant InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure GovCloud subscription so that it can harvest data and report on it
- Azure GovCloud Power User Role -- This role will grant InsightCloudSec all permissions to supported resources within a given Azure GovCloud subscription so it can act upon cloud resources in addition to monitoring and reporting on them
Additional Harvesting Policies
- Azure Organization Reader User Role -- This role will grant InsightCloudSec access to Azure management group information; see Organizations (Azure) for details
For any questions about the content provided here, feel free to reach out to us through the Customer Support Portal.
Azure Commercial Harvesting
For Azure commercial (non-GovCloud) accounts, there are three role options (excluding Azure's built-in roles):
Azure Custom Reader User Role
If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the Azure Custom Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Reader Plus User Role
The Reader Plus role is similar to the built-in Azure Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. Because of the wildcard usage, the role is more easily maintained. In addition, the following permissions are explicitly granted:
"Microsoft.Web/sites/config/list/Action",
"Microsoft.Web/sites/slots/config/list/Action"
For the permissions above, the config/list/Action permission provides visibility to determine whether Web Apps are configured to require authentication and, for Serverless Functions, whether the function is enabled or disabled. The caveat is that those permissions also provide access to any environment variables configured for Web Apps, which may contain sensitive information.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Power User Role
If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Azure Power User role. The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure GovCloud Harvesting
For Azure GovCloud accounts, there are two role options (excluding Azure's built-in roles):
Azure GovCloud Custom Reader User Role
If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure GovCloud resources, then we recommend using the Azure GovCloud Custom Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure GovCloud service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure GovCloud Power User Role
If you would like to use InsightCloudSec to manage your Microsoft Azure GovCloud resources directly or through the use of Bots, then use the InsightCloudSec Azure GovCloud Power User role. The InsightCloudSec Azure GovCloud Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure GovCloud service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Additional Harvesting Policies
Azure Organization Reader Role
If you are adding an Azure Organization to InsightCloudSec, you'll need to create the Azure Organization Reader Role. This role will grant InsightCloudSec read-only permissions to aspects of management groups and subscriptions so that it can harvest data and report on them.
Code Block Tabs
The role included in the code block below has two tabs: one for just the permissions associated with the role and one for the full JSON with abbreviated permissions. The permissions version can be simply copied into an in-progress custom role (as part of the Azure Setup - Organization instructions). The full JSON version can be saved, modified, and uploaded as a JSON file during the custom role assignment process. Review Azure's documentation for more information.
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/descendants/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Management/managementGroups/settings/read",
"Microsoft.Resources/subscriptions/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
{
"properties": {
"roleName": "InsightCloudSec Organization Reader User Role (Management Group)",
"description": "Provides access to read the structure for a given Management Group.",
"assignableScopes": [
"/providers/Microsoft.Management/managementGroups/<my-management-group>"
],
"permissions": [
{
"actions": [
"..."
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
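As an added example (not part of the InsightCloudSec documentation or its published role files), the following Python script checks a downloaded custom role JSON for the points this page raises before the role is uploaded: an unreplaced subscription or management group placeholder, dataActions on a management group scoped role, write-capable wildcards in a role meant to be read-only, and the Web App config/list actions whose environment-variable exposure is noted above. The sample role and the function names are constructed for this example.

```python
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
# Actions the page singles out: they reveal Web App settings, which can hold secrets.
WEBAPP_CONFIG_ACTIONS = {
    "Microsoft.Web/sites/config/list/Action",
    "Microsoft.Web/sites/slots/config/list/Action",
}

def check_role(role: dict, read_only: bool = True) -> list[str]:
    """Return human-readable findings for one custom role definition; empty means clean."""
    props = role.get("properties", role)          # accept the full JSON or just its properties
    scopes = props.get("assignableScopes", [])
    findings = []
    for scope in scopes:                           # 1. <placeholder> values must be replaced
        if "<" in scope and ">" in scope:
            findings.append(f"unreplaced placeholder in assignableScopes: {scope}")
    mg_scoped = any(s.startswith(MG_PREFIX) for s in scopes)
    for perm in props.get("permissions", []):
        if mg_scoped and perm.get("dataActions"):  # 2. Azure rejects dataActions at MG scope
            findings.append("dataActions not allowed on a management group scoped role: "
                            + ", ".join(perm["dataActions"]))
        for action in perm.get("actions", []):
            if read_only and "*" in action and not action.endswith("/read"):
                findings.append(f"wildcard grants more than read in a read-only role: {action}")
            if action in WEBAPP_CONFIG_ACTIONS:    # 3. surface the env-var exposure caveat
                findings.append(f"exposes Web App settings (may include secrets): {action}")
    return findings

def check_role_json(text: str, read_only: bool = True) -> list[str]:
    """Same check on the raw JSON file content as downloaded."""
    return check_role(json.loads(text), read_only)

# Constructed sample, not one of the published roles: MG-scoped, placeholder left in place,
# a dataAction that cannot be assigned at that scope, and a Web App config action.
SAMPLE_ROLE_JSON = """{
  "properties": {
    "roleName": "Example Reader Role",
    "description": "Constructed sample for validation.",
    "assignableScopes": ["/providers/Microsoft.Management/managementGroups/<my-management-group>"],
    "permissions": [{
      "actions": ["*/read", "Microsoft.Web/sites/config/list/Action"],
      "notActions": [],
      "dataActions": ["Microsoft.KeyVault/vaults/keyrotationpolicies/read"],
      "notDataActions": []
    }]
  }
}"""

if __name__ == "__main__":
    for finding in check_role_json(SAMPLE_ROLE_JSON):
        print("FINDING:", finding)
```

Run it against the role file you intend to upload; an empty result means the scope is concrete and the permissions match the read-only expectation, while any finding should be resolved or consciously accepted before assignment.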
Updated about 1 month ago