mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-28 05:33:10 -08:00
azure basics
@@ -259,8 +259,10 @@ This roles can **also be assigned over logic containers** (such as management gr
- A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere
- It’s possible to use wildcards
- The used format is a JSON
- `actions` are for control actions over the resource
- `dataActions` are permissions over the data within the object
- `actions` refer to permissions for management operations on resources, such as creating, updating, or deleting resource definitions and settings.
- `dataActions` are permissions for data operations within the resource, allowing you to read, write, or delete the actual data contained in the resource.
- `notActions` and `notDataActions` are used to exclude specific permissions from the role. However, **they don't deny them**, if a different role grants them, the principal will have them.
- `assignableScopes` is an array of scopes where the role can be assigned (like management groups, subscriptions, or resource groups).
Example of permissions JSON for a custom role:
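Review bot: the two added bullets for `actions` and `dataActions` define terms the list already defines two entries earlier (`actions` are for control actions over the resource / `dataActions` are permissions over the data within the object); keep one bullet per term, preferably the longer new wording, and drop the short duplicates. The first bullet also needs a grammar pass: "a excluded permission" should be "an excluded permission", and "even if the permissions is being granted elsewhere" should be "even if the permission is granted elsewhere".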
@@ -297,7 +299,7 @@ Example of permissions JSON for a custom role:
### Permissions order
- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
- An explicit **deny role assignment takes precedence** over the role granting the permission.
- An explicit **deny assignment takes precedence** over the role granting the permission.
<figure><img src="../../../images/image (191).png" alt=""><figcaption><p><a href="https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10">https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10</a></p></figcaption></figure>
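Review bot: replacing "deny role assignment" with "deny assignment" is the right correction, since deny assignments are a separate mechanism from role assignments rather than a kind of role; the first bullet deserves the same care, because "an explicit role being granted to him (anyhow)" is vague. The hunk's context line already says roles can be assigned over logic containers, so state that the granting role may be assigned directly on the resource or inherited from a parent scope (management group, subscription, resource group).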
@@ -310,6 +312,12 @@ This elevation can be done at the end of the page: [https://portal.azure.com/#vi
<figure><img src="../../../images/image (349).png" alt=""><figcaption></figcaption></figure>
### Deny Assignments
Just like role assignments, **deny assignments** are used to **control access to Azure resources**. However, **deny assignments** are used to **explicitly deny access** to a resource, even if a user has been granted access through a role assignment. **Deny assignments** take precedence over **role assignments**, meaning that if a user is granted access through a role assignment but is also explicitly denied access through a deny assignment, the deny assignment will take precedence.
Just like role assignments, **deny assignments** are applied over some scope indicating the affected principals and the permissions that are being denied. Moreover, in the case of deny assignments, it's possible to **prevent the deny to be inherited** by children resources.
### Azure Policies
**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
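Review bot: the first Deny Assignments paragraph states the precedence rule three times ("explicitly deny access ... even if a user has been granted access", "take precedence over role assignments", "the deny assignment will take precedence"); one sentence is enough, and the point is already made by the bullet in the Permissions order section just above. In the second paragraph, "prevent the deny to be inherited by children resources" should read "prevent the deny assignment from being inherited by child resources". The Azure Policies paragraph would read better with one sentence tying it to the surrounding material: policies constrain what resources may look like (regions, tags), whereas role and deny assignments control who may act on them.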