
🪵 Azure Resource Manager

Azure Resource Manager (ARM) is the native platform for infrastructure as code (IaC) in Azure. It enables centralized management, deployment, and security of Azure resources, and provides a unified framework for managing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) resources. ARM also manages access control through Role-Based Access Control (RBAC).

👔 Azure Resource Manager Resource Hierarchy

Azure resources are organized in a hierarchical structure to facilitate efficient management and access control:

  • Management Group Level: The top-level container for organizing subscriptions.
  • Subscription: A billing entity that contains one or more resource groups.
  • Resource Group: A container that holds related resources for an Azure solution.
  • Individual Resource: Specific Azure services or applications, such as VMs, databases, or storage accounts.

πŸ–‹οΈ Role-Based Access Control (RBAC) ​

Azure RBAC is an authorization system built on ARM that provides fine-grained access management of Azure resources. RBAC allows you to specify who can do what at different scopes.

RBAC Components

Role Assignment

A role assignment binds a role definition to a security principal at a specific scope. It consists of:

  • Security Principal: An object that represents a user, group, service principal, or managed identity requesting access to Azure resources.
  • Scope: The set of resources that the access applies to. Scopes can be at the management group level, subscription, resource group, or individual resource.
  • Role Definition: A collection of permissions. It defines what actions can be performed on what resources.

Security Principal

A security principal is an entity requesting access to Azure resources. It can be one of the following:

  • User Identity: An individual user account.
  • Groups: A set of users.
  • Service Principal: An identity for an application or service.
  • Managed Identity: An automatically managed identity for Azure services.

Scope

Scope defines the set of resources that the access applies to. You can assign a role to a security principal at the following levels:

  • Management Group Level: Scope that includes multiple subscriptions.
  • Subscription: Scope that includes all resources within a subscription.
  • Resource Group: Scope that includes all resources within a resource group.
  • Individual Resource: Scope that includes a specific resource.

Role Assignments

A role assignment attaches a role definition to a security principal at a specific scope. Access is granted by creating a role assignment and revoked by removing it.

Role Assignment Hierarchy

RBAC allows you to assign roles at different levels of the resource hierarchy. The assignment at a higher level (e.g., subscription) is inherited by the lower levels (e.g., resource group and individual resource).
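As an added example (not code from this page or from Microsoft), a small Python model of the inheritance rule above: an assignment applies at its own scope and at every scope beneath it, with scopes written as ARM resource IDs. It goes slightly beyond the text by also applying a role definition's NotActions (Actions minus NotActions, as Azure evaluates a role); the principal names, the simplified role definitions and the subscription-to-management-group table are constructed for the demo.

```python
"""Toy evaluator for Azure RBAC scope inheritance (added example)."""
from fnmatch import fnmatchcase

# Constructed: which management group each subscription sits under.
# ARM resolves this from the real MG hierarchy; here it is a lookup table.
MG_PARENT = {"/subscriptions/sub-1":
             "/providers/microsoft.management/managementgroups/prod-mg"}

# Simplified role definitions (real built-in roles list many more entries).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Owner": {"actions": ["*"], "notActions": []},
}


def scope_chain(scope: str) -> list[str]:
    """Return the scope and every ancestor scope, most specific first.

    Order: resource -> resource group -> subscription -> management group.
    Scopes are compared case-insensitively, as ARM does."""
    s = scope.lower()
    chain = [s]
    parts = s.strip("/").split("/")
    if "resourcegroups" in parts:
        i = parts.index("resourcegroups")
        rg = "/" + "/".join(parts[: i + 2])
        if rg != s:
            chain.append(rg)
    if parts[0] == "subscriptions":
        sub = "/" + "/".join(parts[:2])
        if sub not in chain:
            chain.append(sub)
        if sub in MG_PARENT:
            chain.append(MG_PARENT[sub])
    return chain


def role_permits(role: str, action: str) -> bool:
    """Effective permission of one role = Actions minus NotActions."""
    d = ROLES[role]
    act = action.lower()
    return (any(fnmatchcase(act, p.lower()) for p in d["actions"])
            and not any(fnmatchcase(act, p.lower()) for p in d["notActions"]))


def is_allowed(principal: str, action: str, scope: str, assignments) -> bool:
    """assignments: iterable of (principal, role, assigned_scope) tuples."""
    ancestors = scope_chain(scope)
    return any(p == principal and a.lower() in ancestors and role_permits(r, action)
               for p, r, a in assignments)
```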

📈 Azure Resource Manager API

The Azure Resource Manager API allows you to programmatically interact with your Azure resources. The API endpoint follows this structure:

```bash
{HTTP method} https://management.azure.com/{version}/{resource}?{query-parameters}
```