
AZ-500: How Does Azure’s Principle of Least Privilege Apply to RBAC Role Assignments?

Why Should You Grant RBAC Roles at the Resource Group, Not Subscription Scope?

For the AZ-500 exam, master the principle of least privilege in Azure RBAC. Learn why assigning roles such as Contributor at the resource group scope is crucial for security, and how granting the same permissions at the subscription level creates unnecessary risk.

Question

To provide full access to the resources in an Azure resource group, you should grant only the Contributor role for the subscription.

A. FALSE
B. TRUE

Answer

A. FALSE

Explanation

The correct answer is A. FALSE. To provide full access to a single resource group, you should grant the Contributor role at the scope of that specific resource group, not the entire subscription, in adherence with the principle of least privilege.

There is no need to grant permissions at the subscription level; doing so violates the principle of least privilege.

The Principle of Least Privilege in Azure

The principle of least privilege is a foundational security concept stating that a user or service should only be granted the minimum permissions necessary to perform their required tasks. Applying this principle in Azure RBAC minimizes the potential damage from accidental misconfigurations or compromised credentials.

Understanding RBAC Scope and Inheritance

Azure RBAC uses a hierarchical scope model where permissions are inherited from parent scopes to child scopes. The hierarchy is as follows: Management Group > Subscription > Resource Group > Resource.

  • The Flaw in the Proposed Solution: Granting the Contributor role at the subscription level gives that user full management rights over every single resource group and resource within that subscription. This is far more access than required if the goal is to manage only one specific resource group.
  • Inheritance Risk: Because permissions flow down, the user would automatically have Contributor rights on all existing and any future resource groups created in that subscription, creating an unnecessarily large attack surface.

The Correct Approach

To correctly implement the principle of least privilege in this scenario, you must assign the role at the narrowest possible scope.

  • Role: The Contributor role is appropriate because it grants permissions to manage all resources.
  • Scope: The correct scope is the specific resource group that the user needs to manage.

By assigning the Contributor role directly to the resource group, you grant the user the exact permissions they need, but only on the resources they are responsible for. They will have no access or visibility into other resource groups within the same subscription, thus respecting the principle of least privilege and enhancing the overall security posture of your Azure environment.
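The scope-inheritance rule described above can be made concrete by modelling how an assignment's scope maps onto the ARM resource ID hierarchy. The following is an added example, not part of the original question or of any Microsoft tooling; the subscription ID, resource group names and principals are constructed placeholders, and `scope_covers`, `effective_roles` and `overly_broad` are hypothetical helper names.

```python
"""Model Azure RBAC scope inheritance: a Contributor assignment at subscription
scope is inherited by every current and future resource group, while one at
resource-group scope reaches only that group. Constructed example data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user or service principal (constructed names)
    role: str        # built-in role name, e.g. "Contributor"
    scope: str       # ARM resource ID at which the role was assigned

def _segments(scope: str) -> list[str]:
    # ARM resource IDs are case-insensitive; compare normalised path segments
    # so "rg-app" is never mistaken for a prefix of "rg-app2".
    return [s.lower() for s in scope.strip("/").split("/") if s]

def scope_covers(assigned_scope: str, target: str) -> bool:
    """True if a role assigned at `assigned_scope` is inherited by `target`.
    Permissions flow down (management group > subscription > resource group >
    resource), so the assignment applies to any target ID that starts with it."""
    a, t = _segments(assigned_scope), _segments(target)
    return len(a) <= len(t) and t[: len(a)] == a

def effective_roles(assignments, principal, target):
    """Roles `principal` holds on `target`, whether assigned directly or inherited."""
    return sorted({ra.role for ra in assignments
                   if ra.principal == principal and scope_covers(ra.scope, target)})

def overly_broad(assignments, needed_scope):
    """Audit helper: assignments that reach `needed_scope` from a strictly wider scope."""
    return [ra for ra in assignments
            if scope_covers(ra.scope, needed_scope)
            and _segments(ra.scope) != _segments(needed_scope)]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
RG_APP = f"{SUB}/resourceGroups/rg-app"
RG_FIN = f"{SUB}/resourceGroups/rg-finance"

ASSIGNMENTS = [
    RoleAssignment("alice", "Contributor", RG_APP),  # least privilege: rg-app only
    RoleAssignment("bob", "Contributor", SUB),       # the flawed option: whole subscription
]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        for rg in (RG_APP, RG_FIN, f"{SUB}/resourceGroups/rg-created-next-month"):
            print(who, rg.rsplit("/", 1)[-1], effective_roles(ASSIGNMENTS, who, rg))
    print("wider than rg-app needs:", [ra.principal for ra in overly_broad(ASSIGNMENTS, RG_APP)])
```

Running it shows alice holding Contributor only on rg-app, while bob inherits Contributor on rg-finance and on a resource group that does not exist yet, which is exactly the inheritance risk the explanation describes.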
