Granting minimal level of access for Azure Security Scans with AZSK
To carry out an Azure security assessment with the AZSK (Secure DevOps Kit for Azure) tool, the following Azure AD and IAM role assignments should be created.
- Global Reader and Security Reader in Azure AD
- Reader IAM RBAC Role in subscription scope
Below are the detailed instructions for creating the two above-mentioned accounts.
Instructions to Create Account for AZSK Scans
1. Creating Account for Azure AD
- Navigate to Azure Active Directory >>> Users
- Create a new account, or give permission to an existing account, for Azure AD
- Select created/existing user and add assignment
- Assign Global Reader and Security Reader Roles
2. Granting Reader IAM role for subscriptions
- Select desired subscription
- Navigate to Access Control (IAM) Menu
- Select Add Role Assignment
- Select the Reader role, select the desired user, and press Save
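
Once both steps are done, it is worth confirming that the scan account holds exactly the roles listed above and nothing broader. The following check is an added example, not part of the original instructions or of AZSK. It assumes the RBAC assignments were exported with `az role assignment list --assignee <user> --all -o json` and that the account's Azure AD role display names are passed in as a plain list; the function name, subscription IDs and sample data are constructed for illustration.

```python
import json

# Access the page prescribes for the scan account, and nothing beyond it.
REQUIRED_DIRECTORY_ROLES = {"Global Reader", "Security Reader"}
REQUIRED_RBAC_ROLE = "Reader"


def audit_scan_account(directory_roles, rbac_assignments, subscription_ids):
    """Return findings; an empty list means the account holds exactly the prescribed access."""
    findings = []
    held = set(directory_roles)
    for role in sorted(REQUIRED_DIRECTORY_ROLES - held):
        findings.append(f"missing directory role: {role}")
    for role in sorted(held - REQUIRED_DIRECTORY_ROLES):
        findings.append(f"unexpected directory role: {role}")

    wanted = {f"/subscriptions/{sid}".lower() for sid in subscription_ids}
    covered = set()
    for item in rbac_assignments:
        role = item.get("roleDefinitionName", "")
        scope = item.get("scope", "").rstrip("/")
        if role == REQUIRED_RBAC_ROLE and scope.lower() in wanted:
            covered.add(scope.lower())
        else:
            # Anything else: a write-capable role, or Reader at another scope.
            findings.append(f"unexpected RBAC assignment: {role} at {scope}")
    for scope in sorted(wanted - covered):
        findings.append(f"missing {REQUIRED_RBAC_ROLE} at {scope}")
    return findings


# Constructed sample data (placeholder subscription IDs, not real tenants).
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE_RBAC_JSON = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_A}/resourceGroups/rg-demo"},
])


def demo():
    """Audit a drifted account: extra Contributor, no Reader on SUB_B, one AD role missing."""
    return audit_scan_account(
        ["Global Reader", "User Administrator"],
        json.loads(SAMPLE_RBAC_JSON),
        [SUB_A, SUB_B],
    )


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An empty result means the account matches the two role sets above; any finding points to a role to add or remove before running the scan.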