← all rules

iac/iam/iam-azure-rbac-owner

Azure RBAC Owner role assigned

highCloud IAMiac-iam

What it detects

The Azure built-in `Owner` role grants full access to all resources in the scope, including the right to delegate access to others. At subscription or resource-group scope this is the cloud-permissions equivalent of administrator — a compromise of the identity is a compromise of everything in scope.

Remediation

Assign the least-privilege built-in role the identity needs (e.g. `Reader`, a service-specific Contributor) instead of `Owner`, and narrow the assignable scope.

How it runs

Run against JSON/YAML/source files. AWS IAM rules require a policy-document context (Statement + Effect); GCP primitive roles are matched anywhere. HCL is left to the Terraform layer.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.