How to create an Azure JIT user RBAC role

When you talk about security in a public cloud environment, every single action that can reduce the attack surface should be taken.

Microsoft Azure provides a very good tool that can open any port on any VM for a limited time and for a specific source IP. It is called Just In Time access (JIT) and is available in the Azure Security Center. I suggest you read this post.

For one of our clients, we wanted to allow engineers to request access themselves instead of opening tickets to support, which breaks the cloud promise of delivering services as fast as light! Sadly, no single built-in RBAC role was present to fulfill this request. Yours truly found the exact actions needed to achieve this goal, and you’ll find the PowerShell script below to help you.

First of all, let’s deep dive into how I figured out which rights are needed for JIT and the provider they belong to.

To find the provider, I used this command first:

Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState


That gives me the following result (list of registered provider namespaces):


Now it’s easy to figure out which provider is needed, as we are talking about security: Microsoft.Security.

Let’s have a look at the operations available in this provider:

Get-AzureRmProviderOperation Microsoft.Security/*


In the huge list, you’ll find three operations related to JIT.

As I don’t want my users to create new JIT policies, I’ll use only:

  • Microsoft.Security/locations/jitNetworkAccessPolicies/read : in order to see the VMs listed in Azure Security Center
  • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action : in order to initiate the access request

So now we have everything we need to create our custom RBAC role using the following PowerShell snippet:


# Sign in to the subscription where the custom role will be defined
Login-AzureRmAccount
# Use an existing built-in role as a template, then strip it down
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                                   # a null Id turns this into a new definition
$role.Name = "Just In Time access User"
$role.Description = "Users that can enable access to Virtual Machines."
$role.Actions.Clear()                              # drop every Virtual Machine Contributor permission
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/read")
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/<subscription_guid>")   # replace with your subscription id
New-AzureRmRoleDefinition -Role $role


Now you have your new role and can assign users to it, so that they can request access as they need to work without waiting for support to enable it 🙂
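As an added example (not part of the original post), the following PowerShell snippet narrows the discovery step to the JIT operations, checks that the role really grants only the two actions, and assigns it at resource-group scope rather than subscription-wide. The resource group name and user UPN are placeholders you fill in.

```powershell
# Added example, not from the original post. Assumes the AzureRM module is
# loaded, you are logged in, and the custom role above already exists.
$roleName      = "Just In Time access User"
$resourceGroup = "<resource_group>"   # placeholder: group holding the target VMs
$userUpn       = "<user_upn>"         # placeholder: engineer who may request access

# 1. Discovery: filter the Microsoft.Security operations down to the JIT
#    ones instead of scrolling through the whole list by hand.
Get-AzureRmProviderOperation "Microsoft.Security/*" |
    Where-Object { $_.Operation -like "*/jitNetworkAccessPolicies/*" } |
    Select-Object Operation, Description |
    Format-Table -AutoSize

# 2. Sanity check: the role must contain exactly the two actions we granted,
#    no leftovers from the Virtual Machine Contributor template.
$role = Get-AzureRmRoleDefinition -Name $roleName
if ($null -eq $role) { throw "Role '$roleName' not found" }
$expected = @(
    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
)
$unexpected = $role.Actions | Where-Object { $expected -notcontains $_ }
if ($unexpected) { throw "Role grants extra actions: $($unexpected -join ', ')" }

# 3. Assign at resource-group scope (least privilege: the user can only
#    request JIT access to VMs in that group, not across the subscription).
New-AzureRmRoleAssignment -SignInName $userUpn `
                          -RoleDefinitionName $roleName `
                          -ResourceGroupName $resourceGroup

# 4. Verify the effective assignment for that user on that scope.
Get-AzureRmRoleAssignment -SignInName $userUpn -ResourceGroupName $resourceGroup |
    Select-Object RoleDefinitionName, Scope
```

Assigning at resource-group scope works because the role's AssignableScopes entry for the subscription covers every resource group beneath it.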

EDIT

Charbel Nemnom has just published a wonderful script to request VM access. His script combined with this role is the perfect combo to grant secure VM access to your users.