docs(azure): Review actual roles necessary to execute Prowler (#4501)
puchy22 authored Jul 23, 2024
1 parent bd56ca2 commit 489830f
Showing 5 changed files with 13 additions and 11 deletions.
8 changes: 7 additions & 1 deletion docs/getting-started/requirements.md
Expand Up @@ -71,12 +71,18 @@ To use each one you need to pass the proper flag to the execution. Prowler for A
- `Policy.Read.All`
- `UserAuthenticationMethod.Read.All`
- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool. It is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
- `Security Reader`
- `Reader`
- `ProwlerRole` (custom role defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json))

To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assigning-proper-permissions) section, respectively.

#### Checks that require ProwlerRole

The following checks require the `ProwlerRole` custom role to be executed, if you want to run them, make sure you have assigned the role to the identity that is going to be assumed by Prowler:

- `app_function_access_keys_configured`
- `app_function_ftps_deployment_disabled`

## Google Cloud

### Authentication
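Review bot: the new list item `ProwlerRole` is placed under an intro sentence that still reads "add the following RBAC builtin roles per subscription", but `ProwlerRole` is the custom role from prowler-azure-custom-role.json, not a built-in role; reword the intro to something like "add the following roles per subscription (the two built-in roles plus the custom `ProwlerRole`)" and write "built-in". This file also keeps `Security Reader` in the list, while the subscriptions.md change in this same commit drops it and keeps only `Reader`; the two pages should agree on whether `Security Reader` is still required. Minor: the added sentence "require the `ProwlerRole` custom role to be executed, if you want to run them, make sure..." is a run-on; split it after "executed".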
Binary file added docs/img/add-reader-role.gif
Binary file removed docs/img/page-IAM.png
Binary file not shown.
12 changes: 4 additions & 8 deletions docs/tutorials/azure/subscriptions.md
Expand Up @@ -11,25 +11,21 @@ Where you can pass from 1 up to N subscriptions to be scanned.

## Assigning proper permissions

Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:

- `Security Reader`
- `Reader`
Regarding the subscription scope, Prowler by default scans all subscriptions that it is able to list, so it is necessary to add the `Reader` RBAC built-in roles per subscription or management group (recommended for multiple subscriptions, see it in the [next section](#recommendation-for-multiple-subscriptions)) to the entity that will be adopted by the tool:

To assign this roles, follow the instructions:

1. Access your subscription, then select your subscription.
2. Select "Access control (IAM)".
3. In the overview, select "Roles".
![IAM Page](../../img/page-IAM.png)
4. Click on "+ Add" and select "Add role assignment".
5. In the search bar, type `Security Reader`, select it and click on "Next".
5. In the search bar, type `Reader`, select it and click on "Next".
6. In the Members tab, click on "+ Select members" and add the members you want to assign this role.
7. Click on "Review + assign" to apply the new role.

*Repeat these steps for `Reader` role*
![Add reader role to subscription](../../img/add-reader-role.gif)

Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Please be sure to change the `assignableScopes` field for your subscriptions or management group. Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity.
Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity.

## Recommendation for multiple subscriptions
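Review bot: the rewritten paragraph drops the sentence "Please be sure to change the `assignableScopes` field for your subscriptions or management group", which was the only instruction telling readers to restrict where the custom role can be assigned; since the JSON in this same commit now ships with `assignableScopes` set to `/`, keep that sentence (or an equivalent note) so the role stays scoped to the management group or subscriptions Prowler actually scans. Smaller points: "the `Reader` RBAC built-in roles" should be singular ("role"), "cusotm" is a typo carried over unchanged into the new line, and step 1 "Access your subscription, then select your subscription" reads as a duplication (presumably "Access Subscriptions, then select your subscription").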

4 changes: 2 additions & 2 deletions permissions/prowler-azure-custom-role.json
@@ -1,9 +1,9 @@
{
"properties": {
"roleName": "ProwlerRole",
"description": "",
"description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
"assignableScopes": [
"/providers/Microsoft.Management/managementGroups/<name_management_group> or /subscriptions/<subscription_id>"
"/"
],
"permissions": [
{
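Review bot: replacing the `<name_management_group>` / `<subscription_id>` placeholders in `assignableScopes` with `/` makes the shipped definition assignable at the tenant root, which is broader than the per-subscription or per-management-group, read-only intent the new `description` and the docs describe; prefer keeping a placeholder scope such as `/subscriptions/<subscription_id>` and telling users to narrow it, which is the least-privilege default. Note also that creating a custom role requires permission to write role definitions at every scope listed in `assignableScopes`, so a root-scope default raises the bar for who can even create the role; if `/` is meant as a convenience, the subscriptions.md tutorial should say so explicitly.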

0 comments on commit 489830f
