This check examines the custom role definitions in each Azure subscription. A custom role whose Actions include the bare wildcard "*" and whose assignable scopes include the subscription is treated as owner-equivalent: anyone assigned that role gets unrestricted control over every resource in the subscription, regardless of how the role is named.
Risk
A wildcard action grants full administrative control at subscription scope. If such a role is assigned to a compromised or malicious principal, the actor can exfiltrate data, alter configurations, deploy malware, delete resources and disable logging, affecting the confidentiality, integrity and availability of everything in the subscription.
prowler azure --checks iam_subscription_roles_owner_custom_not_created
Recommendation
Avoid owner-equivalent custom roles. Apply least privilege: prefer built-in roles, define explicit allowed actions (avoid *), and limit assignment scope to the minimum needed. Enforce separation of duties, require just-in-time elevation, and perform periodic access reviews to prevent privilege creep.
Remediation
az role definition update --role-definition '{"Name":"<example_role_name>","Description":"Restricted custom role","Actions":["Microsoft.Resources/subscriptions/resourceGroups/read"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/<example_subscription_id>"]}'
- In the Azure portal, go to Subscriptions > <your subscription> > Access control (IAM)
- Select the Roles tab, then open the Custom roles tab
- Click the custom role that is failing, then click Edit
- In Permissions, remove the action "*" (All permissions)
- Add only the specific actions required (avoid using "*")
- Click Save
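The logic behind this check, and a way to confirm a remediated definition no longer trips it, as an added example that is not Prowler's own source code. It reproduces the detection rule described above over a constructed sample shaped like the output of `az role definition list --custom-role-only true`. Role names, the subscription ID and the resource-group name are made up for the example. One assumption goes beyond the page's subscription-only wording: roles assignable at the tenant root ("/") or at a management group are also flagged, since such roles can be assigned at any subscription beneath that scope.

```python
"""Flag owner-equivalent Azure custom roles (bare "*" action at subscription-covering scope).

Added example, not Prowler's code. Runs offline on the constructed sample below;
pipe real `az role definition list --custom-role-only true -o json` output on stdin to
run it against your tenant.
"""
import json
import re
import sys

# Exact subscription scope, e.g. /subscriptions/<guid>. A trailing resourceGroups/...
# segment does not match, so roles scoped to a single resource group are not flagged.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]+$")
# Assumption: management-group scopes cover every subscription below them.
MGMT_GROUP_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")


def covers_subscription(scope: str) -> bool:
    """True when a role with this assignable scope can be assigned at subscription level."""
    scope = scope.rstrip("/") or "/"
    return (
        scope == "/"
        or bool(SUBSCRIPTION_SCOPE.match(scope))
        or bool(MGMT_GROUP_SCOPE.match(scope))
    )


def is_owner_equivalent(role: dict) -> bool:
    """Apply the check's rule to one role definition.

    Only custom roles are considered (built-in Owner legitimately has "*").
    Only the bare "*" counts; a provider wildcard such as "Microsoft.Compute/*"
    is broad but not owner-equivalent. NotActions are ignored on purpose:
    "*" minus a few exclusions is still near-owner and is flagged.
    """
    if role.get("roleType") != "CustomRole":
        return False
    has_wildcard = any(
        action.strip() == "*"
        for perm in role.get("permissions", [])
        for action in perm.get("actions", [])
    )
    return has_wildcard and any(covers_subscription(s) for s in role.get("assignableScopes", []))


def find_owner_equivalent(role_definitions: list) -> list:
    """Return the names of all failing roles, sorted for stable output."""
    return sorted(r["roleName"] for r in role_definitions if is_owner_equivalent(r))


# Constructed sample: the shape of `az role definition list --custom-role-only true -o json`
# (subset of fields). Names and IDs are invented for the example.
SAMPLE_ROLES = json.loads("""[
  {"roleName": "Ops Emergency Admin", "roleType": "CustomRole",
   "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"]}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"]},
  {"roleName": "RG Reader (remediated)", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"], "notActions": []}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"]},
  {"roleName": "Compute Operator", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Compute/*"], "notActions": []}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"]},
  {"roleName": "Team A RG Admin", "roleType": "CustomRole",
   "permissions": [{"actions": ["*"], "notActions": []}],
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/team-a"]},
  {"roleName": "Tenant Wildcard", "roleType": "CustomRole",
   "permissions": [{"actions": ["*"], "notActions": []}],
   "assignableScopes": ["/"]},
  {"roleName": "Owner", "roleType": "BuiltInRole",
   "permissions": [{"actions": ["*"], "notActions": []}],
   "assignableScopes": ["/"]}
]""")


if __name__ == "__main__":
    roles = SAMPLE_ROLES if sys.stdin.isatty() else json.load(sys.stdin)
    failing = find_owner_equivalent(roles)
    for name in failing:
        print(f"FAIL: custom role '{name}' grants '*' at a subscription-covering scope")
    if not failing:
        print("PASS: no owner-equivalent custom roles found")
```

"Team A RG Admin" passes this check because its assignable scope is a single resource group, but it still grants full control inside that group, so it is worth reviewing separately. The remediated "RG Reader" definition mirrors the az CLI command above and passes.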
Resource Type
microsoft.authorization/roledefinitions