Risk Details
Overly Permissive IAM Role for Inference Service
The IAM role attached to a containerized inference service has administrator-level permissions (AdministratorAccess).
Severity: Medium
Status: Open
Cloud Provider: Azure
Affected Resources
- /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/inference-admin-role
Remediation: Apply Principle of Least Privilege
- Analyze the actual permissions the inference service needs to operate (e.g., read from a specific model repository, write logs).
- Create a new, tightly-scoped IAM policy with only the required permissions.
- Attach the new policy to the service's IAM role.
- Detach the 'AdministratorAccess' policy.