Ensure there is a custom IAM role assigned to manage resource locking within each Microsoft Azure subscription. Azure resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources running within a Azure cloud account. The Azure resource locking is also a recommended NIST configuration. The permissions required to enable the IAM role to manage cloud resource locking are Microsoft.Authorization/locks/read (gets resource locks at the specified scope), Microsoft.Authorization/locks/write (adds locks at the specified scope), and Microsoft.Authorization/locks/delete (deletes locks at the specified scope).
Azure resource locks enable you to restrict operations on production Azure cloud resources where modifying or deleting a resource would have a significant negative impact. As an administrator, it may be necessary to lock important resources in order to prevent other users within your organization from mistakenly deleting or modifying them. Because the Azure resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be reasonable to create a resource lock administrator role to prevent inadvertent unlocking of cloud resources. By creating and assigning a resource locking administrator role, you can have the appropriate permissions required for managing just resource locks rather than needing to provide the wide Owner or Contributor role, implementing the Principle of Least Privilege (POLP) and thus preventing any accidental or intentional damage to your Azure cloud resources.
To determine if there is a custom role assigned to manage resource locking within each Azure subscription, perform the following actions:
Remediation / Resolution
To create a custom role responsible for managing resource locks in your Microsoft Azure cloud subscription, perform the following actions:
- Azure Official Documentation
- Azure custom roles
- Quickstart: Check access for a user to Azure resources
- PA-1: Protect and limit highly privileged users
- PA-2: Restrict administrative access to business-critical systems
- PA-7: Follow just enough administration (least privilege principle)
- PA-5: Automate entitlement management
- GS-2: Define enterprise segmentation strategy
- GS-6: Define identity and privileged access strategy
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Resource Locking Administrator Role
Risk level: Medium