Ensure that your production or mission-critical Azure Cosmos DB accounts have resource locks enabled, so that non-admin users cannot delete or modify the database cluster. This helps prevent both accidental and malicious changes or resource deletion.
Azure resource locks enable you to restrict operations on production Azure Cosmos DB accounts where modifying or deleting a resource would have a significant negative impact on the entire system. As an Azure account administrator, it may be necessary to lock an important cloud resource in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:
- "CanNotDelete" – authorized users can still read and modify the cloud resource, but they cannot delete it.
- "ReadOnly" – authorized users can read the cloud resource, but they cannot update or delete it. Applying this lock level is similar to restricting all authorized users to the permissions granted by the "Reader" role.
Audit
To determine if your production Azure Cosmos DB accounts have resource locks configured, perform the following operations:
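The following script is an added example (not part of this page or Trend Micro's own tooling) of the audit logic: it takes the JSON that `az cosmosdb list -o json` and `az lock list -o json` emit and reports which accounts have no effective CanNotDelete or ReadOnly lock. It goes beyond a per-account check by honouring lock inheritance, so a lock placed on the resource group or subscription counts for every account beneath it. The subscription id, account names and lock ids below are constructed sample data; only the `id`, `name` and `level` fields of the CLI output are relied on.

```python
# Suffix that every lock's ARM id carries; everything before it is the lock's scope.
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"


def lock_scope(lock_id: str) -> str:
    """Return the (lower-cased) scope a lock applies to: subscription, RG or resource."""
    lowered = lock_id.lower()
    idx = lowered.find(LOCK_SUFFIX)
    return lowered[:idx] if idx != -1 else lowered


def covers(scope: str, resource_id: str) -> bool:
    """ARM locks are inherited: a lock at a scope protects every resource at or below it.
    The trailing '/' stops 'prod-orders' from matching 'prod-orders-2'."""
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def effective_locks(accounts, locks):
    """Map each Cosmos DB account name to the [(level, scope), ...] locks protecting it."""
    result = {}
    for acct in accounts:
        hits = [(lk["level"], lock_scope(lk["id"])) for lk in locks
                if lk.get("level") in ("CanNotDelete", "ReadOnly")
                and covers(lock_scope(lk["id"]), acct["id"])]
        result[acct["name"]] = hits
    return result


def unprotected_accounts(accounts, locks):
    """Names of accounts that no CanNotDelete/ReadOnly lock reaches (audit failures)."""
    return sorted(n for n, hits in effective_locks(accounts, locks).items() if not hits)


# Constructed sample data in the shape of the two CLI commands' JSON output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
COSMOS = "providers/Microsoft.DocumentDB/databaseAccounts"
ACCOUNTS = [  # `az cosmosdb list -o json` (fields used here only)
    {"name": "prod-orders", "id": f"{SUB}/resourceGroups/rg-prod/{COSMOS}/prod-orders"},
    {"name": "prod-catalog", "id": f"{SUB}/resourceGroups/rg-prod/{COSMOS}/prod-catalog"},
    {"name": "prod-billing", "id": f"{SUB}/resourceGroups/rg-billing/{COSMOS}/prod-billing"},
]
LOCKS = [  # `az lock list -o json` (fields used here only)
    {"name": "no-delete", "level": "CanNotDelete",  # lock directly on one account
     "id": f"{SUB}/resourceGroups/rg-prod/{COSMOS}/prod-orders/providers/Microsoft.Authorization/locks/no-delete"},
    {"name": "rg-readonly", "level": "ReadOnly",     # lock on a whole resource group
     "id": f"{SUB}/resourceGroups/rg-billing/providers/Microsoft.Authorization/locks/rg-readonly"},
]

if __name__ == "__main__":
    for name, hits in effective_locks(ACCOUNTS, LOCKS).items():
        print(name, "PROTECTED" if hits else "UNPROTECTED", hits)
```

With the sample data, `prod-orders` and `prod-billing` are protected (the latter by inheritance from its resource group) and `prod-catalog` is reported as unprotected. Resource locks govern control-plane (Azure Resource Manager) operations only; the referenced "Protect Azure Cosmos DB resources with locks" documentation also describes disabling key-based metadata write access so that callers holding an account key cannot bypass the lock through the SDK.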
Remediation / Resolution
To enable resource locks for your production or mission critical Azure Cosmos DB accounts, perform the following operations:
References
- Azure Official Documentation
- Lock your Azure resources to protect your infrastructure
- Protect Azure Cosmos DB resources with locks
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az cosmosdb list
- az lock list
- az lock create
- az lock delete