Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Use Resource Locks for Azure Cosmos DB Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your production or mission critical Azure Cosmos DB accounts have resource locks enabled so that non-admin users are not able to delete or modify your database cluster in order to help prevent accidental and malicious changes or resource deletion.

Security

Azure resource locks enable you to restrict operations on production Azure Cosmos DB accounts where modifying or deleting a resource would have a significant negative impact on the entire system. As an Azure account administrator, it may be necessary to lock an important cloud resource in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:

Audit

To determine if your production Azure Cosmos DB accounts have resource locks configured, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.

06 In the resource navigation panel, under Settings, select Locks to access the resource locks configured for the selected Cosmos DB account.

07 On the Locks page, check for any resource locks configured for the selected database cluster. If there are no resource locks listed on this page and the following message is displayed: This resource has no locks., the selected Azure Cosmos DB account does not use resource locks. If one or more resource locks are configured, check the Lock type column to identify the lock type (level) used for the resource. If your Cosmos DB account does not use the correct lock level, the resource locks configuration is not compliant.

08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription: 

az cosmosdb list
	--query '[*].id'

05 The command output should return the requested Azure Cosmos DB account IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account"
]

06 Run lock list command (Windows/macOS/Linux) with the ID of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to describe the name and the level of the resource lock set for the selected database cluster: 

az lock list
	--resource  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--query '[*].{"name":name,"level":level}'

07 Based on the resource lock configuration, the command output should return one of the following:

  1. If the lock list command output returns an empty array (i.e., []), as shown in the example below, the selected Azure Cosmos DB account does not use resource locks: 
    []
  2. If the lock list command output returns an empty array (i.e., []), as shown in the example below, the selected Azure Cosmos DB account does not use resource locks: 
    [
	{
		"level": "CanNotDelete",
		"name": "cc-delete-lock"
	}
]

08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable resource locks for your production or mission critical Azure Cosmos DB accounts, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to lock down.

06 In the resource navigation panel, under Settings, select Locks.

07 On the Locks page, perform the following actions:

  1. Choose the non-compliant resource lock that you want to remove and choose Delete to delete the lock.
  2. Choose Add from the top menu and perform the following operations to create a new, compliant resource lock:
    1. Provide a name for the new resource lock in the Lock name box.
    2. Select the appropriate type (level) of lock restriction from the Lock type dropdown list. Use Read-only when you need authorized users to read the resource, without being able to update or delete the resource. Select Delete when you need authorized users to read and update the resource, without being able to delete the resource.
  3. For Notes, provide a short description of the implemented lock restriction.
  4. Click OK to create and apply the resource lock.

08 Repeat steps no. 5 - 7 for each Azure Cosmos DB account that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run lock delete command (Windows/macOS/Linux) with the ID of the Azure Cosmos DB account that you want to delete as the identifier parameter, to remove the specified resource lock from the selected database cluster (the command does not produce an output): 

az lock delete
	--name cc-delete-lock
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"

05 Run lock create command (Windows/macOS/Linux) with the ID of the Azure Cosmos DB account that you want to lock down as the identifier parameter, to enable resource locks for the selected database cluster. As an example, the following command request creates a "ReadOnly" resource lock. This lock level allows authorized users to read the resource, without being able to update or delete the resource: 

az lock create
	--name cc-read-only-lock
	--lock-type ReadOnly
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"

06 The command output should return the information available for the new resource lock: 

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database1/providers/Microsoft.Authorization/locks/cc-read-only-lock",
	"level": "ReadOnly",
	"name": "cc-read-only-lock",
	"notes": null,
	"owners": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Authorization/locks"
}

07 Repeat steps no. 4 - 6 for each Azure Cosmos DB account that you want to configure, deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date May 28, 2025

Related CosmosDB rules