Ensure that all your mission critical Azure cloud resources have resource locks enabled so that certain users are not able to delete or modify these resources, in order to help prevent accidental and malicious changes or deletion.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Azure resource locks enable you to restrict operations on production Azure cloud resources where modifying or deleting a resource would have a significant negative impact. As an Azure account administrator, it may be necessary to lock an important resource, a resource group, or even a subscription, in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:
"CanNotDelete" – authorized users can still read and modify a cloud resource, but they can't delete the resource.
"ReadOnly" – authorized users can read a cloud resource, but they can't delete or update the resource. Using this lock level is similar to restricting all authorized users to the permissions granted by the "Reader" role.
Note: Resource locks can be applied to an Azure cloud resource, a resource group, or even to an Azure subscription. This conformity rule demonstrates how to determine (audit) and implement (remediation) resource locks at the individual resource level using a Microsoft Azure Key Vault as an example.
Audit
To determine if your mission critical resources have resource locks configured, perform the following actions:
Remediation / Resolution
To enable resource locks for your mission critical Azure cloud resources (in this case Key Vault instances), perform the following actions:
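The audit and remediation steps above both come down to the same question: does a given Key Vault have an effective CanNotDelete or ReadOnly lock, counting locks inherited from its resource group or subscription? The following added example (not Conformity's own code) implements that check in pure Python over constructed sample data shaped like the JSON that `az keyvault list` and `az lock list` print, and builds the `az lock create` command for each unlocked vault; the subscription id is a placeholder.

```python
# Added example: audit logic for resource locks on Key Vault instances.
# Input dicts mirror `az keyvault list` / `az lock list --output json`.
import shlex

LOCK_MARKER = "/providers/Microsoft.Authorization/locks/"
LOCK_LEVELS = {"CanNotDelete", "ReadOnly"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample: two vaults as `az keyvault list` would list them.
SAMPLE_VAULTS = [
    {"name": "kv-prod",
     "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"},
    {"name": "kv-dev",
     "id": SUB + "/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-dev"},
]
# Constructed sample of `az lock list`: one lock, set on the rg-prod resource group.
SAMPLE_LOCKS = [
    {"name": "rg-prod-no-delete", "level": "CanNotDelete",
     "id": SUB + "/resourceGroups/rg-prod" + LOCK_MARKER + "rg-prod-no-delete"},
]


def lock_scope(lock_id):
    """Scope a lock protects: its own id with the lock segment removed."""
    return lock_id.split(LOCK_MARKER, 1)[0].lower()


def effective_locks(resource_id, locks):
    """Locks that apply to a resource: one on the resource itself or on an ancestor
    scope (resource group, subscription). Ids are case-insensitive; the '/' stops
    rg-prod from matching rg-prod2."""
    rid = resource_id.lower()
    found = []
    for lock in locks:
        scope = lock_scope(lock["id"])
        if lock.get("level") in LOCK_LEVELS and (rid == scope or rid.startswith(scope + "/")):
            found.append(lock)
    return found


def unlocked_vaults(vaults, locks):
    """Names of vaults with no effective CanNotDelete/ReadOnly lock (the audit finding)."""
    return [v["name"] for v in vaults if not effective_locks(v["id"], locks)]


def remediation_command(vault_id, lock_name):
    """The `az lock create` invocation that adds a CanNotDelete lock at resource scope."""
    return ("az lock create --name %s --lock-type CanNotDelete --resource %s"
            % (shlex.quote(lock_name), shlex.quote(vault_id)))


if __name__ == "__main__":
    for name in unlocked_vaults(SAMPLE_VAULTS, SAMPLE_LOCKS):
        vault_id = next(v["id"] for v in SAMPLE_VAULTS if v["name"] == name)
        print("UNLOCKED:", name, "\n  fix:", remediation_command(vault_id, name + "-no-delete"))
```

Against live data, feed it the parsed output of `az keyvault list` and a subscription-wide `az lock list`, and review each generated command before running it, since a ReadOnly lock also blocks legitimate updates.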