Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Use Resource Locks for Azure Cache for Redis Servers

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your production or mission critical Azure Cache for Redis servers have resource locks enabled so that non-admin users are not able to delete or modify your cache servers in order to help prevent accidental and malicious changes or resource deletion.

Security

Azure resource locks enable you to restrict operations on production Azure Cache for Redis servers where modifying or deleting a resource would have a significant negative impact on the entire system. As an Azure account administrator, it may be necessary to lock an important cloud resource in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:

Audit

To determine if your production Azure Cache for Redis servers have resource locks configured, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to examine.

06 In the resource navigation panel, under Settings, select Locks to access the resource locks configured for the selected resource.

07 On the Locks page, check for any resource locks configured for the selected cache server. If there are no resource locks listed on this page and the following message is displayed: This resource has no locks., the selected Azure Cache for Redis server does not use resource locks. If one or more resource locks are configured, check the Lock type column to identify the lock type (level) used for the resource. If your Redis cache server does not use the correct lock level, the resource locks configuration is not compliant.

08 Repeat steps no. 5 - 7 for each Azure Cache for Redis server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run redis list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Cache for Redis server available in the selected subscription: 

az redis list
	--query '[*].id'

05 The command output should return the requested cache server IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-webapp-cache-server"
]

06 Run lock list command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to examine as the identifier parameter and custom output filters to describe the name and the level of the resource lock set for the selected cache server: 

az lock list
	--resource  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache"
	--query '[*].{"name":name,"level":level}'

07 Based on the resource lock configuration, the command output should return one of the following:

  1. If the lock list command output returns an empty array (i.e., []), as shown in the example below, the selected Azure Cache for Redis server does not use resource locks: 
    []
  2. If the command output returns the name and the level of the resource lock but the lock level is not the required one, as shown in the example below where the "ReadOnly" lock is expected, the resource locks configuration for the selected Azure Cache for Redis server is not compliant: 
    [
	{
		"level": "CanNotDelete",
		"name": "cc-delete-lock"
	}
]

08 Repeat steps no. 6 and 7 for each Azure Cache for Redis server available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable resource locks for your production or mission critical Azure Cache for Redis servers, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to lock down.

06 In the resource navigation panel, under Settings, select Locks.

07 On the Locks page, perform the following actions:

  1. Choose the non-compliant resource lock that you want to remove and choose Delete to delete the lock.
  2. Choose + Add from the top menu and perform the following operations to create a new, compliant resource lock:
    1. Provide a name for the new resource lock in the Name box.
    2. Select the appropriate type (level) of lock restriction from the Lock type dropdown list. Use Read-only when you need authorized users to read the resource, without being able to update or delete the resource. Select Delete when you need authorized users to read and update the resource, without being able to delete the resource.
  3. For Notes, provide a short description of the implemented lock restriction.
  4. Click OK to create and apply the resource lock.

08 Repeat steps no. 5 - 7 for each Azure Cache for Redis server that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run lock delete command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to delete as the identifier parameter, to remove the specified resource lock from the selected cache server (the command does not produce an output): 

az lock delete
	--name cc-delete-lock
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache"

05 Run lock create command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to lock down as the identifier parameter, to enable resource locks for the selected cache server. As an example, the following command request creates a "ReadOnly" resource lock. This lock level allows authorized users to read the resource, without being able to update or delete the resource: 

az lock create
	--name cc-read-only-lock
	--lock-type ReadOnly
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache"

06 The command output should return the information available for the new resource lock: 

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache/providers/Microsoft.Authorization/locks/cc-read-only-lock",
	"level": "ReadOnly",
	"name": "cc-read-only-lock",
	"notes": null,
	"owners": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Authorization/locks"
}

07 Repeat steps no. 4 - 6 for each Azure Cache for Redis server that you want to configure, deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date May 12, 2025

Related RedisCache rules