Azure_keyVault_3

Ensure that Resource Locks are set for mission critical Azure resources

Description

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. They are very useful when there is an important resource in a subscription that users should not be able to delete or change, and can help prevent accidental and malicious changes or deletion.

Remediation

Perform the following in the Azure Console:

  1. Navigate to the specific Azure Resource or Resource Group
  2. For each mission critical resource, click on Locks
  3. Click Add
  4. Give the lock a name and a description, then select the type, CanNotDelete or ReadOnly as appropriate

Perform the following in Azure Command Line Interface 2.0:

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name <LockName> --lock-type <CanNotDelete/ReadOnly> --resource-group <resourceGroupName> --resource-name <resourceName> --resource-type <resourceType>
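
As an added audit check (not part of this benchmark or of the Azure CLI), the script below takes the JSON printed by `az lock list --output json` and reports which mission critical resources have neither a CanNotDelete nor a ReadOnly lock in effect. It accounts for locks placed on a parent resource group or subscription, which Resource Manager applies to every child resource; the lock records, subscription id and resource ids below are constructed sample data.

```python
import json

# Constructed sample of `az lock list --output json`: one lock placed directly on a
# Key Vault and one placed on a whole resource group (inherited by its children).
SAMPLE_LOCKS_JSON = """[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv/providers/Microsoft.Authorization/locks/kv-nodelete",
   "level": "CanNotDelete", "name": "kv-nodelete", "notes": "mission critical"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/core-rg/providers/Microsoft.Authorization/locks/core-readonly",
   "level": "ReadOnly", "name": "core-readonly", "notes": null}
]"""

# Constructed list of the resources the organisation has classified as mission critical.
MISSION_CRITICAL = [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/core-rg/providers/Microsoft.KeyVault/vaults/core-kv",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/dev-rg/providers/Microsoft.KeyVault/vaults/dev-kv",
]

LOCK_MARKER = "/providers/microsoft.authorization/locks/"
PROTECTIVE_LEVELS = {"cannotdelete", "readonly"}


def lock_scopes(locks_json):
    """Map each lock's scope (its id up to the lock segment) to the set of lock levels.
    Azure resource ids are case-insensitive, so everything is compared lower-cased."""
    scopes = {}
    for lock in json.loads(locks_json):
        scope = lock["id"].lower().split(LOCK_MARKER, 1)[0]
        scopes.setdefault(scope, set()).add(lock["level"].lower())
    return scopes


def effective_levels(resource_id, scopes):
    """Lock levels protecting a resource: locks on the resource itself plus locks on any
    parent scope (resource group or subscription), which Resource Manager inherits down."""
    rid = resource_id.lower()
    levels = set()
    for scope, scope_levels in scopes.items():
        if rid == scope or rid.startswith(scope + "/"):
            levels |= scope_levels
    return levels


def unlocked_resources(mission_critical_ids, locks_json):
    """Return the mission critical resource ids with no CanNotDelete or ReadOnly lock in effect."""
    scopes = lock_scopes(locks_json)
    return [rid for rid in mission_critical_ids
            if not effective_levels(rid, scopes) & PROTECTIVE_LEVELS]


if __name__ == "__main__":
    for rid in unlocked_resources(MISSION_CRITICAL, SAMPLE_LOCKS_JSON):
        print("FAIL: no resource lock in effect on", rid)
```

Feeding it real output (`az lock list --output json > locks.json`) and your own inventory of critical resource ids turns the manual console check into a repeatable control.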

References:

  1. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
  2. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks

Service

Other Security Considerations

Severity

High

Compliance

Mapping
