Control: 1.22 Ensure Custom Role is assigned for Administering Resource Locks
Description
Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.
Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.
Remediation
From Console
- In the Azure portal, open a subscription or resource group where you want the custom role to be assignable.
- Select
Access control (IAM)
from side bar - Click
Add
from top bar - Select Add custom role
- In the Custom Role Name field enter
Resource Lock Administrator
- In the Description field enter Can
Administer Resource Lock
s - For Baseline permissions select Start from scratch
- Click
next
- In the Permissions tab select Add permissions
- in the Search for a permission box, type in
Microsoft.Authorization/locks
to search for permissions. - Select the check box next to the permission called
Microsoft.Authorization/locks
- click add
- Click Review+create
- Click Create
- Assign the newly created role to the appropriate user.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_1_22
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_1_22 --share
SQL
This control uses a named query:
ad_manual_control