Control: 1.23 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Description
Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.
Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.
Remediation
From Azure Portal
- In the Azure portal, open a subscription or resource group where you want the custom role to be assigned.
- Select
Access control (IAM).
- Click
Add
. - Select
Add custom role
. - In the
Custom Role Name
field enterResource Lock Administrator
. - In the Description field enter
Can Administer Resource Locks
. - For Baseline permissions select
Start from scratch
- Select
next
. - In the Permissions tab select
Add permissions
. - In the Search for a permission box, type in
Microsoft.Authorization/locks
to search for permissions. - Select the check box next to the permission
Microsoft.Authorization/locks
. - Select
Add
. - Select
Review + create
. - Select
Create
. - Assign the newly created role to the appropriate user.
From PowerShell:
Below is a power shell definition for a resource lock administrator role created at an Azure Management group level
Import-Module Az.AccountsConnect-AzAccount
$role = Get-AzRoleDefinition "User Access Administrator" $role.Id = $null$role.Name = "Resource Lock Administrator" $role.Description = "Can Administer Resource Locks" $role.Actions.Clear() $role.Actions.Add("Microsoft.Authorization/locks/*") $role.AssignableScopes.Clear()
* Scope at the Management group level Management group
$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/ MG-Name")
New-AzRoleDefinition -Role $role Get-AzureRmRoleDefinition "Resource Lock Administrator"
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v210_1_23
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v210_1_23 --share
SQL
This control uses a named query:
ad_manual_control