Control: 6.24 Ensure that a custom role is assigned permissions for administering resource locks
Description
Resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources within Azure subscriptions and resource groups, and it is a recommended NIST configuration.
Given that the resource lock functionality is outside of standard Role-Based Access Control (RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.
Remediation
From Azure Portal
1. In the Azure portal, navigate to a subscription or resource group.
2. Click Access control (IAM).
3. Click + Add.
4. Click Add custom role.
5. In the Custom role name field enter Resource Lock Administrator.
6. In the Description field enter Can Administer Resource Locks.
7. For Baseline permissions select Start from scratch.
8. Click Next.
9. Click Add permissions.
10. In the Search for a permission box, type Microsoft.Authorization/locks.
11. Click the result.
12. Check the box next to Permission.
13. Click Add.
14. Click Review + create.
15. Click Create.
16. Click OK.
17. Click + Add.
18. Click Add role assignment.
19. In the Search by role name, description, permission, or ID box, type Resource Lock Administrator.
20. Select the role.
21. Click Next.
22. Click + Select members.
23. Select appropriate members.
24. Click Select.
25. Click Review + assign.
26. Click Review + assign again.
27. Repeat steps 1-26 for each subscription or resource group requiring remediation.
From PowerShell
Below is a PowerShell definition for a resource lock administrator role created at the Azure management group level. It clones the built-in User Access Administrator role, replaces its actions with the lock actions only, and restricts the assignable scope to one management group (replace MG-Name with your own).

```powershell
Import-Module Az.Accounts
Import-Module Az.Resources   # provides Get-AzRoleDefinition / New-AzRoleDefinition
Connect-AzAccount

# Start from a built-in role object so the definition has the right shape,
# then turn it into a new custom role.
$role = Get-AzRoleDefinition "User Access Administrator"
$role.Id = $null                     # a null Id makes New-AzRoleDefinition create a new role
$role.Name = "Resource Lock Administrator"
$role.Description = "Can Administer Resource Locks"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/locks/*")   # only lock read/write/delete actions
$role.AssignableScopes.Clear()

# Scope at the management group level (MG-Name is a placeholder)
$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/MG-Name")

New-AzRoleDefinition -Role $role
Get-AzRoleDefinition "Resource Lock Administrator"   # verify the role was created
```
Default Value
A role for administering resource locks does not exist by default.
Usage
Run the control in your terminal:

```shell
powerpipe control run azure_compliance.control.cis_v400_6_24
```

Snapshot and share results via Turbot Pipes:

```shell
powerpipe login
powerpipe control run azure_compliance.control.cis_v400_6_24 --share
```
SQL
This control uses a named query:

```sql
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;
```
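The named query only marks each subscription for manual verification. The following script, added here as an example and not part of the Powerpipe mod or the CIS benchmark, performs that verification with the Az module: it lists every role definition at the current scope that can delete a resource lock (honouring NotActions, which is why Contributor drops out) and reports whether the custom role named in the remediation exists. The role name is taken from this page; the helper function names are the author's own.

```powershell
# Added audit script (not part of the Powerpipe mod or the CIS benchmark).
# Finds every role definition at the current scope that can delete a resource
# lock, and reports whether the dedicated custom role from the remediation exists.
Import-Module Az.Resources
Connect-AzAccount | Out-Null

$customRoleName = 'Resource Lock Administrator'   # name used in the remediation above
$lockDelete     = 'Microsoft.Authorization/locks/delete'

# Azure RBAC action strings use '*' as a wildcard; convert one to a regex and
# test it against a concrete operation (case-insensitive, like the RBAC engine).
function Test-ActionMatch {
    param([string]$Pattern, [string]$Operation)
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return $Operation -imatch $regex
}

# A role can remove locks if some Action matches the delete operation and no
# NotAction takes it away again (Contributor is excluded for exactly this
# reason: it lists "Microsoft.Authorization/*/Delete" under NotActions).
function Test-CanDeleteLocks {
    param($Role)
    $granted = @($Role.Actions    | Where-Object { Test-ActionMatch $_ $lockDelete }).Count -gt 0
    $denied  = @($Role.NotActions | Where-Object { Test-ActionMatch $_ $lockDelete }).Count -gt 0
    return $granted -and -not $denied
}

$lockRoles = Get-AzRoleDefinition | Where-Object { Test-CanDeleteLocks $_ }

$custom = $lockRoles | Where-Object { $_.IsCustom -and $_.Name -eq $customRoleName }
if ($custom) {
    Write-Output "PASS: '$customRoleName' exists, assignable at: $($custom.AssignableScopes -join ', ')"
} else {
    Write-Output "FAIL: no custom role named '$customRoleName' can manage resource locks"
}

# Built-in roles such as Owner and User Access Administrator also carry lock
# rights; list them so reviewers know who else can remove a lock.
$lockRoles |
    Where-Object { -not $_.IsCustom } |
    Select-Object Name, Id, @{ Name = 'AssignableScopes'; Expression = { $_.AssignableScopes -join ', ' } } |
    Format-Table -AutoSize
```

Run it once per subscription or management group; a FAIL line means the custom role still needs to be created there, and the table shows the built-in roles whose assignments should be kept to a minimum because they can also remove locks.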