turbot/steampipe-mod-azure-compliance

Control: 9.3.10 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts

Description

Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CannotDelete lock, which blocks only deletion.

A ReadOnly lock blocks write and POST operations on the storage account and its containers at the Azure Resource Manager control plane, management.azure.com. Blocked POST operations include listKeys, so clients can no longer retrieve the storage account access keys (the Shared Key credentials) through the control plane. The lock applies to the control plane only: data-plane requests that already hold an account key or SAS token, or that use Azure RBAC data roles, are not affected, so a ReadOnly lock complements key rotation and RBAC rather than replacing them.

Microsoft does not recommend ReadOnly locks for storage accounts that serve Azure Files shares or Table service data.

The Azure Resource Manager REST API specification for Microsoft.Storage resources documents the control plane POST operations that a ReadOnly lock blocks.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining storage accounts that require ReadOnly locks depends on the context and requirements of each organization and environment.

Remediation

Remediate from Azure Portal

  1. Navigate to the storage account in the Azure portal.
  2. Under the Settings section, select Locks.
  3. Select Add.
  4. Provide a Name, and choose ReadOnly for the type of lock.
  5. Add a note about the lock if desired.

Remediate from Azure CLI

Replace the information within <> with appropriate values:

az lock create --name <lock> \
  --resource-group <resource-group> \
  --resource <storage-account> \
  --lock-type ReadOnly \
  --resource-type Microsoft.Storage/storageAccounts

Remediate from PowerShell

Replace the information within <> with appropriate values:

New-AzResourceLock -LockLevel ReadOnly `
  -LockName <lock> `
  -ResourceName <storage-account> `
  -ResourceType Microsoft.Storage/storageAccounts `
  -ResourceGroupName <resource-group>

Default Value

By default, no locks are applied to Azure resources, including storage accounts. Locks must be manually configured after resource creation.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_9_3_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_9_3_10 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;
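The control's own query returns only info rows, leaving the decision to the reviewer. The automated part of the assessment that the description mentions, finding storage accounts with no ReadOnly lock in effect, can be written as a Steampipe query. The following is an added example, not the mod's control query or Turbot's code. It assumes the Steampipe Azure plugin's azure_storage_account table (columns id, name, resource_group, subscription_id) and azure_management_lock table (columns name, scope, lock_level, subscription_id), and that lock_level carries the value ReadOnly. Because locks are inherited, a lock whose scope is the resource group or the subscription also covers the account, so the match is on the scope prefix rather than an exact id; starts_with is a PostgreSQL function, which Steampipe runs on.

```sql
-- Added example (not the mod's control query). Lists every storage account
-- together with the ReadOnly lock(s) covering it, if any. Assumed tables and
-- columns: azure_storage_account (id, name, resource_group, subscription_id)
-- and azure_management_lock (name, scope, lock_level, subscription_id).
with readonly_locks as (
  select
    lower(scope) as scope,       -- resource id, resource group id or subscription id
    name,
    subscription_id
  from
    azure_management_lock
  where
    lock_level = 'ReadOnly'
),
covered as (
  -- A lock covers the account when its scope is the account itself or an
  -- ancestor scope. The trailing '/' on the prefix test stops a lock on
  -- resource group "rg" from matching accounts in "rg2".
  select
    sa.id,
    string_agg(l.name || ' (' || l.scope || ')', ', ') as locks
  from
    azure_storage_account as sa
    join readonly_locks as l
      on l.subscription_id = sa.subscription_id
     and (lower(sa.id) = l.scope or starts_with(lower(sa.id), l.scope || '/'))
  group by
    sa.id
)
select
  sa.id as resource,
  case
    when c.locks is null then 'alarm'
    else 'ok'
  end as status,
  case
    when c.locks is null then sa.name || ' has no ReadOnly lock in effect.'
    else sa.name || ' is covered by ReadOnly lock(s): ' || c.locks || '.'
  end as reason,
  sa.resource_group,
  sa.subscription_id
from
  azure_storage_account as sa
  left join covered as c on c.id = sa.id
order by
  status,
  sa.name;
```

Run it with steampipe query against a connection that has the Azure plugin configured. Treat alarm rows as candidates to review, not as findings: the control stays manual because not every account should carry a ReadOnly lock, and accounts serving Azure Files or the Table service are the ones the description singles out. Also confirm that nothing legitimate depends on listKeys before adding the lock, since that call is blocked at the control plane once the lock is in place.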

Tags