Control: 9.3.9 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
Description
Azure Resource Manager CannotDelete (Delete) locks can prevent users from accidentally or maliciously deleting a storage account. This feature ensures that while the Storage account can still be modified or used, deletion of the Storage account resource requires removal of the lock by a user with appropriate permissions.
This feature is a protective control for the availability of data. By ensuring that a storage account or its parent resource group cannot be deleted without first removing the lock, the risk of data loss is reduced.
While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining storage accounts that require CannotDelete locks depends on the context and requirements of each organization and environment.
Remediation
Remediate from Azure Portal
- Navigate to the storage account in the Azure portal.
- Under the Settings section, select Locks.
- Select Add.
- Provide a Name, and choose Delete for the type of lock.
- Add a note about the lock if desired.
Remediate from Azure CLI
Replace the information within <> with appropriate values:
az lock create --name <lock> \
  --resource-group <resource-group> \
  --resource <storage-account> \
  --lock-type CanNotDelete \
  --resource-type Microsoft.Storage/storageAccounts
Remediate from PowerShell
Replace the information within <> with appropriate values:
New-AzResourceLock -LockLevel CanNotDelete `
  -LockName <lock> `
  -ResourceName <storage-account> `
  -ResourceType Microsoft.Storage/storageAccounts `
  -ResourceGroupName <resource-group>
Default Value
By default, no locks are applied to Azure resources, including storage accounts. Locks must be manually configured after resource creation.
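Because a lock placed on a resource group or subscription is inherited by every resource beneath it, a storage account can be delete-protected without carrying a lock of its own. The script below is an added example (not part of this mod or the CIS benchmark) that evaluates that inheritance offline: it takes the `id` and `level` fields of `az lock list -o json` output and the `id` and `name` fields of `az storage account list -o json` output, walks each account's scope chain (account, resource group, subscription), and reports the same ok/info/alarm statuses Powerpipe controls use. The inline JSON is constructed sample data; the subscription id, resource group and account names are placeholders.

```python
import json

# Constructed sample data (not from the page). Shapes follow the fields of
# `az storage account list -o json` and `az lock list -o json` used here:
# accounts need "id" and "name"; locks need "id" and "level".
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

STORAGE_ACCOUNTS_JSON = json.dumps([
    {"name": "stprotected", "resourceGroup": "rg-prod",
     "id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprotected"},
    {"name": "stinherited", "resourceGroup": "rg-locked",
     "id": f"{SUB}/resourceGroups/rg-locked/providers/Microsoft.Storage/storageAccounts/stinherited"},
    {"name": "streadonly", "resourceGroup": "rg-dev",
     "id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/streadonly"},
    {"name": "stunlocked", "resourceGroup": "rg-dev",
     "id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stunlocked"},
])

LOCKS_JSON = json.dumps([
    # Delete lock directly on the account.
    {"name": "no-delete", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprotected"
           "/providers/Microsoft.Authorization/locks/no-delete"},
    # Delete lock on the parent resource group: inherited by every resource inside it.
    {"name": "rg-no-delete", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/rg-locked/providers/Microsoft.Authorization/locks/rg-no-delete"},
    # ReadOnly lock: also blocks deletion, but is not the Delete lock this control asks for.
    {"name": "ro", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/streadonly"
           "/providers/Microsoft.Authorization/locks/ro"},
])

LOCK_MARKER = "/providers/Microsoft.Authorization/locks/"


def lock_scope(lock_id):
    """Resource id the lock is attached to: everything before the lock's own provider segment."""
    idx = lock_id.find(LOCK_MARKER)
    scope = lock_id if idx == -1 else lock_id[:idx]
    return scope.lower()


def ancestor_scopes(resource_id):
    """Scopes whose locks apply to the resource: itself, its resource group, its subscription."""
    parts = resource_id.strip("/").split("/")
    scopes = [resource_id]
    if len(parts) >= 4:  # /subscriptions/<sub>/resourceGroups/<rg>
        scopes.append("/" + "/".join(parts[:4]))
    if len(parts) >= 2:  # /subscriptions/<sub>
        scopes.append("/" + "/".join(parts[:2]))
    return [s.lower() for s in scopes]


def evaluate(accounts_json, locks_json):
    """Map each storage account name to (status, reason), in the control's ok/info/alarm vocabulary."""
    locks_by_scope = {}
    for lock in json.loads(locks_json):
        locks_by_scope.setdefault(lock_scope(lock["id"]), []).append(lock["level"].lower())

    results = {}
    for acct in json.loads(accounts_json):
        # Collect every lock that applies to this account, from any ancestor scope.
        found = [(scope, level)
                 for scope in ancestor_scopes(acct["id"])
                 for level in locks_by_scope.get(scope, [])]
        delete_scopes = [s for s, level in found if level == "cannotdelete"]
        readonly_scopes = [s for s, level in found if level == "readonly"]
        if delete_scopes:
            results[acct["name"]] = ("ok", f"CanNotDelete lock at scope {delete_scopes[0]}")
        elif readonly_scopes:
            results[acct["name"]] = ("info", f"ReadOnly lock at scope {readonly_scopes[0]} "
                                             "blocks deletion but is not a Delete lock")
        else:
            results[acct["name"]] = ("alarm", "no CanNotDelete lock on the account, "
                                              "its resource group or its subscription")
    return results


if __name__ == "__main__":
    for name, (status, reason) in evaluate(STORAGE_ACCOUNTS_JSON, LOCKS_JSON).items():
        print(f"{status:5} {name}: {reason}")
```

Against the sample data, `stprotected` and `stinherited` come back `ok`, `streadonly` is reported as `info` (a ReadOnly lock prevents deletion too, but it is stricter than the control requires and is worth reviewing separately), and `stunlocked` raises `alarm`. To run it against a real subscription, feed the script the JSON written by the two `az ... list -o json` commands instead of the constructed strings.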
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_9_3_9
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_9_3_9 --share
SQL
This control uses a named query:
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;