Overview
Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion
Rationale
As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to CanNotDeleteor ReadOnlyto achieve this purpose.
CanNotDeletemeans authorized users can still read and modify a resource, but they can't delete the resource.ReadOnlymeans authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Remediation guidance
From Azure Console
- Navigate to the specific Azure Resource or Resource Group
- For each of the mission critical resource, click on
Locks - Click
Add - Give the lock a name and a description, then select the type,
CanNotDeleteorReadOnlyas appropriate
Using Azure Command Line Interface2.0
To lock a resource, provide the name of the resource, its resource type, and its resource group name.
az lock create --name --lock-type --resource-group <resourceGroupName> --resource-name <resourceName> --resource-type <resourceType>
Default Value
By default, no locks are set.
References
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Platform
Use the provider or platform baseline, preventive policy, and IaC modules to enforce this setting consistently when many resources are affected.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
No stored query bodies are attached to this entry.
