
Resource Locking Administrator Role

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AccessControl-002

Ensure there is a custom IAM role assigned to manage resource locking within each Microsoft Azure subscription. Azure resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources running within an Azure cloud account. Azure resource locking is also a recommended NIST configuration. The permissions required to enable the IAM role to manage cloud resource locking are Microsoft.Authorization/locks/read (gets resource locks at the specified scope), Microsoft.Authorization/locks/write (adds locks at the specified scope), and Microsoft.Authorization/locks/delete (deletes locks at the specified scope).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure resource locks enable you to restrict operations on production Azure cloud resources where modifying or deleting a resource would have a significant negative impact. As an administrator, it may be necessary to lock important resources in order to prevent other users within your organization from mistakenly deleting or modifying them. Because the Azure resource lock functionality is outside of standard Role-Based Access Control (RBAC), it is reasonable to create a resource lock administrator role to prevent inadvertent unlocking of cloud resources. By creating and assigning a resource locking administrator role, you grant only the permissions required for managing resource locks rather than the broad Owner or Contributor role, implementing the Principle of Least Privilege (POLP) and thus preventing accidental or intentional damage to your Azure cloud resources.


Audit

To determine if there is a custom role assigned to manage resource locking within each Azure subscription, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name (link) of the Azure subscription that you want to examine.

04 In the blade navigation panel, choose Access control (IAM), and select the Roles tab to access the role definitions available for the selected subscription.

05 Select the CustomRole option from the Type dropdown list to return only the custom roles available within the subscription.

06 Select the custom role that you want to examine and choose View in the Details column.

07 Select the JSON tab and check the "actions" property value to identify the permissions defined for the selected role. If the "actions" property value does not include the following actions: "Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write", and "Microsoft.Authorization/locks/delete", the selected Azure IAM role is not configured to manage resource locking within the selected subscription. If the role permissions include the specified actions, continue the Audit process with the next step.

08 Select the Assignments tab and check the assignments list to determine if the role is assigned to one or more IAM identities. If the assignments list is empty, the selected Azure IAM role is not assigned to an identity, therefore the role is not used to manage resource locking in the selected subscription.

09 Repeat steps no. 6 – 8 for each custom role available in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each Microsoft Azure subscription created within your cloud account.

Using Azure CLI

01 Run role definition list command (Windows/macOS/Linux) using built-in and custom query filters to list the names of all custom role definitions (i.e. IAM roles) created for the current Azure subscription:

az role definition list \
  --custom-role-only true \
  --query '[].{roleName:roleName}' \
  --output table

02 The command output should return the name of each custom role available in the subscription:

RoleName
-----------------------
Web API Manager
API Service Contributor
Cloud Data Reader

03 Run role definition list command (Windows/macOS/Linux) using the name of the custom role that you want to examine as the identifier parameter, to describe the permissions defined for the selected role:

az role definition list \
  --name "Web API Manager" \
  --query '[*].permissions[].actions[]'

04 The command output should return an array with the requested information:

[
  "microsoft.web/apimanagementaccounts/apis/read",
  "microsoft.web/apimanagementaccounts/apis/delete",
  "microsoft.web/apimanagementaccounts/apis/write"
]

If the role definition list command output does not include the following actions: "Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write", and "Microsoft.Authorization/locks/delete", the selected Azure IAM role is not configured to manage resource locking within the current subscription. If the command output includes the specified actions, continue the Audit process with the next step.

05 Run role assignment list command (Windows/macOS/Linux) using the name of the role that you want to examine as the identifier parameter, to list the names of the identities (assignees) associated with the selected role:

az role assignment list \
  --role "Web API Manager" \
  --query '[*].principalName'

06 The command output should return the requested information:

[]

If the role assignment list command output returns an empty array (i.e. []), as shown in the example above, the selected Azure IAM role is not assigned to any identity, therefore the role is not used to manage resource locking in the current subscription.

07 Repeat steps no. 3 – 6 for each custom role available within the current Azure subscription.

08 Repeat steps no. 1 – 7 for each Microsoft Azure subscription created in your cloud account.
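The following Python script is an added example, not part of the Conformity rule page or of Microsoft's tooling. It reproduces the decision made in Audit steps 3 to 6 offline, on JSON shaped like the az role definition list and az role assignment list output shown above, so that it can be run over the output collected from many subscriptions. It goes slightly beyond the page's literal string check: Azure evaluates Actions with case-insensitive matching and "*" wildcards and subtracts NotActions, so a role that lists "Microsoft.Authorization/*" but excludes locks/delete in notActions is reported as not managing locks, and a role whose actions are all under Microsoft.Authorization/locks/ is flagged as a dedicated lock administrator role. The role definitions, the principal names and the "Platform Operator" role are constructed sample data.

```python
"""Offline evaluation of Azure custom roles for the AccessControl-002 check.

Added example; not Conformity's or Microsoft's code. Input shapes mirror
`az role definition list --custom-role-only true` and
`az role assignment list --role <name> --query '[*].principalName'`.
"""
import fnmatch
import json

# The three permissions the rule requires (Audit step 4 / Remediation step 1).
REQUIRED_LOCK_ACTIONS = (
    "Microsoft.Authorization/locks/read",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
)


def _matches(action, patterns):
    """Azure action strings are case-insensitive and may contain '*' wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def effective_lock_actions(role_def):
    """Return the required lock actions the role actually grants.

    An action counts as granted when some `actions` entry matches it and no
    `notActions` entry excludes it (NotActions subtracts from Actions).
    """
    granted = set()
    for perm in role_def.get("permissions", []):
        allowed = perm.get("actions", [])
        denied = perm.get("notActions", [])
        for action in REQUIRED_LOCK_ACTIONS:
            if _matches(action, allowed) and not _matches(action, denied):
                granted.add(action)
    return granted


def evaluate_role(role_def, assignees):
    """Classify one custom role the way Audit steps 4 to 6 do."""
    granted = effective_lock_actions(role_def)
    missing = [a for a in REQUIRED_LOCK_ACTIONS if a not in granted]
    all_actions = [
        a.lower()
        for perm in role_def.get("permissions", [])
        for a in perm.get("actions", [])
    ]
    # "Dedicated" means the role grants nothing beyond lock management,
    # which is the least-privilege shape the Security section asks for.
    dedicated = bool(all_actions) and all(
        a.startswith("microsoft.authorization/locks/") for a in all_actions
    )
    manages_locks = not missing
    return {
        "roleName": role_def.get("roleName"),
        "manages_locks": manages_locks,
        "missing": missing,
        "dedicated": dedicated,
        "assignees": list(assignees),
        # Compliant only when the role grants the actions AND is assigned.
        "compliant": manages_locks and bool(assignees),
    }


def find_lock_admin_roles(role_defs, assignments_by_role):
    """Names of the custom roles that satisfy the rule in this subscription."""
    results = (
        evaluate_role(d, assignments_by_role.get(d.get("roleName"), []))
        for d in role_defs
    )
    return [r["roleName"] for r in results if r["compliant"]]


# Constructed sample data in the shape of the CLI output shown above.
SAMPLE_ROLE_DEFINITIONS = json.loads("""[
  {"roleName": "Web API Manager", "roleType": "CustomRole",
   "permissions": [{"actions": [
     "microsoft.web/apimanagementaccounts/apis/read",
     "microsoft.web/apimanagementaccounts/apis/delete",
     "microsoft.web/apimanagementaccounts/apis/write"],
     "notActions": []}]},
  {"roleName": "Resource Lock Administrator", "roleType": "CustomRole",
   "permissions": [{"actions": [
     "Microsoft.Authorization/locks/read",
     "Microsoft.Authorization/locks/write",
     "Microsoft.Authorization/locks/delete"],
     "notActions": []}]},
  {"roleName": "Platform Operator", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/*"],
     "notActions": ["Microsoft.Authorization/locks/delete"]}]}
]""")

SAMPLE_ASSIGNMENTS = {
    "Web API Manager": [],
    "Resource Lock Administrator": ["lock-admin@example.com"],
    "Platform Operator": ["ops-team@example.com"],
}

if __name__ == "__main__":
    for role in SAMPLE_ROLE_DEFINITIONS:
        name = role["roleName"]
        print(json.dumps(evaluate_role(role, SAMPLE_ASSIGNMENTS[name]), indent=2))
    print("compliant roles:", find_lock_admin_roles(SAMPLE_ROLE_DEFINITIONS, SAMPLE_ASSIGNMENTS))
```

To use it against real output, save the JSON from the two CLI commands to files, load them with json.load, and pass them to find_lock_admin_roles; a subscription with an empty result fails the rule.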

Remediation / Resolution

To create a custom role responsible for managing resource locks in your Microsoft Azure cloud subscription, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name of the Azure subscription that you want to access.

04 In the blade navigation panel, choose Access control (IAM), and select the Roles tab to access the role definitions available for the selected subscription.

05 Choose Add and Add custom role to create a new Azure IAM custom role.

06 On the Create a custom role setup page, provide the following information:

  1. For Basics, enter a unique name for the new role in the Custom role name box (e.g. "Resource Lock Administrator"), provide a short description in the Description box (optional), and choose Start from scratch for Baseline permissions. Choose Next to continue.
  2. For Permissions, choose Add permissions, search for Microsoft.Authorization/locks, click on the permissions set returned, choose Actions and select the Read : Get management locks, Write : Add management locks, and Delete : Delete management locks permissions, then choose Add to attach the selected permissions to the new role definition. The permissions selected at this step will enable the role assignee to manage resource locks within the current subscription. Choose Next to continue the setup process.
  3. For Assignable scopes, make sure that your Azure cloud subscription is listed in the Assignable scope section. The subscription listed on this page represents the scope where your custom role will be available for assignment. Choose Next to continue.
  4. From JSON, you can view and download your custom role definition in JSON format. Choose Next to continue.
  5. For Review + create, review the role configuration information, then choose Create to create your new custom role. Choose Ok to return to the Roles page.

07 Select the custom role created at the previous step and choose View in the Details column.

08 Select the Assignments tab and choose Add assignment to assign the role to an IAM identity by performing the following actions:

  1. For Role, find and select the newly created custom role. Choose Next to continue.
  2. For Members, select User, group, or service principal from Assign access to, choose + Select members, select the user to assign the role to, and choose Select. (Optional) You can add a short description for the role assignment in the Description box. Choose Next to continue.
  3. For Review + assign, review the role assignment details, then choose Review + assign to assign the custom role to the specified user. The associated IAM user will be responsible for managing resource locks in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Microsoft Azure subscription created within your cloud account.

Using Azure CLI

01 Create the role definition required for the new role and save the content to a JSON file named iam-custom-role-definition.json. Make sure that the following permissions are used: "Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write", and "Microsoft.Authorization/locks/delete", to enable the role assignee to manage resource locks within the selected subscription. Replace <azure-subscription-id> with your own Azure subscription ID:

{
  "Name": "Resource Lock Administrator",
  "Description": "Manage Azure cloud resource locks",
  "Actions": [
    "Microsoft.Authorization/locks/read",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<azure-subscription-id>"]
}

02 Run role definition create command (Windows/macOS/Linux) to create your new IAM custom role using the role definition created at the previous step (i.e. iam-custom-role-definition.json file). Replace <azure-subscription-id> with your own Azure subscription ID:

az role definition create \
  --subscription <azure-subscription-id> \
  --role-definition @iam-custom-role-definition.json

03 The command output should return the metadata available for the new custom role:

{
  "assignableScopes": [
    "/subscriptions/<azure-subscription-id>"
  ],
  "description": "Manage Azure cloud resource locks",
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
  "name": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Resource Lock Administrator",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

04 Run role assignment create command (Windows/macOS/Linux) to assign the newly created role to an IAM user (i.e. assignee). Replace <iam-user-name> with the name of the IAM user that will be responsible for managing resource locks in the selected Azure subscription:

az role assignment create \
  --role "Resource Lock Administrator" \
  --assignee "<iam-user-name>"

05 The command output should return the role assignment information:

{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd",
  "name": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
  "scope": "/subscriptions/<azure-subscription-id>",
  "type": "Microsoft.Authorization/roleAssignments"
}

06 Repeat steps no. 1 – 5 for each Microsoft Azure subscription created in your cloud account.

Publication date Sep 29, 2021