Enable Azure Resource Locks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Locks-001

Ensure that all your mission critical Azure cloud resources have resource locks enabled so that users cannot delete or modify these resources, in order to help prevent accidental changes or deletion. A lock is not a substitute for access control: any principal granted the Microsoft.Authorization/locks/* actions (for example, the Owner or User Access Administrator role) can remove the lock and then delete the resource, so a lock turns a destructive operation into a deliberate two-step action rather than stopping a privileged attacker.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure resource locks enable you to restrict operations on production Azure cloud resources where modifying or deleting a resource would have a significant negative impact. As an Azure account administrator, it may be necessary to lock an important resource, a resource group, or even a subscription, in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:

"CanNotDelete" – authorized users can still read and modify the cloud resource, but they can't delete it.

"ReadOnly" – authorized users can read the cloud resource, but they can't delete or update it. Using this lock level is similar to restricting all authorized users to the permissions granted by the "Reader" role.

Note: Resource locks can be applied to an Azure cloud resource, a resource group, or even to an Azure subscription, and a lock applied at a parent scope is inherited by every resource within that scope. Locks act only on management-plane (Azure Resource Manager) operations; data-plane operations, such as reading or writing Key Vault secrets, keys and certificates, are governed by the vault's access policies or Azure RBAC and are not affected by the lock. This conformity rule demonstrates how to determine (audit) and implement (remediation) resource locks at the individual resource level using a Microsoft Azure Key Vault as an example.

Audit

To determine if your mission critical resources have resource locks configured, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list only the Key Vault instances provisioned in the selected subscription.

05 Click on the name (link) of the mission critical Key Vault instance that you want to examine.

06 In the navigation panel, under Settings, select Locks to access the resource locks set for the selected Azure Key Vault.

07 On the Locks page, check for any available "CanNotDelete" or "ReadOnly" locks, based on the selected resource requirements. If the Key Vault instance does not have the appropriate resource lock configured, or there are no resource locks available at all and the following message is displayed: "This resource has no locks.", the selected Microsoft Azure Key Vault does not have resource locks enabled.

08 Repeat steps no. 5 – 7 for other mission critical Azure Key Vault instances available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the IDs of all Key Vault instances provisioned in the current Azure subscription:

az keyvault list \
	--query '[*].id'

02 The command output should return the requested Microsoft Azure resource identifiers (IDs):

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-app-vault",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-warehouse-data-vault"
]

03 Run lock list command (Windows/macOS/Linux) using the ID of the Azure Key Vault that you want to examine as identifier parameter and custom query filters to describe the name and the level of the resource lock set for the selected vault:

az lock list \
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-app-vault" \
	--query '[*].{"name":name,"level":level}'

04 Based on the resource lock configuration, the command output should return one of the following:

  1. If the command output returns the name and the level (i.e. "CanNotDelete" or "ReadOnly") of the resource lock but the lock level is not the required one, as shown in the example below where the "ReadOnly" lock is expected, the selected Microsoft Azure Key Vault does not have the appropriate resource lock enabled:
    [
      {
        "name": "cc-delete-lock",
        "level": "CanNotDelete"
      }
    ]

  2. If the lock list command output returns an empty array (i.e. []), as shown in the example below, the selected Microsoft Azure Key Vault does not have resource locks enabled at all:
    []


05 Repeat step no. 3 and 4 for other mission critical Azure Key Vault instances available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable resource locks for your mission critical Azure cloud resources (in this case Key Vault instances), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all the Key Vault instances provisioned in the selected subscription.

05 Click on the name of the mission critical Key Vault instance that you want to lock down (see Audit section part I to identify the right resource).

06 In the navigation panel, under Settings, select Locks to access the resource locks configuration page.

07 On the Locks page, click +Add to open the Add lock panel and provide the following details:

  1. In the Lock name box, type the name of the new resource lock.
  2. Select the appropriate type (level) of lock restriction from the Lock type dropdown list. Use Read-only when you need authorized users to read the resource, without being able to update or delete the resource. Select Delete when you need authorized users to read and update the resource, without being able to delete the resource.
  3. In the Notes box, provide a short description of the lock restriction implemented.
  4. Click Ok to complete the setup process and enable the resource lock.

08 Repeat steps no. 5 – 7 for other mission critical Azure Key Vault instances available in the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run lock create command (Windows/macOS/Linux) using the ID of the mission critical Key Vault instance that you want to lock down as identifier parameter (see Audit section part II to identify the right Azure resource) to enable resource locks for the selected Azure Key Vault instance. For example, the following command request locks down a Microsoft Azure Key Vault identified by the ID "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-app-vault", using the "ReadOnly" type (level) of lock restriction which allows authorized users to read the resource, without being able to update or delete the resource:

az lock create \
	--name cc-read-only-lock \
	--lock-type ReadOnly \
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-app-vault"

02 The command output should return the metadata for the newly created resource lock:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-app-vault/providers/Microsoft.Authorization/locks/cc-read-only-lock",
  "level": "ReadOnly",
  "name": "cc-read-only-lock",
  "notes": null,
  "owners": null,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Authorization/locks"
}

03 Repeat step no. 1 and 2 for other mission critical Azure Key Vault instances available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
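The CLI audit (steps 1 – 6 of the Audit section) and the CLI remediation above are both per-vault, per-subscription loops. The following Python script is an added example, not part of the Conformity rule page or of the Azure CLI itself: it wraps the same az keyvault list, az lock list and az lock create calls, classifies each vault, and optionally creates the missing lock. It goes a little beyond the page's audit in one respect: a "ReadOnly" lock also blocks deletion, so it is treated as satisfying a "CanNotDelete" requirement instead of being reported as the wrong level. The names REQUIRED_LEVEL, assess(), lock_create_argv() and audit_subscription() are this example's own choices, and the lock names it generates are assumptions; the script assumes a logged-in Azure CLI when run as a program.

```python
"""Audit and remediate resource locks on Azure Key Vaults via the Azure CLI.

Added example (not the Conformity page's or Microsoft's code). It wraps the
`az keyvault list`, `az lock list` and `az lock create` commands shown on the
page; REQUIRED_LEVEL, assess(), lock_create_argv() and audit_subscription()
are names chosen for this example.
"""
import json
import shutil
import subprocess
import sys

# Azure lock levels in increasing strictness. A ReadOnly lock also blocks
# deletion, so it satisfies a CanNotDelete requirement (this generalizes the
# page's audit, which compares the level for exact equality).
LEVELS = {"CanNotDelete": 1, "ReadOnly": 2}

# Lock level demanded for every mission critical vault (assumption).
REQUIRED_LEVEL = "CanNotDelete"


def strongest_level(locks):
    """Strictness rank of the strongest lock in `locks`, or 0 if there is none.

    `locks` is the JSON array returned by `az lock list`: a list of dicts that
    carry at least a "level" key. Unknown level strings count as no lock."""
    return max((LEVELS.get(lock.get("level"), 0) for lock in locks), default=0)


def assess(locks, required=REQUIRED_LEVEL):
    """Classify a resource as 'unlocked', 'insufficient' or 'compliant'."""
    if required not in LEVELS:
        raise ValueError(f"unknown lock level: {required}")
    have = strongest_level(locks)
    if have == 0:
        return "unlocked"
    if have < LEVELS[required]:
        return "insufficient"
    return "compliant"


def lock_create_argv(resource_id, level, name=None, notes=None):
    """Build the `az lock create` argv that remediates one resource."""
    if level not in LEVELS:
        raise ValueError(f"unknown lock level: {level}")
    # Default lock names are an assumption of this example.
    name = name or ("cc-read-only-lock" if level == "ReadOnly" else "cc-delete-lock")
    argv = ["az", "lock", "create", "--name", name, "--lock-type", level,
            "--resource", resource_id]
    if notes:
        argv += ["--notes", notes]
    return argv


def az_json(args, subscription=None):
    """Run an az command and parse its JSON output (needs a logged-in az)."""
    cmd = ["az", *args, "--output", "json"]
    if subscription:
        cmd += ["--subscription", subscription]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else []


def audit_subscription(subscription, remediate=False, required=REQUIRED_LEVEL):
    """Audit every Key Vault in one subscription; optionally create the lock.

    Returns {vault_id: status}. Like the page, this queries only the vault's
    own scope; a lock inherited from the resource group or subscription is not
    returned there, so 'unlocked' means 'no lock at resource scope'."""
    report = {}
    for vault_id in az_json(["keyvault", "list", "--query", "[*].id"], subscription):
        locks = az_json(["lock", "list", "--resource", vault_id], subscription)
        status = assess(locks, required)
        if status != "compliant" and remediate:
            argv = lock_create_argv(vault_id, required,
                                    notes="Created by lock audit script")
            if subscription:
                argv += ["--subscription", subscription]
            subprocess.run(argv, check=True, capture_output=True, text=True)
            status = "remediated"
        report[vault_id] = status
    return report


if __name__ == "__main__":
    if shutil.which("az") is None:
        sys.exit("Azure CLI (az) not found; install it and run `az login` first")
    fix = "--remediate" in sys.argv[1:]
    for sub in az_json(["account", "list", "--query", "[*].id"]):
        for vault_id, status in audit_subscription(sub, remediate=fix).items():
            print(f"{status:12} {vault_id}")
```

Run it without arguments for a read-only report across every subscription the signed-in identity can see, and with --remediate to create the missing locks; creating a lock requires the Microsoft.Authorization/locks/write action (Owner or User Access Administrator), so a Contributor-only identity will see the remediation call fail with an authorization error rather than silently skip the vault.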

Publication date Sep 20, 2019