Azure Introduction
Azure Pricing
Azure Threats
Enable Azure Resource Locks
More Info:
Ensure that all your mission critical Azure cloud resources have resource locks enabled so that certain users are not be able to delete or modify these resources in order to help prevent accidental and malicious changes or deletion.
Risk Level
High
Address
Security
Compliance Standards
CISAZURE, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Enable Azure Resource Locks” for Azure using the Azure console, you can follow these step-by-step instructions:
-
Log in to the Azure portal (https://portal.azure.com/).
-
Navigate to the resource group that you want to apply the lock to.
-
Select the resource group and click on “Locks” under the “Settings” section in the left-hand menu.
-
Click on the ”+ Add” button to create a new lock.
-
In the “Add lock” panel, provide a name for the lock and select the lock type as “CanNotDelete” from the dropdown menu.
-
Optionally, you can add a description for the lock.
-
Click on the “OK” button to create the lock.
-
The lock is now applied to the resource group, and it will prevent any user from accidentally deleting any resources within the group.
-
Repeat the above steps for all the resource groups that require a lock.
By following these steps, you can remediate the misconfiguration “Enable Azure Resource Locks” for Azure using the Azure console.
To remediate the misconfiguration of not having Azure Resource Locks enabled, you can follow these steps using Azure CLI:
- Open Azure CLI in your terminal or command prompt.
- Login to your Azure account using the command
az login. - Once you are logged in, you need to identify the resources that do not have resource locks enabled. You can do this by running the following command:
This command will list all the resources that do not have a resource lock enabled.
az resource list --query "[?locks == null].{Name: name, ID: id, Type: type}" - Once you have identified the resources, you can enable resource locks by running the following command:
Here, you need to replace
az lock create --name <lock-name> --resource-group <resource-group-name> --resource-name <resource-name> --resource-type <resource-type> --lock-type CanNotDelete<lock-name>with a name for the lock,<resource-group-name>with the name of the resource group containing the resource,<resource-name>with the name of the resource, and<resource-type>with the type of the resource. The--lock-typeparameter is set toCanNotDeleteto prevent accidental deletion of the resource. - Repeat step 4 for all the resources that do not have resource locks enabled.
By following these steps, you can remediate the misconfiguration of not having Azure Resource Locks enabled.
To remediate the misconfiguration of “Enable Azure Resource Locks” using Python, you can use the following steps:
Step 1: Import the necessary libraries and authenticate to Azure using the Azure Identity library.
from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.resource.resources.models import ManagementLockObject, LockLevel
credential = DefaultAzureCredential()
resource_client = ResourceManagementClient(credential, subscription_id)
Step 2: Define the scope of the lock. In this example, we will define it at the resource group level.
resource_group_name = 'my-resource-group'
lock_name = 'my-lock-name'
scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
Step 3: Create a new lock object with the desired lock level and notes.
lock_level = LockLevel.can_not_delete
notes = 'This lock prevents accidental deletion of resources in the resource group.'
lock_object = ManagementLockObject(level=lock_level, notes=notes)
Step 4: Create the lock using the ResourceManagementClient.
resource_client.management_locks.create_or_update(scope=scope, lock_name=lock_name, parameters=lock_object)
Step 5: Verify that the lock was created successfully by checking the list of locks at the resource group level.
locks = resource_client.management_locks.list_at_resource_group_level(resource_group_name)
for lock in locks:
print(lock.name)
By following these steps, you can remediate the misconfiguration of “Enable Azure Resource Locks” using Python.