Description
This policy ensures that a custom role is assigned permissions for administering resource locks. This helps to ensure that only authorized users have the ability to create, update, and delete resource locks.
Rationale
Resource locks are a powerful tool for protecting Azure resources from unauthorized changes. However, they can only be used effectively if they are properly managed. By assigning a custom role with the appropriate permissions, we can ensure that only authorized users have the ability to create, update, and delete resource locks.
Impact
If this policy is not followed, unauthorized users may be able to create, update, or delete resource locks. This could lead to the unauthorized modification or deletion of Azure resources.
Default Value
By default, no custom role is assigned permissions for administering resource locks. This policy requires that a custom role with the appropriate permissions be created and assigned.
Prerequisites
- Access to the Azure portal or Azure CLI
- The ability to manage Azure roles
Remediation Steps
- Log in to the Azure portal or Azure CLI.
- Go to the Roles blade.
- Click the Create a role button.
- In the Role name field, enter a name for the custom role.
- In the Role description field, enter a description for the custom role.
- In the Permissions section, select the Microsoft.Authorization/locks/read, Microsoft.Authorization/locks/write, and Microsoft.Authorization/locks/delete permissions.
- Click the Create button.
Test Plan
To test whether this policy is being followed, you can follow these steps:
- Log in to the Azure portal or Azure CLI.
- Go to the Roles blade.
- Select the custom role that you created.
- In the Permissions section, verify that the Microsoft.Authorization/locks/read, Microsoft.Authorization/locks/write, and Microsoft.Authorization/locks/delete permissions are assigned.
Implementation Plan
To implement this policy, you can follow these steps:
- Create a custom role with the appropriate permissions.
- Assign the custom role to the users or groups that need to be able to administer resource locks.
Azure Console
To create a custom role in the Azure portal, follow these steps:
- Log in to the Azure portal.
- Go to the Roles blade.
- Click the Create a role button.
- In the Role name field, enter a name for the custom role.
- In the Role description field, enter a description for the custom role.
- In the Permissions section, select the Microsoft.Authorization/locks/read, Microsoft.Authorization/locks/write, and Microsoft.Authorization/locks/delete permissions.
- Click the Create button.
Azure CLI
To create a custom role using the Azure CLI, you can use the following command. az role definition create takes the role definition as a JSON document; replace <subscription-id> with the subscription in which the role may be assigned:
az role definition create --role-definition '{"Name": "mycustomrole", "IsCustom": true, "Description": "Administer resource locks", "Actions": ["Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write", "Microsoft.Authorization/locks/delete"], "NotActions": [], "AssignableScopes": ["/subscriptions/<subscription-id>"]}'
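The following added example (not part of this policy page or of the Azure CLI) builds the role definition used in the CLI step above and implements the Test Plan check in code: it evaluates a role definition's Actions and NotActions with Azure RBAC wildcard matching, reports any of the three lock permissions that are not effectively granted, and flags wildcard actions that would grant more than lock administration. The subscription id and role name are constructed placeholders.

```python
import fnmatch

# The three permissions this policy requires for administering resource locks.
LOCK_ACTIONS = (
    "Microsoft.Authorization/locks/read",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
)


def lock_admin_role_definition(subscription_id, name="mycustomrole"):
    """Build the JSON body that `az role definition create --role-definition`
    accepts. Only the lock actions are granted; AssignableScopes limits where
    the role can be assigned (subscription_id is a constructed placeholder)."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Administer resource locks",
        "Actions": list(LOCK_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def _matches(action, patterns):
    # Azure RBAC action strings are case-insensitive and use '*' as a wildcard
    # that also spans '/' (so "Microsoft.Authorization/*" covers all lock actions).
    target = action.lower()
    return any(fnmatch.fnmatchcase(target, p.lower()) for p in patterns)


def effective_lock_permissions(role_def):
    """Lock actions the role effectively grants: an action counts as granted
    when some Actions entry matches it and no NotActions entry excludes it."""
    actions = role_def.get("Actions", [])
    not_actions = role_def.get("NotActions", [])
    return [a for a in LOCK_ACTIONS
            if _matches(a, actions) and not _matches(a, not_actions)]


def check_lock_admin_role(role_def):
    """Test Plan check. Returns a list of findings; an empty list means the
    role is custom, grants all three lock actions, and grants nothing broader."""
    findings = []
    missing = set(LOCK_ACTIONS) - set(effective_lock_permissions(role_def))
    if missing:
        findings.append("missing: " + ", ".join(sorted(missing)))
    if not role_def.get("IsCustom"):
        findings.append("not a custom role")
    broad = [p for p in role_def.get("Actions", []) if "*" in p]
    if broad:
        findings.append("wildcard actions grant more than locks: " + ", ".join(broad))
    return findings
```

Run check_lock_admin_role on the output of `az role definition list --custom-role-only true` (parsed as JSON) to verify deployed roles rather than only the one you just created.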
Backout Plan
To back out of this change, you can follow these steps:
- Delete the custom role that you created.
- Remove the role assignments from the users or groups to which the custom role was assigned.
Note
This policy does not apply to resource locks that are created with the built-in Owner or User Access Administrator roles. These roles already have the permissions necessary to administer resource locks.
Reference
Azure Policy documentation: https://docs.microsoft.com/en-us/azure/governance/policy/
Azure Resource Locks documentation: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources