Description:

Resource locks are used in Azure to prevent resources from being accidentally deleted or modified. By applying resource locks, administrators can ensure that critical resources remain protected from inadvertent or unauthorized changes. However, to administer resource locks (i.e., to create, delete, or modify them), specific permissions must be assigned to users or custom roles.

A custom role in Azure can be created to grant the necessary permissions to administer resource locks. This ensures that only trusted users have the ability to apply or remove locks, maintaining the security and integrity of critical resources.

Rationale:

By creating and assigning a custom role with permissions for managing resource locks, you can:

  • Enhance security by ensuring only authorized personnel have access to lock critical resources.

  • Ensure compliance by limiting the number of users who can change the locking status of key resources.

  • Apply the principle of least privilege by giving only the necessary permissions to users who need to manage resource locks.

Impact:

Creating a custom role with permissions for managing resource locks ensures that the permissions are tightly controlled and only provided to the appropriate users. The impact is minimal as this process adds an extra layer of control over critical resources and prevents unwanted changes. However, ensuring that the custom role has the correct permissions is important to avoid misconfigurations.

Default Value:

By default, no custom roles are configured with the permissions required to administer resource locks. These permissions need to be manually added to a custom role.

Pre-requisites:

  • Azure subscription.

  • Owner or Contributor role permissions to create and assign custom roles.

  • Knowledge of the permissions required to administer resource locks in Azure.

Audit:

  1. Sign in to Azure portal as an Owner or Global Administrator.

  2. Navigate to Azure Active Directory > Roles and administrators.

  3. Ensure that the custom role with permissions to manage resource locks has been assigned to the appropriate users.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Global Administrator permissions to create and manage custom roles.

  2. Navigate to Azure Active Directory:

    • In the Azure portal, go to Azure Active Directory.

  3. Create a Custom Role:

    • Under Manage, select Roles and administrators.

    • Click on + New custom role to create a custom role.

    • Provide a name and description for the role (e.g., Resource Lock Administrator).

  4. Assign Permissions for Resource Locks:

    • In the Permissions section of the custom role creation pane, click + Add permissions.

    • Search for the following permissions related to resource locks:

      • Microsoft.Resources/subscriptions/resourceGroups/providers/locks/read – To read the lock status.

      • Microsoft.Resources/subscriptions/resourceGroups/providers/locks/write – To create or update resource locks.

      • Microsoft.Resources/subscriptions/resourceGroups/providers/locks/delete – To delete resource locks.

  5. Add Permissions to the Custom Role:

    • Add these permissions to the custom role. The required permissions are:

    • Microsoft.Resources/subscriptions/resourceGroups/providers/locks/read

    • Microsoft.Resources/subscriptions/resourceGroups/providers/locks/write

    • Microsoft.Resources/subscriptions/resourceGroups/providers/locks/delete

  6. Review and Create the Custom Role:

    • Review the permissions and role settings.

    • Click Create to finalize the creation of the custom role.

  7. Assign the Custom Role to Users:

    • Once the custom role is created, you need to assign it to users who should have the ability to administer resource locks.

    • Go to Azure Active Directory > Roles and administrators.

    • Search for the newly created custom role (e.g., Resource Lock Administrator).

    • Click on the custom role and select Assign.

    • Assign the role to the appropriate users or groups.

  8. Verify Role Assignment:

    • After assigning the custom role, ensure that users can now manage resource locks by testing the creation, deletion, and modification of locks on resources.

    • Verify that the permissions work as expected by having assigned users apply or modify a resource lock on a test resource.

  9. Test Resource Lock Permissions:

    • Log in with a user who has been assigned the custom role and attempt to create, modify, or delete a resource lock on a resource.

    • Ensure that the user can perform the necessary actions on the lock.

  10. Monitor and Review Access:

    • Periodically review the role assignments to ensure that only the necessary users have the custom role.

    • Use Azure Monitor to track changes to resource locks and other activity related to resource lock management.
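As an added example (not part of the original guidance or any Microsoft tooling), the Python check below reviews a custom role definition, in the file format accepted by `az role definition create`, against the permission list from step 4: it flags wildcard actions, actions outside that list, missing lock permissions, data-plane actions, and assignable scopes broader than a subscription or resource group. The subscription id and both role definitions are constructed samples.

```python
"""Lint an Azure custom role meant only for resource lock administration."""

# Allow-list: the three lock permissions listed in step 4 of the guidance.
LOCK_ACTIONS = frozenset({
    "Microsoft.Resources/subscriptions/resourceGroups/providers/locks/read",
    "Microsoft.Resources/subscriptions/resourceGroups/providers/locks/write",
    "Microsoft.Resources/subscriptions/resourceGroups/providers/locks/delete",
})


def lint_lock_role(role: dict) -> list[str]:
    """Return findings for a role definition (Name, Actions, DataActions,
    AssignableScopes, ...). An empty list means the role grants lock
    administration and nothing more."""
    findings = []
    actions = set(role.get("Actions", []))
    for action in sorted(actions):
        if "*" in action:
            findings.append(f"wildcard action exceeds lock management: {action}")
        elif action not in LOCK_ACTIONS:
            findings.append(f"action outside the lock allow-list: {action}")
    # Only report missing permissions when no wildcard could be covering them.
    if not any("*" in a for a in actions):
        for missing in sorted(LOCK_ACTIONS - actions):
            findings.append(f"required lock permission missing: {missing}")
    if role.get("DataActions"):
        findings.append("DataActions present; lock administration needs no data-plane access")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes empty; the role cannot be assigned anywhere")
    for scope in scopes:
        # Root ("/") or a management group lets the role be assigned far beyond one subscription.
        if scope == "/" or scope.startswith("/providers/Microsoft.Management/"):
            findings.append(f"assignable scope too broad: {scope}")
    return findings


# Constructed sample definitions; the subscription id is a placeholder.
GOOD_ROLE = {
    "Name": "Resource Lock Administrator",
    "IsCustom": True,
    "Description": "Create, update and delete resource locks only.",
    "Actions": sorted(LOCK_ACTIONS),
    "NotActions": [],
    "DataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}
BAD_ROLE = {
    "Name": "Lock Admin (too broad)",
    "IsCustom": True,
    "Actions": ["Microsoft.Resources/*"],  # wildcard: far more than lock management
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": ["/"],  # root scope: assignable tenant-wide
}
```

Run `lint_lock_role(GOOD_ROLE)` to get an empty list and `lint_lock_role(BAD_ROLE)` to see the three findings; the same check can be run over the JSON returned by `az role definition list --custom-role-only true` before assigning the role in step 7.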

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Global Administrator permissions.

  2. Navigate to Azure Active Directory:

    • Go to Azure Active Directory in the Azure portal.

  3. Remove or Modify Custom Role Assignments:

    • In Roles and administrators, find the custom role you created for managing resource locks.

    • You can remove users or modify the role assignment as needed.

    • To remove a custom role assignment, click on Assignments, select the user or group, and click Remove.

  4. Verify Role Removal:

    • Ensure that the users no longer have the ability to administer resource locks by testing that they can no longer perform actions like creating, updating, or deleting locks.

  5. Test Backout Configuration:

    • Perform a test by attempting to modify or delete a resource lock using a user who no longer has the custom role. Ensure that the operation is denied.

References: