Description:
Azure Resource Manager (ARM) ReadOnly locks help protect resources by preventing accidental modification or deletion. These locks ensure that resources are protected from any changes while still allowing read access. For Azure Storage Accounts, this lock type ensures that data within the storage account can only be viewed, not modified, which is crucial for compliance and data protection strategies.
Rationale:
Implementing ReadOnly locks on Azure Storage Accounts ensures that no unauthorized changes or deletions can be made. This is essential for safeguarding critical data in storage, especially for organizations that need to maintain compliance with regulations like SOC 2, ISO 27001, or HIPAA. ReadOnly locks offer an extra layer of protection to prevent operational errors or malicious activity from impacting storage data integrity.
Impact:
While enabling the ReadOnly lock can enhance data security, it may limit the ability of authorized users to make necessary changes or updates to the storage account. Therefore, it is essential to carefully consider which users or groups need modification access to ensure business operations are not hindered.
Default Value:
By default, Azure does not apply ReadOnly locks to storage accounts. A lock must be configured manually or managed through Azure Policy.
Pre-requisites:
Azure account: The account used must have the appropriate permissions to configure resource locks.
Azure Storage Account: The target storage account for the lock must exist.
Permissions: The user configuring the lock should have sufficient permissions, such as Owner or Contributor role at the subscription or resource group level.
Remediation:
Audit:
To check if the ReadOnly lock is applied to your Azure Storage Accounts:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the resource group or storage account.
Check for locks:
In the left pane of the Storage Account, select Locks under the "Settings" section.
Verify if a ReadOnly lock is listed.
Implementation Steps:
Sign in to the Azure portal as a user with sufficient permissions (Owner/Contributor).
Navigate to the desired Storage Account in the Azure portal.
Go to the 'Locks' section:
In the left pane, click on Locks under the "Settings" section.
Add a lock:
Click on + Add to create a new lock.
In the Lock Type drop-down, select ReadOnly.
Enter a name for the lock and, optionally, notes describing why it was applied.
Click OK to apply the lock.
Backout Plan:
To remove the ReadOnly lock, follow these steps:
Sign in to the Azure portal as a user with appropriate permissions.
Navigate to the Storage Account where the lock was applied.
Go to the 'Locks' section:
In the left pane, click on Locks under the "Settings" section.
Remove the lock:
Find the ReadOnly lock in the list.
Click on the delete icon next to the lock you want to remove.
Confirm the removal of the lock.
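The Audit, Implementation and Backout steps above are portal steps. As an added example (not part of the original page), the Python script below performs the same audit across a whole subscription from Azure CLI output (`az lock list` and `az storage account list`), treating a ReadOnly lock inherited from the resource group or subscription scope as covering the account, and lists the CLI equivalents of the add and remove steps in comments. The subscription id placeholder, resource names and sample JSON are constructed.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample in the shape `az lock list -o json` returns, trimmed to the
# fields this check uses. Live use: json.loads(subprocess.check_output(
#   ["az", "lock", "list", "-o", "json"])). <SUB_ID> is a placeholder.
SAMPLE_LOCKS = json.loads("""[
  {"id": "/subscriptions/<SUB_ID>/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01/providers/Microsoft.Authorization/locks/ro-stprod01",
   "level": "ReadOnly", "name": "ro-stprod01"},
  {"id": "/subscriptions/<SUB_ID>/resourceGroups/rg-archive/providers/Microsoft.Authorization/locks/ro-archive",
   "level": "ReadOnly", "name": "ro-archive"},
  {"id": "/subscriptions/<SUB_ID>/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdev01/providers/Microsoft.Authorization/locks/nodelete",
   "level": "CanNotDelete", "name": "nodelete"}
]""")

# Constructed sample of `az storage account list --query "[].id" -o json`.
SAMPLE_ACCOUNTS = [
    "/subscriptions/<SUB_ID>/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01",
    "/subscriptions/<SUB_ID>/resourceGroups/rg-archive/providers/Microsoft.Storage/storageAccounts/starchive01",
    "/subscriptions/<SUB_ID>/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdev01",
]

# A lock id is "<scope the lock is applied to>/providers/Microsoft.Authorization/locks/<name>".
LOCK_SUFFIX = re.compile(r"/providers/Microsoft\.Authorization/locks/[^/]+$", re.IGNORECASE)

def lock_scope(lock_id: str) -> str:
    """Strip the trailing lock segment to recover the scope the lock sits on."""
    return LOCK_SUFFIX.sub("", lock_id).lower()

def readonly_lock_for(account_id: str, locks: List[dict]) -> Optional[str]:
    """Name of the ReadOnly lock covering this account, or None.
    Locks inherit downward, so a lock on the resource group or on the
    subscription counts as well as one placed on the account itself."""
    target = account_id.lower()
    for lock in locks:
        if lock.get("level") != "ReadOnly":
            continue  # CanNotDelete still permits modification, so it is not a pass
        scope = lock_scope(lock["id"])
        if target == scope or target.startswith(scope + "/"):
            return lock["name"]
    return None

def audit(accounts: List[str], locks: List[dict]) -> Dict[str, Optional[str]]:
    """Map each storage account id to its covering ReadOnly lock (None = finding)."""
    return {acct: readonly_lock_for(acct, locks) for acct in accounts}

# CLI equivalents of the portal add/remove steps (real `az lock` commands):
#   az lock create --name ro-<acct> --lock-type ReadOnly --resource-group <rg> \
#       --resource-name <acct> --resource-type Microsoft.Storage/storageAccounts
#   az lock delete --name ro-<acct> --resource-group <rg> \
#       --resource-name <acct> --resource-type Microsoft.Storage/storageAccounts
if __name__ == "__main__":
    for acct, lock in audit(SAMPLE_ACCOUNTS, SAMPLE_LOCKS).items():
        print("PASS" if lock else "FAIL", acct.rsplit("/", 1)[-1], lock or "no ReadOnly lock")
```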