Description:

Azure Resource Manager (ARM) Delete locks prevent the deletion of Azure resources, including Azure Storage Accounts. Applying a Delete lock to a storage account ensures that the storage account cannot be deleted, whether intentionally or accidentally, by authorized users or administrators. This is crucial for protecting critical data from accidental deletion and for ensuring compliance with regulatory and business requirements.

Rationale:

Implementing Delete locks on Azure Storage Accounts is a best practice to safeguard against unintentional or unauthorized deletions. This lock provides an extra layer of protection for important storage resources, which may contain sensitive or business-critical data. Ensuring that these resources remain intact is critical for maintaining compliance and business continuity.

Impact:

While enabling the Delete lock prevents deletion of the resource, it can cause issues if legitimate deletions are required. Users will need to remove the lock before performing any deletions, and this process should be carefully controlled to avoid disruptions in operations.

Default Value:

By default, Azure does not apply Delete locks to storage accounts. They must be manually configured or managed through Azure policies.

Pre-requisites:

  • Azure account: The account used must have the appropriate permissions to configure resource locks.

  • Azure Storage Account: The storage account must already exist.

  • Permissions: The user configuring the lock should have sufficient permissions, such as Owner or Contributor role at the subscription or resource group level.

Remediation:

Audit:

To check if a Delete lock is applied to your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the storage account in question.

  3. Check for locks:

    • In the left pane of the Storage Account, select Locks under the "Settings" section.

    • Verify if a Delete lock is listed.

Implementation Steps:

  1. Sign in to the Azure portal as a user with appropriate permissions (Owner/Contributor).

  2. Navigate to the Storage Account you want to lock.

  3. Go to the 'Locks' section:

    • In the left pane, click on Locks under the "Settings" section.

  4. Add a lock:

    • Click on + Add to create a new lock.

    • In the Lock Type drop-down, select Delete.

    • Provide a name and, optionally, notes describing the purpose of the lock.

    • Click OK to apply the lock.

Backout Plan:

To remove the Delete lock, follow these steps:

  1. Sign in to the Azure portal as a user with appropriate permissions.

  2. Navigate to the Storage Account where the lock was applied.

  3. Go to the 'Locks' section:

    • In the left pane, click on Locks under the "Settings" section.

  4. Remove the lock:

    • Find the Delete lock in the list.

    • Click on the delete icon next to the lock you want to remove.

    • Confirm the removal of the lock.
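The three portal procedures above (Audit, Implementation Steps and Backout Plan) each have an Azure CLI equivalent, and an audit across many storage accounts is easier to script than to click through. The following Python example is added here and is not part of the benchmark text: it evaluates the JSON that `az storage account list` and `az lock list` print, treats a lock as protecting an account when the lock's scope is the account itself or an ancestor scope (its resource group or the subscription), since ARM locks are inherited by child resources, and emits the `az lock create` / `az lock delete` commands that correspond to the portal "Add lock" and "Remove lock" steps (the portal lock type "Delete" is the ARM lock level `CanNotDelete`). The subscription id, resource group names, account names and lock records are constructed samples, and the lock name `no-delete` is an assumed value.

```python
"""Audit Azure storage accounts for a Delete (CanNotDelete) lock.

Added example, not from the benchmark page. The record shapes mirror the
JSON printed by `az storage account list` and `az lock list` (subscription
wide). All ids, names and lock records below are constructed samples.
"""
import re

LOCK_SUFFIX = "/providers/Microsoft.Authorization/locks/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id


def sa_id(rg, name):
    """ARM resource id of a storage account (constructed sample helper)."""
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}"


# Constructed sample accounts, as `az storage account list` would list them.
SAMPLE_ACCOUNTS = [
    {"name": "stprodfinance", "id": sa_id("rg-prod", "stprodfinance")},
    {"name": "stsharedlogs", "id": sa_id("rg-shared", "stsharedlogs")},
    {"name": "stdevscratch", "id": sa_id("rg-dev", "stdevscratch")},
]

# Constructed sample locks, as `az lock list` would print them.
SAMPLE_LOCKS = [
    # Lock placed directly on the account, as the portal steps create it.
    {"name": "no-delete", "level": "CanNotDelete", "notes": "delete lock",
     "id": sa_id("rg-prod", "stprodfinance") + LOCK_SUFFIX + "no-delete"},
    # Resource-group-level lock: inherited by every resource in rg-shared.
    {"name": "rg-no-delete", "level": "CanNotDelete", "notes": None,
     "id": f"{SUB}/resourceGroups/rg-shared{LOCK_SUFFIX}rg-no-delete"},
    # ReadOnly lock on rg-dev: not the lock type this control asks for.
    {"name": "dev-readonly", "level": "ReadOnly", "notes": None,
     "id": f"{SUB}/resourceGroups/rg-dev{LOCK_SUFFIX}dev-readonly"},
]


def lock_scope(lock_id):
    """Scope an ARM lock protects: its id with the trailing lock segment removed."""
    idx = lock_id.lower().find(LOCK_SUFFIX.lower())
    if idx < 0:
        raise ValueError(f"not a lock id: {lock_id}")
    return lock_id[:idx]


def lock_covers(lock, resource_id):
    """True if the lock's scope is the resource itself or one of its ancestors."""
    scope = lock_scope(lock["id"]).lower()  # ARM ids compare case-insensitively
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def delete_locks_for(resource_id, locks):
    """Names of the CanNotDelete locks that apply to the resource."""
    return [l["name"] for l in locks
            if l["level"] == "CanNotDelete" and lock_covers(l, resource_id)]


def resource_group_of(resource_id):
    m = re.search(r"/resourceGroups/([^/]+)/", resource_id, re.IGNORECASE)
    if not m:
        raise ValueError(f"no resource group in id: {resource_id}")
    return m.group(1)


def remediation_command(account, lock_name="no-delete"):
    """az CLI equivalent of the portal 'Add lock' steps (portal type Delete == CanNotDelete)."""
    return (f"az lock create --name {lock_name} --lock-type CanNotDelete "
            f"--resource-group {resource_group_of(account['id'])} "
            f"--resource {account['name']} "
            f"--resource-type Microsoft.Storage/storageAccounts")


def backout_command(account, lock_name="no-delete"):
    """az CLI equivalent of the portal 'Remove lock' steps."""
    return (f"az lock delete --name {lock_name} "
            f"--resource-group {resource_group_of(account['id'])} "
            f"--resource {account['name']} "
            f"--resource-type Microsoft.Storage/storageAccounts")


def audit(accounts, locks):
    """Map each account name to the CanNotDelete locks protecting it ([] = finding)."""
    return {a["name"]: delete_locks_for(a["id"], locks) for a in accounts}


def findings(accounts, locks):
    """Accounts with no CanNotDelete lock, each paired with its remediation command."""
    report = audit(accounts, locks)
    return [(a["name"], remediation_command(a)) for a in accounts if not report[a["name"]]]


if __name__ == "__main__":
    # Live use (not run here): replace the samples with the CLI output, e.g.
    #   accounts = json.loads(subprocess.check_output(["az", "storage", "account", "list", "-o", "json"]))
    #   locks = json.loads(subprocess.check_output(["az", "lock", "list", "-o", "json"]))
    for name, names in audit(SAMPLE_ACCOUNTS, SAMPLE_LOCKS).items():
        print(f"{name}: {'locked by ' + ', '.join(names) if names else 'NO DELETE LOCK'}")
    for name, cmd in findings(SAMPLE_ACCOUNTS, SAMPLE_LOCKS):
        print(f"remediate {name}: {cmd}")
```

Replace the sample lists with live CLI output as shown in the `__main__` comment; the identity running the CLI needs rights to the `Microsoft.Authorization/locks/*` actions. The `ReadOnly` lock on the rg-dev sample also blocks deletion, but it is a different lock type from the one this control asks for, so the account under it is still reported as a finding.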

References: