Description:

Resource locks in Azure are used to prevent accidental or unauthorized changes to critical resources. By applying resource locks to mission-critical Azure resources (such as Virtual Machines, Databases, Storage Accounts, and App Services), you can prevent them from being accidentally deleted or modified. There are two types of locks:

  • CanNotDelete: Prevents a resource from being deleted, but allows changes to be made.

  • ReadOnly: Prevents both deletion and modification, essentially making the resource read-only.

Applying resource locks to mission-critical resources helps protect the integrity and availability of essential workloads and ensures that these resources cannot be inadvertently altered or deleted during operations.

Rationale:

By ensuring that resource locks are set for mission-critical resources, you can safeguard these resources from accidental changes or deletions that might otherwise disrupt business operations. This is particularly important for resources that support production environments, sensitive data, or high-availability services. Resource locks enhance security and operational stability, ensuring that only authorized personnel can modify or delete critical infrastructure.

Impact:

Enabling resource locks ensures that mission-critical resources are protected from accidental deletions or changes. However, it may introduce operational complexity for resource management, as it may require specific permissions to remove or modify locked resources. Careful consideration is needed to balance protection with the need for ongoing resource updates and maintenance.

Default Value:

By default, resource locks are not enabled for any resources in Azure, and users can modify or delete resources unless explicitly restricted.

Pre-requisites:

  • Azure subscription with mission-critical resources deployed.

  • Owner or Contributor role permissions to apply resource locks.

  • Permission to manage locks on the target resources (the Microsoft.Authorization/locks/* actions) is required to create, edit, or remove locks.

Audit:

  1. Sign in to the Azure portal as an Owner or Contributor.

  2. Navigate to the resource (e.g., Virtual Machine, Storage Account, Database) you want to lock.

  3. Verify that the resource lock is applied to the mission-critical resource and that it is set to CanNotDelete or ReadOnly based on your organizational needs.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to the Mission-Critical Resource:

    • In the Azure portal, go to the specific resource that you want to protect (e.g., Virtual Machines, Storage Accounts, Databases).

  3. Apply Resource Lock:

    • For the resource, go to the Settings section and find Locks under the Operations tab.

    • Select + Add to create a new lock.

    • Choose either:

      • CanNotDelete: This prevents the resource from being deleted but allows changes.

      • ReadOnly: This prevents both deletion and modifications, making the resource read-only.

    • Name the lock (e.g., "Mission-Critical Resource Lock").

    • Click OK to apply the lock.

  4. Verify the Resource Lock:

    • After the lock is applied, go back to the Locks section for the resource to verify that the lock is in place and set to the correct type (e.g., CanNotDelete or ReadOnly).

    • Ensure that only the designated users have the necessary permissions to manage or remove the lock.

  5. Monitor the Lock Status:

    • Periodically review and audit the resource lock configurations to ensure that locks are still applied to mission-critical resources.

    • Use Azure Policy or Azure Monitor to track compliance and ensure that no critical resource locks are inadvertently removed or modified.

  6. Use Azure CLI or PowerShell to Automate Lock Application (Optional):

    • If you prefer to automate the process of applying resource locks to multiple resources, you can use Azure CLI or PowerShell.

  7. Test the Resource Lock:

    • Try to delete or modify the locked resource. Ensure that an error message is returned, indicating that the resource is locked and cannot be deleted or modified unless the lock is removed.

    • Ensure that the lock prevents unauthorized users from making changes to the critical resource.

  8. Audit and Review:

    • Regularly audit the Locks section in the Azure portal or use Azure CLI to list all resources with locks applied and confirm that the appropriate resources are protected.
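The following script is an added example covering both the optional automation step and the Audit and Review step above; it is not part of the original benchmark text. It assumes the Az PowerShell module is installed, Connect-AzAccount has been run against the target subscription, and that mission-critical resources are identified by an assumed tag (criticality=mission-critical).

```powershell
# Added example, not part of the original benchmark. Assumes the Az PowerShell module
# is installed and Connect-AzAccount has been run against the target subscription.
# The tag name/value used to identify mission-critical resources are assumptions.
param(
    [string]$TagName   = 'criticality',        # assumed tag marking critical resources
    [string]$TagValue  = 'mission-critical',
    [ValidateSet('CanNotDelete', 'ReadOnly')]
    [string]$LockLevel = 'CanNotDelete',       # ReadOnly also blocks key listing etc.
    [switch]$Apply                             # without -Apply the script only audits
)

# Returns the locks set directly on one resource (empty when none).
function Get-LocksForResource($Resource) {
    Get-AzResourceLock -ResourceName $Resource.Name -ResourceType $Resource.ResourceType `
        -ResourceGroupName $Resource.ResourceGroupName -ErrorAction SilentlyContinue
}

$critical = @(Get-AzResource -Tag @{ $TagName = $TagValue })
Write-Output "Found $($critical.Count) resource(s) tagged $TagName=$TagValue"

$unlocked = @()
foreach ($r in $critical) {
    $locks = Get-LocksForResource $r
    if ($locks) {
        $levels = ($locks | ForEach-Object { $_.Properties.level }) -join ','
        Write-Output "OK      $($r.ResourceId) [$levels]"
        continue
    }
    if ($Apply) {
        # Automation step: create the lock in the same shape as the manual portal steps.
        New-AzResourceLock -LockName 'Mission-Critical Resource Lock' -LockLevel $LockLevel `
            -ResourceName $r.Name -ResourceType $r.ResourceType `
            -ResourceGroupName $r.ResourceGroupName `
            -LockNotes "Applied by lock automation $(Get-Date -Format u)" -Force | Out-Null
        Write-Output "LOCKED  $($r.ResourceId) -> $LockLevel"
    } else {
        $unlocked += $r
    }
}

# Audit and Review step: anything still unlocked is a finding to remediate or justify.
if ($unlocked.Count -gt 0) {
    Write-Warning "$($unlocked.Count) mission-critical resource(s) have NO lock:"
    $unlocked | Select-Object ResourceGroupName, Name, ResourceType | Format-Table -AutoSize
    exit 1
}
Write-Output 'Audit passed: every tagged resource has a lock.'
```

Run without -Apply as a scheduled audit (the non-zero exit code makes a missing lock visible to a pipeline); run with -Apply to remediate. CanNotDelete is the default because a ReadOnly lock also blocks management operations such as listing storage account keys.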

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to the Resource Locks:

    • Go to the resource that has the lock applied and open the Locks section.

  3. Remove or Modify the Lock:

    • Select the lock that you want to remove or modify (e.g., changing from ReadOnly to CanNotDelete).

    • Click Delete or Edit to remove or modify the lock.

  4. Verify the Lock Removal:

    • Confirm that the lock has been removed or modified and that you can now make changes to the resource.

  5. Test Resource Access:

    • Verify that the resource is now accessible and can be modified or deleted as necessary after the lock is removed.

References: