iCompaas Support

Profile Applicability:

• Level 2

Description:
 ReadOnly locks restrict modifications and deletions on Azure Storage Accounts by allowing only read operations. Considering and applying ReadOnly locks helps prevent accidental or unauthorized changes, preserving the integrity and availability of critical storage resources.

Rationale:
 Applying ReadOnly locks enforces strict control over storage accounts, minimizing risks of configuration drift, unintended changes, or disruptions. This supports compliance with governance and change management policies.

Impact:

Pros:

• Prevents modifications and deletions to storage accounts.
  

• Enhances stability and security of critical resources.
  

• Supports audit and compliance requirements.
  

Cons:

• Limits legitimate updates; requires lock removal for changes.
  

• May cause operational delays if not managed properly.
  

Default Value:
 ReadOnly locks are not applied by default and require manual configuration.

Pre-requisites:

• Permissions to manage resource locks in Azure.
  

• Identification of storage accounts requiring read-only protection.
  

Remediation

Test Plan:

Using Azure Portal:

1. Sign in to https://portal.azure.com.
   

2. Navigate to the Storage Account.
   

3. Under Locks in the Settings section, check for ReadOnly locks.
   

4. Verify presence or absence of ReadOnly locks.
   

Using Azure CLI:

1. List locks on the storage account:
   

   # az lock list --resource-group <resource-group> --resource-name <storage-account-name> --resource-type Microsoft.Storage/storageAccounts

2. Confirm if any lock has level set to ReadOnly.
   

Implementation Plan

Using Azure Portal:

1. Add a new lock in the storage account’s Locks section.
   

2. Set the lock Level to ReadOnly.
   

3. Provide a name and description, then save.
   

Using Azure CLI:

1. Create a ReadOnly lock on the storage account:
   

   # az lock create --name <lock-name> --resource-group <resource-group> --resource-name <storage-account-name> --resource-type Microsoft.Storage/storageAccounts --lock-type ReadOnly

Backout Plan

Using Azure Portal:

1. Remove the ReadOnly lock by deleting it when changes are required.
   

2. Notify relevant teams of the removal.
   

Using Azure CLI:

1. Delete the lock:
   

   # az lock delete --name <lock-name> --resource-group <resource-group> --resource-type Microsoft.Storage/storageAccounts --resource-name <storage-account-name>

References:

• Manage Azure Resource Locks
  Lock Levels in Azure