Profile Applicability:

  • Level 1

Description:
 Delete locks prevent accidental or unauthorized deletion of Azure Storage Accounts by restricting delete operations. Applying Resource Manager Delete Locks ensures that critical storage accounts remain protected against deletion until the lock is explicitly removed.

Rationale:
 Applying delete locks safeguards important resources from accidental deletion or malicious actions, supporting operational continuity and data protection. It adds a layer of administrative control to resource management.

Impact:

Pros:

  • Prevents accidental or unauthorized deletion of storage accounts.

  • Enhances resource protection and operational stability.

  • Supports compliance with change management policies.

Cons:

  • Requires additional administrative steps to delete or modify locked resources.

  • May cause delays if locks are not tracked or communicated properly.

Default Value:
 Delete locks are not applied by default and must be configured manually.

Pre-requisites:

  • Permissions to manage resource locks in the Azure subscription.

  • Identification of critical storage accounts requiring protection.

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to the target Storage Account.

  3. Select Locks under the Settings section.

  4. Verify if a Delete lock exists.

Using Azure CLI:

  1. List locks on the storage account:

    az lock list --resource-group <resource-group> --resource-name <storage-account-name> --resource-type Microsoft.Storage/storageAccounts

  2. Confirm the presence of a lock with level set to Delete (reported as CanNotDelete in the CLI output).
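
To run this check across many accounts, the following added example (not part of the original benchmark text) reports storage accounts that have no Delete lock, counting locks inherited from a parent resource group or subscription. It assumes the lock list was saved from az lock list --output json and the account IDs from az storage account list --query "[].id"; the sample data, names and subscription ID are constructed placeholders.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
LOCK_MARKER = "/providers/microsoft.authorization/locks/"

# Constructed sample shaped like `az lock list --output json` (only the fields used here).
SAMPLE_LOCKS = [
    {"name": "rg-prod-nodelete", "level": "CanNotDelete",
     "id": f"{SUB}/resourcegroups/rg-prod/providers/Microsoft.Authorization/locks/rg-prod-nodelete"},
    {"name": "devlogs-nodelete", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/devlogs"
           "/providers/Microsoft.Authorization/locks/devlogs-nodelete"},
    {"name": "scratch-ro", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/devscratch"
           "/providers/Microsoft.Authorization/locks/scratch-ro"},
]

# Constructed storage account resource IDs.
SAMPLE_ACCOUNTS = [
    f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}"
    for rg, name in [("rg-prod", "proddata"), ("rg-dev", "devlogs"),
                     ("rg-dev", "devscratch"), ("rg-production", "archive")]
]


def lock_scope(lock):
    """Scope the lock is attached to: its resource ID minus the lock suffix, lower-cased."""
    return lock["id"].lower().rsplit(LOCK_MARKER, 1)[0]


def delete_locks_for(account_id, locks):
    """Names of CanNotDelete locks set on the account or inherited from a parent scope."""
    target = account_id.lower()  # Azure resource IDs are case-insensitive
    return [
        lock["name"] for lock in locks
        if lock["level"] == "CanNotDelete"
        # The trailing "/" keeps a lock on rg-prod from matching rg-production.
        and (target == lock_scope(lock) or target.startswith(lock_scope(lock) + "/"))
    ]


def unprotected_accounts(account_ids, locks):
    """Accounts with no applicable Delete lock; a ReadOnly-only account is reported too."""
    return [a for a in account_ids if not delete_locks_for(a, locks)]


if __name__ == "__main__":
    for account in unprotected_accounts(SAMPLE_ACCOUNTS, SAMPLE_LOCKS):
        print("No Delete lock:", account)
```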

Implementation Plan:

Using Azure Portal:

  1. In the storage account’s Locks section, add a new lock.

  2. Set the lock Level to Delete.

  3. Provide a descriptive name and notes, then save.

Using Azure CLI:

  1. Create a delete lock on the storage account:

    az lock create --name <lock-name> --resource-group <resource-group> --resource-name <storage-account-name> --resource-type Microsoft.Storage/storageAccounts --lock-type CanNotDelete

Backout Plan:

Using Azure Portal:

  1. Remove the delete lock when necessary by selecting the lock and deleting it.

  2. Communicate the removal to relevant teams.

Using Azure CLI:

  1. Delete the lock:

    az lock delete --name <lock-name> --resource-group <resource-group> --resource-type Microsoft.Storage/storageAccounts --resource-name <storage-account-name>
