🛡️ Azure Storage Account uses Delete lock
- Contextual name: 🛡️ Storage Account uses Delete lock
- ID: /ce/ca/azure/storage/account-use-delete-lock
- Tags:
- Policy Type: BEST_PRACTICE
- Policy Categories: SECURITY, RELIABILITY
Description
Azure Resource Manager CanNotDelete (Delete) locks prevent users from accidentally or maliciously deleting a storage account. With the lock in place, the storage account can still be modified and used, but deleting the storage account resource first requires a user with appropriate permissions to remove the lock.
This feature is a protective control for the availability of data. By ensuring that a storage account or its parent resource group cannot be deleted without first removing the lock, the risk of data loss is reduced.
Rationale
Applying a Delete lock to storage accounts protects the availability of data by preventing the accidental or unauthorized deletion of the entire storage account. It is a fundamental protective control that can prevent data loss.
Impact
- Prevents the deletion of the storage account resource entirely.
- Prevents the deletion of the parent resource group containing the locked storage account resource.
- Does not prevent other control plane operations, including modification of configurations, network settings, containers, and access.
Remediation
From Azure Portal
- Navigate to the storage account in the Azure portal.
- Under the Settings section, select Locks.
- Select Add.
- Provide a Name, and choose Delete for the type of lock.
- Add a note about the lock if desired.
From Azure CLI
Replace the information within <> with appropriate values:
```bash
az lock create --name <lock> \
  --resource-group <resource-group> \
  --resource <storage-account> \
  --lock-type CanNotDelete \
  --resource-type Microsoft.Storage/storageAccounts
```
From PowerShell
Replace the information within <> with appropriate values:
```powershell
New-AzResourceLock -LockLevel CanNotDelete `
  -LockName <lock> `
  -ResourceName <storage-account> `
  -ResourceType Microsoft.Storage/storageAccounts `
  -ResourceGroupName <resource-group>
```
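The CIS control this policy maps to is marked Manual, so the check itself is left to the operator. The helper below is an added example, not code from Cloudaware or Microsoft: it classifies the JSON that `az lock list` prints for a storage account (at the storage-account scope, matching where the remediation above applies the lock), reports whether a delete-blocking lock is present, and builds the `az lock create` call from the Remediation section for a non-compliant account without executing it. It treats a `ReadOnly` lock as satisfying the policy too, since that level blocks deletion as well as updates. The sample lock listings, the resource names and the helper names (`audit`, `list_locks_argv`, `remediation_argv`, `run_live`) are constructed for this example.

```python
"""Added audit helper for the Delete-lock policy (example code, not the
page's or Microsoft's): classify `az lock list` JSON for a storage account
and build the page's `az lock create` remediation when a lock is missing."""
import json
import shlex
import subprocess
from typing import Any

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

# Lock levels that block deletion of the resource. A ReadOnly lock blocks
# deletion in addition to updates, so it also satisfies this policy.
DELETE_BLOCKING_LEVELS = {"CanNotDelete", "ReadOnly"}


def audit(locks_json: str) -> dict[str, Any]:
    """Return {'compliant': bool, 'locks': [names of delete-blocking locks]}."""
    locks = json.loads(locks_json)
    blocking = sorted(
        lock["name"] for lock in locks if lock.get("level") in DELETE_BLOCKING_LEVELS
    )
    return {"compliant": bool(blocking), "locks": blocking}


def list_locks_argv(resource_group: str, storage_account: str) -> list[str]:
    """Argument vector for the `az lock list` call whose output `audit` reads.
    This lists locks applied at the storage-account scope (the scope the
    Remediation section uses)."""
    return [
        "az", "lock", "list",
        "--resource-group", resource_group,
        "--resource", storage_account,
        "--resource-type", STORAGE_TYPE,
        "--output", "json",
    ]


def remediation_argv(resource_group: str, storage_account: str, lock_name: str) -> list[str]:
    """The `az lock create` call from the Remediation section, as an argv list."""
    return [
        "az", "lock", "create",
        "--name", lock_name,
        "--resource-group", resource_group,
        "--resource", storage_account,
        "--lock-type", "CanNotDelete",
        "--resource-type", STORAGE_TYPE,
    ]


# Constructed sample outputs shaped like `az lock list` JSON (only the fields
# the audit reads are filled in; not captured from a real subscription).
SAMPLE_UNLOCKED = "[]"
SAMPLE_DELETE_LOCKED = json.dumps(
    [{"name": "no-delete", "level": "CanNotDelete", "notes": "Policy: delete lock"}]
)
SAMPLE_READONLY_LOCKED = json.dumps([{"name": "frozen", "level": "ReadOnly", "notes": None}])


def run_live(resource_group: str, storage_account: str, lock_name: str = "no-delete") -> dict[str, Any]:
    """Query a real subscription (needs a logged-in Azure CLI). Prints the
    remediation command for a non-compliant account but does not run it."""
    completed = subprocess.run(
        list_locks_argv(resource_group, storage_account),
        check=True, capture_output=True, text=True,
    )
    result = audit(completed.stdout)
    if not result["compliant"]:
        print("Non-compliant; suggested remediation:")
        print("  " + shlex.join(remediation_argv(resource_group, storage_account, lock_name)))
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, sample in [
        ("no locks", SAMPLE_UNLOCKED),
        ("CanNotDelete lock", SAMPLE_DELETE_LOCKED),
        ("ReadOnly lock", SAMPLE_READONLY_LOCKED),
    ]:
        print(f"{label}: {audit(sample)}")
```

To use it against a real account, call `run_live("<resource-group>", "<storage-account>")`; a lock applied at the resource-group or subscription scope also protects the account but is not returned by the resource-scoped listing used here, so check those scopes separately if your environment relies on inherited locks.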
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
---|---|---|---|---|---
💼 CIS Azure v4.0.0 → 💼 10.3.10 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts (Manual) | 1 | no data | | |
💼 Cloudaware Framework → 💼 Data Protection and Recovery | 16 | no data | | |