🛡️ Azure Storage Account uses Delete lock🟢⚪
- Contextual name: 🛡️ Storage Account uses Delete lock🟢⚪
- ID:
/ce/ca/azure/storage/account-use-delete-lock - Tags:
- Policy Type:
BEST_PRACTICE - Policy Categories:
SECURITY,RELIABILITY
Description
Description
Azure Resource Manager CannotDelete (Delete) locks can prevent users from accidentally or maliciously deleting a storage account. This feature ensures that while the Storage account can still be modified or used, deletion of the Storage account resource requires removal of the lock by a user with appropriate permissions.
This feature is a protective control for the availability of data. By ensuring that a storage account or its parent resource group cannot be deleted without first removing the lock, the risk of data loss is reduced.
While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining storage accounts that require CannotDelete locks depends on the context and requirements of each organization and environment.
Rationale
Applying a Delete lock on storage accounts protects the availability of data by preventing the accidental or unauthorized deletion of the entire storage account. It is a fundamental protective control that can prevent data loss
... see more
Remediation
Remediation
From Azure Portal
- Navigate to the storage account in the Azure portal.
- Under the
Settingssection, selectLocks.- Select
Add.- Provide a Name, and choose
Deletefor the type of lock.- Add a note about the lock if desired.
From Azure CLI
Replace the information within <> with appropriate values:
az lock create --name <lock> \ --resource-group <resource-group> \ --resource <storage-account> \ --lock-type CanNotDelete \ --resource-type Microsoft.Storage/storageAccountsFrom Powershell
Replace the information within <> with appropriate values:
New-AzResourceLock -LockLevel CanNotDelete ` -LockName <lock> ` -ResourceName <storage-account> ` -ResourceType Microsoft.Storage/storageAccounts ` -ResourceGroupName <resource-group>
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v5.0.0 → 💼 9.3.9 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts (Manual) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Data Protection and Recovery | 18 | no data |