Azure Storage Account uses Delete lock
- Contextual name: Storage Account uses Delete lock
- ID: /ce/ca/azure/storage/account-use-delete-lock
- Located in: Azure Storage
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: SECURITY, RELIABILITY
Description
Azure Resource Manager CanNotDelete (Delete) locks prevent users from accidentally or maliciously deleting a storage account. While the lock is in place the storage account can still be modified and used, but deleting the storage account resource first requires a user with appropriate permissions to remove the lock.
This feature is a protective control for the availability of data. Because neither the storage account nor its parent resource group can be deleted without first removing the lock, the risk of data loss is reduced.
Rationale
Applying a Delete lock to storage accounts protects the availability of data by preventing accidental or unauthorized deletion of the entire storage account. It is a fundamental protective control against data loss.
Impact
- Prevents the deletion of the Storage account Resource entirely.
- Prevents the deletion of the parent Resource Group containing the locked Storage account resource.
- Does not prevent other control plane operations, including modification of configurations, network settings, containers, and access.
Remediation
From Azure Portal
- Navigate to the storage account in the Azure portal.
- Under the Settings section, select Locks.
- Select Add.
- Provide a Name, and choose Delete for the type of lock.
- Add a note about the lock if desired.
From Azure CLI
Replace the information within <> with appropriate values:
az lock create --name <lock> \
  --resource-group <resource-group> \
  --resource <storage-account> \
  --lock-type CanNotDelete \
  --resource-type Microsoft.Storage/storageAccounts
From PowerShell
Replace the information within <> with appropriate values:
New-AzResourceLock -LockLevel CanNotDelete `
  -LockName <lock> `
  -ResourceName <storage-account> `
  -ResourceType Microsoft.Storage/storageAccounts `
  -ResourceGroupName <resource-group>
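Because a lock on the resource group or the subscription also protects the account (ARM locks are inherited by child scopes), checking for this control means looking at every parent scope, not just the account itself. The audit below is an added example, not Cloudaware's policy code: it takes the JSON shape of `az lock list` (fields name, level, id) plus a list of storage account resource IDs, both constructed here under a placeholder subscription, and reports accounts that no CanNotDelete lock (or the stricter ReadOnly lock, which also blocks deletion) covers.

```python
# Lock levels that block deletion. CanNotDelete is what this policy asks for;
# ReadOnly is stricter and also prevents deletion.
DELETE_BLOCKING_LEVELS = {"CanNotDelete", "ReadOnly"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG = SUB + "/resourceGroups/"
ST = "/providers/Microsoft.Storage/storageAccounts/"
LOCK = "/providers/Microsoft.Authorization/locks/"

SAMPLE_LOCKS = [  # constructed, in the shape of `az lock list` output
    {"name": "lock-stlogs", "level": "CanNotDelete",
     "id": RG + "rg-prod" + ST + "stlogs" + LOCK + "lock-stlogs"},
    {"name": "lock-rg-archive", "level": "CanNotDelete",
     "id": RG + "rg-archive" + LOCK + "lock-rg-archive"},
    {"name": "ro-stmetrics", "level": "ReadOnly",
     "id": RG + "rg-dev" + ST + "stmetrics" + LOCK + "ro-stmetrics"},
]
SAMPLE_ACCOUNTS = [  # constructed storage account resource IDs
    RG + "rg-prod" + ST + "stlogs",       # locked directly
    RG + "rg-archive" + ST + "stbackup",  # inherits the resource-group lock
    RG + "rg-dev" + ST + "stmetrics",     # ReadOnly lock also blocks deletion
    RG + "rg-dev" + ST + "stscratch",     # no lock at any scope: finding
    RG + "rg-archive2" + ST + "stmisc",   # rg-archive2 must not match rg-archive
]

def lock_scope(lock_id: str) -> str:
    """Scope a lock protects: its ID minus the trailing .../locks/<name> part,
    lower-cased because ARM resource IDs are case-insensitive."""
    lowered = lock_id.lower()
    idx = lowered.find(LOCK.lower())
    return lowered[:idx] if idx >= 0 else lowered

def is_delete_protected(account_id: str, locks: list) -> bool:
    """True if a delete-blocking lock sits on the account or any parent scope."""
    target = account_id.lower()
    for lock in locks:
        if lock.get("level") not in DELETE_BLOCKING_LEVELS:
            continue
        scope = lock_scope(lock["id"])
        # Match on a path boundary so ".../rg-archive" never covers ".../rg-archive2".
        if target == scope or target.startswith(scope + "/"):
            return True
    return False

def find_unprotected(account_ids: list, locks: list) -> list:
    """Storage account IDs with no delete-blocking lock at any scope."""
    return [a for a in account_ids if not is_delete_protected(a, locks)]
```

On a real subscription, feed `find_unprotected` the parsed output of `az lock list --subscription <sub>` and the IDs from `az storage account list --query "[].id"`.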
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| CIS Azure v4.0.0 > 10.3.10 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts (Manual) | 1 | | | |
| Cloudaware Framework > Data Protection and Recovery | 15 | | | |