Azure Storage Account uses ReadOnly lock
- Contextual name: Storage Account uses ReadOnly lock
- ID: /ce/ca/azure/storage/account-use-readonly-lock
- Located in: Azure Storage
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: SECURITY, RELIABILITY
Description
Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CanNotDelete-type resource manager lock.

This feature prevents POST operations on a storage account and its containers at the Azure Resource Manager control plane, management.azure.com. Blocked operations include listKeys, which prevents clients from obtaining the account shared access keys.

Microsoft does not recommend ReadOnly locks for storage accounts with Azure Files and Table service containers.

The Azure Resource Manager REST API documentation (spec) provides information about the control plane POST operations for Microsoft.Storage resources.

Rationale
Applying a ReadOnly lock on storage accounts protects the confidentiality and availability of data by preventing the accidental or unauthorized deletion of the entire storage account and modification of the account, container properties, or access permissions. It can offer enhanced protection for blob and queue workloads, with tradeoffs in usability and compatibility for clients using account shared access keys.
Remediation
From Azure Portal
- Navigate to the storage account in the Azure portal.
- Under the Settings section, select Locks.
- Select Add.
- Provide a Name, and choose ReadOnly for the type of lock.
- Add a note about the lock if desired.
From Azure CLI
Replace the information within <> with appropriate values:
az lock create --name <lock> \
  --resource-group <resource-group> \
  --resource <storage-account> \
  --lock-type ReadOnly \
  --resource-type Microsoft.Storage/storageAccounts
From PowerShell
Replace the information within <> with appropriate values:
New-AzResourceLock -LockLevel ReadOnly `
  -LockName <lock> `
  -ResourceName <storage-account> `
  -ResourceType Microsoft.Storage/storageAccounts `
  -ResourceGroupName <resource-group>
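The check behind this policy, as an added example rather than Cloudaware's own rule logic: it evaluates each storage account against the lock records returned for it (items shaped like `az lock list --output json`, using the `level` and `id` fields), treats locks inherited from the resource group or subscription scope as applying, and marks accounts serving Azure Files or Table for review instead of compliance, following the caveat in the description. The account inventory, the `services_in_use` attribute and all resource ids are constructed assumptions; `CanNotDelete` is the lock level spelling the CLI accepts.

```python
from dataclasses import dataclass, field

READ_ONLY = "ReadOnly"           # lock levels accepted by `az lock create --lock-type`
CAN_NOT_DELETE = "CanNotDelete"
LOCK_MARKER = "/providers/microsoft.authorization/locks/"

@dataclass
class StorageAccount:
    resource_id: str
    services_in_use: set = field(default_factory=set)  # assumption: from an inventory

def lock_applies(lock: dict, resource_id: str) -> bool:
    """ARM locks are inherited: a lock applies when its scope is the resource
    itself or a parent (resource group or subscription)."""
    scope = lock["id"].lower().split(LOCK_MARKER)[0]
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def evaluate(account: StorageAccount, locks: list) -> str:
    levels = {l["level"] for l in locks if lock_applies(l, account.resource_id)}
    files_or_table = bool(account.services_in_use & {"file", "table"})
    if READ_ONLY in levels:
        # Lock is in place; flag workloads where Microsoft advises against it.
        return "REVIEW" if files_or_table else "COMPLIANT"
    if files_or_table:
        return "EXEMPT"       # ReadOnly not recommended here; consider CanNotDelete
    if CAN_NOT_DELETE in levels:
        return "PARTIAL"      # deletion blocked, but updates and listKeys still allowed
    return "NON_COMPLIANT"

# Constructed sample inventory and lock records (shape of `az lock list` items).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-data"
ACCOUNTS = [
    StorageAccount(RG + "/providers/Microsoft.Storage/storageAccounts/blobarchive", {"blob"}),
    StorageAccount(RG + "/providers/Microsoft.Storage/storageAccounts/appqueues", {"queue"}),
    StorageAccount(SUB + "/resourceGroups/rg-files/providers/Microsoft.Storage/storageAccounts/shares", {"file"}),
]
LOCKS = [
    {"name": "ro-lock", "level": READ_ONLY,
     "id": ACCOUNTS[0].resource_id + "/providers/Microsoft.Authorization/locks/ro-lock"},
    {"name": "rg-nodelete", "level": CAN_NOT_DELETE,
     "id": RG + "/providers/Microsoft.Authorization/locks/rg-nodelete"},
]

def report() -> dict:
    """Map each account name to its lock-coverage status."""
    return {a.resource_id.rsplit("/", 1)[1]: evaluate(a, LOCKS) for a in ACCOUNTS}
```

Feeding real `az lock list` output in place of `LOCKS` is enough to run the same evaluation against a subscription; the PARTIAL status is the case a CanNotDelete lock on the resource group alone produces.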
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v4.0.0 → 10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts (Manual) | 1 | | |
Cloudaware Framework → Data Protection and Recovery | 15 | | |