🛡️ Azure Storage Account uses ReadOnly lock🟢⚪

• Contextual name: 🛡️ Storage Account uses ReadOnly lock🟢⚪
• ID: /ce/ca/azure/storage/account-use-readonly-lock
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: BEST_PRACTICE
• Policy Categories: SECURITY, RELIABILITY

Description

Open File

Description

Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CannotDelete-type of resource manager lock.

This feature prevents POST operations on a storage account and containers to the Azure Resource Manager control plane, management.azure.com. Blocked operations include listKeys which prevents clients from obtaining the account shared access keys.

Microsoft does not recommend ReadOnly locks for storage accounts with Azure Files and Table service containers.

This Azure Resource Manager REST API documentation (spec) provides information about the control plane POST operations for Microsoft.Storage resources.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining storage accounts that require ReadOnly locks depends on the context and requirements of each organization and environment.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Navigate to the storage account in the Azure portal.
2. Under the Settings section, select Locks.
3. Select Add.
4. Provide a Name, and choose ReadOnly for the type of lock.
5. Add a note about the lock if desired.

From Azure CLI

Replace the information within <> with appropriate values:

az lock create --name <lock> \ --resource-group <resource-group> \ --resource <storage-account> \ --lock-type ReadOnly \ --resource-type Microsoft.Storage/storageAccounts

From Powershell

Replace the information within <> with appropriate values:

New-AzResourceLock -LockLevel ReadOnly ` -LockName <lock> ` -ResourceName <storage-account> ` -ResourceType Microsoft.Storage/storageAccounts ` -ResourceGroupName <resource-group>

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 9.3.10 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts (Manual)			1		no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery			18		no data