🛡️ Azure Storage Account uses ReadOnly lock🟢⚪

• Contextual name: 🛡️ Storage Account uses ReadOnly lock🟢⚪
• ID: /ce/ca/azure/storage/account-use-readonly-lock
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: BEST_PRACTICE
• Policy Categories: SECURITY, RELIABILITY

Description

Open File

Description

Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CannotDelete-type of resource manager lock.

This feature prevents POST operations on a storage account and containers to the Azure Resource Manager control plane, management.azure.com. Blocked operations include listKeys which prevents clients from obtaining the account shared access keys.

Microsoft does not recommend ReadOnly locks for storage accounts with Azure Files and Table service containers.

This Azure Resource Manager REST API documentation (spec) provides information about the control plane POST operations for Microsoft.Storage resources.

Rationale

Applying a ReadOnly lock on storage accounts protects the confidentiality and availability of data by preventing the accidental or unauthorized deletion of the entire storage account and modification of the account, container properties, or access permissions. It can offer enhanced protection for blob and queue workloads with tradeoffs in usability and compatibility for clients using account shared access keys.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Navigate to the storage account in the Azure portal.
2. Under the Settings section, select Locks.
3. Select Add.
4. Provide a Name, and choose ReadOnly for the type of lock.
5. Add a note about the lock if desired.

From Azure CLI

Replace the information within <> with appropriate values:

az lock create --name <lock> \ --resource-group <resource-group> \ --resource <storage-account> \ --lock-type ReadOnly \ --resource-type Microsoft.Storage/storageAccounts

From Powershell

Replace the information within <> with appropriate values:

New-AzResourceLock -LockLevel ReadOnly ` -LockName <lock> ` -ResourceName <storage-account> ` -ResourceType Microsoft.Storage/storageAccounts ` -ResourceGroupName <resource-group>

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v4.0.0 → 💼 10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts (Manual)			1		no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery			16		no data