Description
Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.
Rationaleβ
Given the resource lock functionality is outside of standard Role Based Access Control(RBAC),s it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.
Impactβ
By adding this role, specific permissions may be granted for managing just resource locks rather than needing to provide the wide Owner or User Access Administrator role, reducing the risk of the user being able to do unintentional damage.
Auditβ
From Azure Portalβ
- In the Azure portal, open a subscription or resource group where you want to view assigned roles.
- Select
Access control (IAM). - Select
Roles. - Search for the custom role named "role_name" e.g. from remediation
Resource Lock Administrator. - Ensure that the role is assigned to the appropriate users.
Referencesβ
- https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
- https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy