Custom Role should be assigned for administering resource locks¶
Description¶
Resource lock functionality is a powerful configuration setting for preventing modification/deletion of sensitive resources. A best practice is to create a tightly scoped custom role rather than a broader “owner” or “contributor” role for administering resource locks, to reduce the risk of unintentional damage.
Remediation Steps¶
Azure Portal¶
Navigate to the subscription or resource group where you want the custom role to be assignable.
Select Access control (IAM).
Select Add.
Select Add custom role.
In the Custom Role Name field, enter Resource Lock Administrator.
In the Description field, enter Can Administer Resource Locks.
For Baseline permissions, select Start from scratch.
Click Next.
In the Permissions tab, select Add permissions.
In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions.
Select the checkbox next to the permission called Microsoft.Authorization/locks.
Click Add.
Click Review + create.
Click Create.
Assign the newly created role to the appropriate user.
PowerShell¶
Below is a PowerShell definition for a resource lock administrator role created at an Azure Management group level:
Import-Module Az.Accounts
Connect-AzAccount
$role = Get-AzRoleDefinition "User Access Administrator"
$role.Id = $null
$role.Name = "Resource Lock Administrator"
$role.Description = "Can Administer Resource Locks"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/locks/*") $role.AssignableScopes.Clear()
* Scope at the Management group level Management group
$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/ MG-Name")
New-AzRoleDefinition -Role $role
Get-AzureRmRoleDefinition "Resource Lock Administrator"