Resource Locks – Compliance and Cloud Governance

Performing actions without caution can lead to the accidental deletion or modification of mission-critical workloads in your environment. In Azure, administrators can use locks to protect a subscription, resource group, or resource from being deleted or modified. A lock overrides any permission granted to you via RBAC: even if you are the owner of the subscription, your permissions on a locked resource are limited by the lock that is set.

There are two lock levels: CanNotDelete and ReadOnly. In the Azure portal, you will see these as Delete or Read-only, respectively.

  • CanNotDelete means that users are restricted from deleting the resource; however, the resource can still be modified. For example, if a CanNotDelete lock is applied to a virtual machine, users can start, stop, or update the VM properties, but they will not be able to delete the VM.
  • ReadOnly, as the name suggests, means you will be able to read the resource; deletion or modification of the resource is not permitted. Even if you have an Owner role, if this lock is applied to a resource, your permissions will be limited to that of a Reader role.

Locks also follow inheritance, as you saw in the case of RBAC and Azure Policy. For instance, if you apply a lock to a subscription, the lock is inherited by the resource groups and resources under that subscription. In other words, if you apply a lock to a parent scope, all resources under that scope inherit the lock.

One thing to keep in mind is that locks apply only to control plane actions; they cannot prevent changes that happen in the data plane. Control plane operations are API calls made to https://management.azure.com, whereas data plane operations are calls made to the service endpoint itself, such as a blob or any other storage service. When you execute an action on a storage blob, for instance, you will be sending the API calls to the following:

https://<storageAccountName>.blob.core.windows.net

  • The aforementioned URLs will not be accessible via a browser, as they are meant for API calls and require authentication headers for a proper response. These URLs are used by applications to perform Azure management actions programmatically.

Similarly, you can apply locks to databases, preventing accidental deletion or modification of the resource. However, a user can still log in to the database and amend the data stored in it. It is therefore especially important to understand the difference between data plane operations and control plane operations. Microsoft documentation lists scenarios for you to consider before applying locks. You can refer to the following:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-locks

To create or delete locks, you need to be an Owner or User Access Administrator. If you are using custom roles, then Microsoft.Authorization/* or Microsoft.Authorization/locks/* must be present in the actions section of the role. Let’s see how we can add a lock to a resource in Azure. The process works the same way for any scope where you want to assign a lock.
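As an added illustration (not part of the original post), the following Python model encodes the rules described above: segment-aware scope inheritance, what each lock level blocks, the control plane versus data plane distinction, and the custom-role actions check. The subscription id, resource group, resource names and locks are constructed sample values, not a real environment.

```python
"""Model of Azure resource-lock rules: inheritance, lock levels, control vs data plane."""
from fnmatch import fnmatchcase

# Control-plane operations blocked by each lock level (ReadOnly leaves Reader-like access)
BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"delete", "write"}}

# Constructed sample resource IDs (placeholder subscription id, not a real environment)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/prodlogs"
OTHER_VM = SUB + "/resourceGroups/prod-rg2/providers/Microsoft.Compute/virtualMachines/web02"

# Constructed locks: a Delete lock on the resource group, a Read-only lock on one storage account
LOCKS = [
    {"name": "no-delete", "scope": RG, "level": "CanNotDelete"},
    {"name": "frozen", "scope": STORAGE, "level": "ReadOnly"},
]


def in_scope(scope: str, resource_id: str) -> bool:
    """True if resource_id is the lock scope itself or lies beneath it.
    The comparison is segment-aware so /prod-rg does not match /prod-rg2."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def effective_locks(resource_id: str, locks: list) -> list:
    """All locks a resource inherits: those set on it or on any parent scope."""
    return [lk for lk in locks if in_scope(lk["scope"], resource_id)]


def is_blocked(resource_id: str, operation: str, plane: str, locks: list) -> bool:
    """Decide whether a delete/write/read call is refused by locks.
    Only control-plane (ARM) calls are evaluated; data-plane calls such as blob
    uploads or SQL statements are never stopped by a lock."""
    if plane != "control":
        return False
    return any(operation in BLOCKS[lk["level"]] for lk in effective_locks(resource_id, locks))


def can_manage_locks(actions, not_actions=()) -> bool:
    """Custom-role check: does the Actions list cover Microsoft.Authorization/locks/*
    (or the broader Microsoft.Authorization/*) without a NotActions exclusion?"""
    target = "microsoft.authorization/locks/write"
    allowed = any(fnmatchcase(target, a.lower()) for a in actions)
    denied = any(fnmatchcase(target, a.lower()) for a in not_actions)
    return allowed and not denied
```

The storage account ends up with both the inherited Delete lock and its own Read-only lock, so a control-plane update is refused while a blob upload to the same account goes through untouched.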
