The Azure Resource Lock feature helps prevent deletion and modification of the Azure resources to which a lock has been applied. You might be wondering how it differs from Azure RBAC (Role-Based Access Control) and what advantages it offers. RBAC is the first line of defense for restricting access to Azure resources: with it you can restrict access to resources and to resource actions. RBAC alone will not be sufficient across all environments, especially from the Test environment onwards. RBAC and resource locks do not conflict with each other; they complement each other and should be applied as a standard practice/pattern across all Azure subscriptions in your organization.
Assume you are an administrator, which means you have full access to all your resources. Resource locks give administrators a way to lock down Azure resources to prevent deletion and modification of a resource. A resource lock applies to all users regardless of their roles.
There are 2 types of Resource Locks:
- CanNotDelete — the resource can be modified but not deleted.
- ReadOnly — the resource can neither be deleted nor modified. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Pre-Requisites:
To create or delete resource locks, you must have access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
Applying Resource Lock using Azure Portal
- Navigate to the resource, resource group, or subscription you wish to lock in the Azure Portal.
- In the main blade, select the “Locks” icon.
- Provide a lock name and description, and select the lock type: Delete or Read-only.
- Click OK to save the lock. The resource is now protected.
- In the future, if you want to change the lock type or delete the lock, navigate to “Resource” — “Locks”
Note: You can automate the process of applying a resource lock using an ARM template, Azure PowerShell, Azure CLI, or the REST API.
Resource locks can be applied to subscriptions, resource groups, or individual resources. When you lock at the subscription level, all resources in that subscription, including the ones added later, inherit the same lock. Considerations before applying locks can be found here
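To audit how that inheritance plays out, the sketch below works out the effective lock on each resource from a list of lock records. It is an added example, not code from the original post. The `id` and `level` record fields, the helper names, and all subscription, group and resource IDs are constructed assumptions shaped like ARM resource IDs.

```python
# Added example: resolve the effective lock on each resource from lock scopes.
# All IDs below are constructed sample data, not from a real subscription.
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # ReadOnly is the more restrictive type

def lock_scope(lock_id):
    """Scope a lock applies to: its resource ID minus the trailing lock segment."""
    lowered = lock_id.lower()  # ARM resource IDs are compared case-insensitively
    cut = lowered.rfind(LOCK_SUFFIX)
    if cut == -1:
        raise ValueError(f"not a lock resource ID: {lock_id}")
    return lowered[:cut]

def effective_lock(resource_id, locks):
    """Most restrictive lock inherited from subscription, group or resource scope."""
    rid = resource_id.lower().rstrip("/")
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # A lock covers its own scope and everything nested beneath it.
        # The "/" guard stops rg-prod from matching rg-production.
        if rid == scope or rid.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best

def audit(resource_ids, locks):
    """Map each resource ID to its effective lock level (None = unprotected)."""
    return {rid: effective_lock(rid, locks) for rid in resource_ids}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups"
AUTH = "providers/Microsoft.Authorization/locks"
SAMPLE_LOCKS = [
    {"id": f"{RG}/rg-prod/{AUTH}/no-delete", "level": "CanNotDelete"},
    {"id": f"{RG}/rg-prod/providers/Microsoft.Sql/servers/sql01/{AUTH}/freeze",
     "level": "ReadOnly"},
]
SAMPLE_RESOURCES = [
    f"{RG}/rg-prod/providers/Microsoft.Sql/servers/sql01",
    f"{RG}/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod",
    f"{RG}/rg-test/providers/Microsoft.Storage/storageAccounts/sttest",
    f"{RG}/rg-production/providers/Microsoft.Web/sites/app1",
]

if __name__ == "__main__":
    for rid, level in audit(SAMPLE_RESOURCES, SAMPLE_LOCKS).items():
        print(f"{level or 'UNLOCKED':<13} {rid.split('/')[-1]}")
```

Resources reported as unlocked are the ones that RBAC alone is protecting.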
Reference:
https://docs.microsoft.com/en-gb/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
Originally published at https://rajurh.blogspot.com on April 26, 2021.