Recently I have been improving the security of my Azure subscriptions. I wanted to protect some resources from accidental deletion, and I also wanted to protect resources such as NSGs from accidental changes. To accomplish this I decided to use Azure Locks. Azure Locks come in two different levels, CanNotDelete and ReadOnly. In the Azure Portal, you will notice that the locks are called Delete and Read-only.
- CanNotDelete (Delete) means authorised users still have read and modify access to the resource, but are unable to delete the resource (depending on the user's role).
- ReadOnly (Read-Only) means authorised users can only read the resource. They will not be able to modify or delete the resource. This lock is similar to restricting all authorised users to the Reader role.
You can apply locks at the subscription level, resource group level, or on individual resources. If you set a lock at the subscription level, all resources in that subscription (including ones you add later) inherit the same lock. The same goes for the resource group level.
Note: When locks are inherited, the most restrictive lock in the chain takes precedence.
The roles that can create or delete locks
To be able to create or delete a lock, the user will need access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions if you are creating your own RBAC roles. If you are only using built-in roles, then only Owner and User Access Administrator have the permissions needed.
Let’s create some locks
Locks can be created at the time of creation of a resource using an ARM Template, or by using the Azure Portal or PowerShell. Below I will show you the Portal method and the PowerShell method.
Portal Method
1. Navigate to the resource, resource group, or subscription that you would like to add a lock to.
2. Click Add.
3. Type a Lock Name and select the lock level (Delete or Read-Only). You can also add a note.
4. You will now see the lock in the Locks blade.
5. To delete the lock, click on the ellipsis (…) and choose Delete from the options.
The PowerShell Way
To lock a resource using PowerShell you can use the New-AzureRmResourceLock cmdlet.
To lock a resource you can run the following PowerShell in the Cloud Shell. Just make sure you change the variables at the top to match your resources. You can also change the -LockLevel to ReadOnly.
# Resource Lock
$LockName = "LockCloudWitnes"
$ResourceName = "pixelcloudwitness"
# Look up the resource type so it does not have to be typed by hand
$ResourceType = (Get-AzureRmResource -Name $ResourceName).ResourceType
$RGName = "PIXELLAB"
New-AzureRmResourceLock -LockLevel CanNotDelete -LockName $LockName -ResourceName $ResourceName -ResourceType $ResourceType -ResourceGroupName $RGName
To lock a resource group you can use the following cmdlet. Just make sure you change the variables at the top to match your resources. You can also change the -LockLevel to ReadOnly
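As an added example (this is not a snippet from the original post), the following applies a CanNotDelete lock to a whole resource group so that every resource inside it, including ones added later, inherits the lock. The variable values "PIXELLAB" and "PIXELLABLock" are reused from the post's other snippets; the -LockNotes text is a made-up placeholder.

```powershell
# Added example: lock an entire resource group rather than a single resource.
# Change these two variables to match your environment.
$LockName = "PIXELLABLock"
$RGName   = "PIXELLAB"

# -LockNotes is optional but worth filling in: the note is shown in the Portal
# and tells the next administrator why the lock exists before they remove it.
# -Force suppresses the confirmation prompt so this can run unattended.
New-AzureRmResourceLock -LockLevel CanNotDelete `
    -LockName $LockName `
    -ResourceGroupName $RGName `
    -LockNotes "Placeholder note: contact the platform team before removing" `
    -Force

# Confirm the lock is in place. Swap CanNotDelete for ReadOnly above if
# changes as well as deletions should be blocked for the whole group.
Get-AzureRmResourceLock -ResourceGroupName $RGName -LockName $LockName
```

Because the lock is applied at the resource group scope, no -ResourceName or -ResourceType is needed; the same shape works for the Remove-AzureRmResourceLock call shown later in the post.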
To delete a lock on a resource you can use the following cmdlet. Just make sure you change the variables at the top to match your resources.
# Remove Lock from resource
$LockName = "LockCloudWitnes"
$RGName = "PIXELLAB"
$ResourceName = "pixelcloudwitness"
# Look up the resource type so it does not have to be typed by hand
$ResourceType = (Get-AzureRmResource -Name $ResourceName).ResourceType
Remove-AzureRmResourceLock -LockName $LockName -ResourceName $ResourceName -ResourceGroupName $RGName -ResourceType $ResourceType
You can use the following cmdlet to delete a lock on a resource group.
# Remove Lock from resource group
$LockName = "PIXELLABLock"
$RGName = "PIXELLAB"
Remove-AzureRmResourceLock -LockName $LockName -ResourceGroupName $RGName
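Once locks are spread across subscription, resource group and resource scopes, it is useful to see the effective lock on each resource group (taking inheritance into account, as described earlier) and to spot groups that have no lock at all. The function below is an added example, not code from the original post. It assumes the -AtScope switch of Get-AzureRmResourceLock returns the locks at the given scope and above it (so a subscription-level lock is reported for every group); check that behaviour in your module version before relying on the report.

```powershell
# Added example: report the effective lock level of every resource group in the
# current subscription and flag any group that is not protected by a lock.
function Get-ResourceGroupLockReport {
    $report = foreach ($rg in Get-AzureRmResourceGroup) {
        # -AtScope (assumption: "at or above this scope") makes inherited
        # subscription-level locks visible alongside the group's own locks.
        $locks = @(Get-AzureRmResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope)
        $levels = @($locks | ForEach-Object { $_.Properties.level })

        # The most restrictive lock wins, so ReadOnly beats CanNotDelete.
        $effective = if ($levels -contains 'ReadOnly') { 'ReadOnly' }
                     elseif ($levels -contains 'CanNotDelete') { 'CanNotDelete' }
                     else { 'None' }

        [pscustomobject]@{
            ResourceGroup  = $rg.ResourceGroupName
            EffectiveLevel = $effective
            LockNames      = (@($locks | ForEach-Object { $_.Name }) -join ', ')
        }
    }
    return $report
}

$report = Get-ResourceGroupLockReport
$report | Sort-Object EffectiveLevel, ResourceGroup | Format-Table -AutoSize

# Groups with no lock are the ones still exposed to accidental deletion.
$report | Where-Object { $_.EffectiveLevel -eq 'None' } |
    ForEach-Object { Write-Warning "Resource group '$($_.ResourceGroup)' has no lock" }
```

Run it in the Cloud Shell against the subscription you are reviewing; the warnings give you a short list of groups to lock, and the LockNames column shows which lock (and therefore which scope) is providing the protection.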
You now know what Azure Locks are and how to create and delete them using both PowerShell and the Portal. By using Locks you are putting an extra line of defence to protect against accidental or malicious changes and/or deletion of your Azure Resources. Just remember your Administrators will have the ability to remove the locks so
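Since an Owner or User Access Administrator can always remove a lock, the compensating control is to watch for lock deletions in the Activity Log. The function below is an added example, not part of the original post; it assumes that lock removals are recorded under the operation name Microsoft.Authorization/locks/delete and that the OperationName and Status fields may be exposed either as plain strings or as objects with a .Value property, depending on the AzureRM module version.

```powershell
# Added example: list lock deletions from the Activity Log so that an
# administrator removing a lock leaves an auditable trail.
function Get-LockRemovalEvents {
    param([int]$Days = 30)   # Activity Log retention is limited, so keep the window short

    # Assumption: the value is a plain string in some module versions and a
    # localisable object with a .Value in others; handle both.
    $asText = { param($v) if ($v -is [string]) { $v } elseif ($null -ne $v) { $v.Value } else { '' } }

    Get-AzureRmLog -StartTime (Get-Date).AddDays(-$Days) -ResourceProvider 'Microsoft.Authorization' |
        Where-Object { (& $asText $_.OperationName) -eq 'Microsoft.Authorization/locks/delete' } |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.EventTimestamp
                Caller     = $_.Caller
                ResourceId = $_.ResourceId
                Status     = (& $asText $_.Status)
            }
        }
}

# Review the last 30 days; anything here that was not a planned change deserves a follow-up.
Get-LockRemovalEvents -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

The Caller column is the account that removed the lock, and ResourceId identifies the lock (and therefore the scope) that was deleted, which is what you need to decide whether the removal was expected.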
I hope you found this article helpful, if you have any questions please reach out.