
Recently I have been improving the security of my Azure subscriptions. I wanted to protect some resources from accidental deletion, and I also want to protect resources like NSGs from accidental changes. To accomplish this I decided to use Azure Locks. Azure Locks come in two levels, CanNotDelete and ReadOnly. In the Azure Portal you will notice that the locks are called Delete and Read-only.

  • CanNotDelete (Delete) means authorised users still have read and modify access to the resource, but are unable to delete it (subject to the user’s RBAC role).
  • ReadOnly (Read-only) means authorised users can only read the resource. They will not be able to modify or delete it. This lock is similar to restricting all authorised users to the Reader role. Be aware that some operations that feel like reads are POST requests under the hood (listing storage account keys, for example), so a ReadOnly lock can break tooling that depends on them.

You can apply locks at the subscription level, the resource group level, or on individual resources. If you set a lock at the subscription level, all resources in that subscription (including ones you add later) inherit the same lock. The same goes for the resource group level.

Note: When locks are inherited from several levels, the most restrictive lock takes precedence.

The roles that can create or delete locks

To create or delete a lock, the user needs the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions if you are creating your own RBAC roles. Prefer the narrower Microsoft.Authorization/locks/* for a custom role: Microsoft.Authorization/* also covers role assignments, which is effectively full control of the scope. If you are only using built-in roles, then only Owner and User Access Administrator have the permissions needed.
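The following is an added example, not code from the original post, showing how to build such a custom role with PowerShell so that lock management can be delegated without handing out Owner or User Access Administrator. The subscription ID and role name are placeholders; with the current Az module the cmdlets are Get-AzRoleDefinition, New-AzRoleDefinition and New-AzRoleAssignment with the same parameters.

```powershell
# Added example (not from the original post): a least-privilege "Lock Administrator" custom role.
# Assumption: replace the subscription ID and, if you like, the role name.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"

# Start from the built-in Reader role so the object already has the right shape,
# then clear the ID so it becomes a new definition.
$Role = Get-AzureRmRoleDefinition -Name "Reader"
$Role.Id = $null
$Role.Name = "Lock Administrator"
$Role.Description = "Can read resources and create, update or delete management locks."
$Role.IsCustom = $true

# Reader already carries */read. Add only the lock actions. Do NOT add Microsoft.Authorization/*,
# which would also allow role assignments and therefore privilege escalation.
$Role.Actions.Add("Microsoft.Authorization/locks/*")

# Limit where the role can be assigned.
$Role.AssignableScopes.Clear()
$Role.AssignableScopes.Add("/subscriptions/$SubscriptionId")

New-AzureRmRoleDefinition -Role $Role

# Assign the role to the group that should manage locks (assumption: an AAD group object ID).
# New-AzureRmRoleAssignment -ObjectId "<group-object-id>" -RoleDefinitionName "Lock Administrator" -Scope "/subscriptions/$SubscriptionId"
```

Assign the role to a group rather than to individuals, so that adding or removing a lock administrator is itself a reviewable change.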

Let’s create some locks

Locks can be created when a resource is deployed with an ARM template, or afterwards from the Azure Portal or PowerShell. Below I will show you the Portal method and the PowerShell method.

Portal Method

Navigate to the resource, resource group, or subscription that you would like to add a lock to. In the Settings blade click Locks.

Click Add.

Type a lock name and select the lock level (Delete or Read-only). You can also add a note if you like. Then click OK.

You will now see the lock in the Locks blade.

To delete the lock, click on the ellipsis (…) and choose Delete from the menu.

The PowerShell Way

To lock a resource using PowerShell you can use the New-AzureRmResourceLock cmdlet. Note that the AzureRM module has since been retired in favour of the Az module; the equivalents are New-AzResourceLock, Get-AzResourceLock, Remove-AzResourceLock and Get-AzResource, with the same parameters.

To lock a resource you can run the following in Cloud Shell. Just make sure you change the variables at the top to match your resources. You can also change -LockLevel to ReadOnly.

#Resource Lock
$LockName = "LockCloudWitnes"
$RGName = "PIXELLAB"
$ResourceName = "pixelcloudwitness"
# Look the resource up inside its resource group, so an identically named resource elsewhere is not picked up
$ResourceType = (Get-AzureRmResource -ResourceGroupName $RGName -Name $ResourceName).ResourceType
New-AzureRmResourceLock -LockLevel CanNotDelete -LockName $LockName -ResourceName $ResourceName -ResourceType $ResourceType -ResourceGroupName $RGName

To lock a resource group you can use the same cmdlet with only -ResourceGroupName. Just make sure you change the variables at the top to match your resources. You can also change -LockLevel to ReadOnly.

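The resource group lock, as an added example that is not part of the original post. It goes a little beyond the text: after creating the lock it lists the locks on the group and then checks which locks are in effect on one resource inside it, which is how you confirm inheritance. The names are the post's placeholders; change them to match your environment. With the Az module the cmdlets are New-AzResourceLock, Get-AzResourceLock and Get-AzResource.

```powershell
# Added example (not from the original post): lock a resource group and verify inheritance.
# Assumption: these names are placeholders taken from the post.
$RGName       = "PIXELLAB"
$LockName     = "PIXELLABLock"
$ResourceName = "pixelcloudwitness"

# Lock the whole group. -LockNotes keeps the reason with the lock itself;
# -Force suppresses the confirmation prompt so this works in a script.
# Swap CanNotDelete for ReadOnly if the group must be frozen entirely.
New-AzureRmResourceLock -LockLevel CanNotDelete -LockName $LockName -ResourceGroupName $RGName `
    -LockNotes "Production group: open a change request before removing this lock." -Force

# Locks defined on the group and on anything below it
Get-AzureRmResourceLock -ResourceGroupName $RGName |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId

# Effective locks on one resource: -AtScope returns locks at the resource's own scope
# and at every scope above it (resource group, subscription), so the inherited lock
# you just created shows up here even though it was not set on the resource.
$Resource = Get-AzureRmResource -ResourceGroupName $RGName -Name $ResourceName
Get-AzureRmResourceLock -Scope $Resource.ResourceId -AtScope |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId
```

If the second listing shows both a CanNotDelete and a ReadOnly lock, the ReadOnly one wins, which is the precedence rule described earlier.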

To delete a lock on a resource you can use the following. Just make sure you change the variables at the top to match your resources.

#Remove Lock from resource
$LockName = "LockCloudWitnes"
$RGName = "PIXELLAB"
$ResourceName = "pixelcloudwitness"
# Same lookup as above, scoped to the resource group
$ResourceType = (Get-AzureRmResource -ResourceGroupName $RGName -Name $ResourceName).ResourceType
Remove-AzureRmResourceLock -LockName $LockName -ResourceName $ResourceName -ResourceGroupName $RGName -ResourceType $ResourceType

You can use the following to delete a lock on a resource group.

#Remove Lock from resource group
$LockName = "PIXELLABLock"
$RGName ="PIXELLAB"
Remove-AzureRmResourceLock -LockName $LockName -ResourceGroupName $RGName

You now know what Azure Locks are and how to create and delete them using both PowerShell and the Portal. By using locks you add an extra line of defence against accidental or malicious changes and deletion of your Azure resources. Just remember that anyone with Owner or User Access Administrator (or a custom role with the lock actions) can remove the locks, so they are not a substitute for tight RBAC, but every lock removal is recorded in the subscription Activity Log, so it can be alerted on and reviewed.

I hope you found this article helpful, if you have any questions please reach out.

Categories: AzureSecurity

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
