As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
Azure has a capability (Azure Locks) that allows you to set the lock level to CanNotDelete or ReadOnly to lock a subscription, resource group, or resource.
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
If you are using Azure, it is important to verify that your infrastructure actually meets your security requirements rather than assuming it does. The Dome9 platform now exposes the lock attributes of each Azure entity, so you can reason about them in a compliance rule and flag resources that are missing the lock you expect.
Below is an example of a rule you can run in GSL (Governance Specification Language) within the Compliance Engine:
Rule name: Make sure that Azure Resource Group is not accidentally deleted

Rule: ResourceGroup should have locks contain-any [ level='CanNotDelete' ]
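To see exactly what that rule accepts and rejects, here is an added Python example (not Dome9's code and not an Azure SDK call) that evaluates the same condition locally over lock records shaped like the JSON that `az lock list -o json` prints. The resource group names, lock names and the `subscription_locks` parameter are illustrative assumptions; all records are constructed sample data.

```python
"""Local evaluation of the resource-group lock check.

Added example, not Dome9's or Microsoft's code. It reimplements the intent
of the GSL rule ``ResourceGroup should have locks contain-any
[ level='CanNotDelete' ]`` over lock records shaped like the output of
``az lock list -o json``, so the logic can be exercised offline.
"""
from typing import Dict, Iterable, List, Optional

# The two lock levels Azure accepts for Microsoft.Authorization/locks.
CAN_NOT_DELETE = "CanNotDelete"
READ_ONLY = "ReadOnly"

# Constructed sample data (not captured from a real subscription): locks set at
# resource-group scope, keyed by resource group name. Only the fields the
# check needs are kept; real records also carry id, type and scope.
SAMPLE_LOCKS_BY_RG: Dict[str, List[dict]] = {
    "rg-prod-db": [
        {"name": "no-delete", "level": CAN_NOT_DELETE,
         "notes": "Prod database; lock removal requires a change ticket"},
    ],
    "rg-prod-config": [
        # ReadOnly also blocks deletion (and updates), but the GSL rule above
        # only looks for CanNotDelete, so this group fails the literal rule.
        {"name": "frozen", "level": READ_ONLY, "notes": ""},
    ],
    "rg-dev-sandbox": [],  # no lock at all
}


def locks_contain_any(locks: Iterable[dict], levels: Iterable[str]) -> bool:
    """GSL-style ``contain-any``: True if at least one lock has one of ``levels``.

    Comparison is case-insensitive: Azure returns the canonical casing, but
    hand-written policy files sometimes do not.
    """
    wanted = {level.lower() for level in levels}
    return any(str(lock.get("level", "")).lower() in wanted for lock in locks)


def evaluate_resource_groups(
    locks_by_rg: Dict[str, List[dict]],
    accept_readonly: bool = False,
    subscription_locks: Optional[List[dict]] = None,
) -> Dict[str, bool]:
    """Return {resource_group: compliant}.

    ``accept_readonly`` widens the rule so a ReadOnly lock also counts as
    protection against deletion (which it is). ``subscription_locks`` models
    locks set at subscription scope; Azure applies a parent-scope lock to
    everything beneath it, so they are counted for every resource group.
    """
    levels = [CAN_NOT_DELETE] + ([READ_ONLY] if accept_readonly else [])
    inherited = list(subscription_locks or [])
    return {
        rg: locks_contain_any(inherited + locks, levels)
        for rg, locks in locks_by_rg.items()
    }


def non_compliant(
    locks_by_rg: Dict[str, List[dict]],
    accept_readonly: bool = False,
    subscription_locks: Optional[List[dict]] = None,
) -> List[str]:
    """Sorted names of the resource groups that fail the check."""
    results = evaluate_resource_groups(locks_by_rg, accept_readonly, subscription_locks)
    return sorted(rg for rg, ok in results.items() if not ok)


if __name__ == "__main__":
    for rg, ok in evaluate_resource_groups(SAMPLE_LOCKS_BY_RG).items():
        print(f"{rg:16} {'compliant' if ok else 'NOT compliant'}")
    print("Failing when ReadOnly also counts:",
          non_compliant(SAMPLE_LOCKS_BY_RG, accept_readonly=True))
```

Two caveats worth deciding on before you adopt the rule as written. First, a ReadOnly lock also prevents deletion, so rg-prod-config above fails the literal CanNotDelete rule while still being protected; choose whether your policy wants exactly CanNotDelete or either level. Second, locks only guard against accidents: anyone holding the Microsoft.Authorization/locks/* actions (the built-in Owner and User Access Administrator roles) can remove the lock first, so a lock is not a substitute for least-privilege role assignments. To remediate a flagged group from the Azure CLI, `az lock create --name no-delete --lock-type CanNotDelete --resource-group <rg>` sets the lock the rule looks for.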
Dome9 provides powerful capabilities to support the Azure platform. Stay tuned for more updates!