MICROSOFT AZURE : TOOLS TO PREVENT ACCIDENTAL DELETION
Prevent accidental deletion of azure resources
✎ Co-Author — Venkatesh Sankaranarayanan
❑ Overview
Accidental deletion of critical resources is a scenario most of us face at some point in our careers. In fact, now that most organizations are adopting “Infrastructure as Code”, the risk of accidental resource deletion during code creation or testing has increased: a single line of code, if written incorrectly, may delete the existing setup.
We need a strong governance framework in our organization to govern our environment and protect the resources without placing restrictions on developers, so that they remain empowered to experiment and take advantage of the cloud’s speed and agility.
In this story, I will cover how to use the “CanNotDelete” lock in Azure to prevent accidental or malicious deletion of our most important resources, along with best practices for implementing it.
❑ Different Lock Types
There are two types of locks: delete locks and read-only locks.
▣ Delete lock (CanNotDelete) allows authorized users to read and modify a resource, but they can’t delete it.
▣ Read-only lock (ReadOnly) is similar to assigning a user reader access: authorized users can read, but any modification (update or delete) of the Azure resource is prevented.
❑ Permissions needed to create or delete locks
To create or delete management locks, you need access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. By default, of the built-in roles only Owner and User Access Administrator are granted those actions.
❑ Lock & Scope
- The locks can be assigned at the resource level, resource group level and also at the subscription level
- When a lock is applied at a parent scope, all resources within that scope inherit the same lock. Even resources which are added later inherit the lock from the parent.
- The most restrictive lock in the inheritance takes precedence.
- Unlike role-based access control, you use management locks to apply a restriction across all users and roles.
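To make the inheritance and precedence rules above concrete, here is an added example written for this post; it is not code from the original article or from Azure itself. It models the lock check offline in Python: the placeholder subscription ID, the resource IDs and the lock names are constructed sample data, and RBAC is left out because locks apply to every user and role.

```python
"""Offline model of how Azure management locks combine across scopes.

Added illustration for this post: it is not Azure code and calls no Azure
API. It encodes the rules stated above (locks live at subscription,
resource group or resource scope, child scopes inherit them, the most
restrictive lock wins, and locks apply regardless of the caller's role).
The subscription ID, resource IDs and lock names are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ordering used to pick the most restrictive lock: ReadOnly blocks update
# and delete, CanNotDelete blocks delete only, no lock blocks nothing.
RESTRICTIVENESS = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}
BLOCKED = {None: set(), "CanNotDelete": {"delete"}, "ReadOnly": {"delete", "update"}}


@dataclass(frozen=True)
class Lock:
    name: str
    scope: str   # ARM ID of the subscription, resource group or resource
    level: str   # "CanNotDelete" or "ReadOnly"


def ancestors(resource_id: str) -> List[str]:
    """Scope IDs that apply to resource_id, broadest first.

    /subscriptions/<sub>/resourceGroups/<rg>/providers/... yields the
    subscription ID, the resource group ID and the resource ID itself.
    """
    parts = resource_id.strip("/").split("/")
    scopes = []
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        scopes.append("/" + "/".join(parts[:2]))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        scopes.append("/" + "/".join(parts[:4]))
    if len(parts) > 4:
        scopes.append("/" + "/".join(parts))
    return scopes


def effective_lock(resource_id: str, locks: List[Lock]) -> Optional[Lock]:
    """Most restrictive lock that applies to resource_id, direct or inherited."""
    scopes = {s.lower() for s in ancestors(resource_id)}
    applicable = [lock for lock in locks if lock.scope.lower() in scopes]
    if not applicable:
        return None
    return max(applicable, key=lambda lock: RESTRICTIVENESS[lock.level])


def is_allowed(operation: str, resource_id: str, locks: List[Lock]) -> bool:
    """Whether "read", "update" or "delete" on resource_id passes the lock check.

    No caller identity is taken because locks bind every user and role;
    RBAC is a separate check that this model does not cover.
    """
    lock = effective_lock(resource_id, locks)
    return operation not in BLOCKED[lock.level if lock else None]


# Constructed sample: a placeholder subscription, the post's resource group
# with its CanNotDelete lock, and one storage account inside it that also
# carries a ReadOnly lock of its own.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/ADFDEVOPSTEST"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/adfdevstore"
APP = RG + "/providers/Microsoft.Web/sites/adfdevapp"
OTHER_RG = SUB + "/resourceGroups/vms"

SAMPLE_LOCKS = [
    Lock("adfdevopstestrgdellock", RG, "CanNotDelete"),
    Lock("storage-readonly", STORAGE, "ReadOnly"),
]

if __name__ == "__main__":
    for op, rid in [("delete", APP), ("update", APP), ("update", STORAGE), ("delete", OTHER_RG)]:
        lock = effective_lock(rid, SAMPLE_LOCKS)
        level = lock.level if lock else None
        print(f"{op:6} {rid.split('/')[-1]:12} effective={level} allowed={is_allowed(op, rid, SAMPLE_LOCKS)}")
```

Running the script shows the two rules at work: the web app has no lock of its own yet cannot be deleted because it inherits the resource group's CanNotDelete lock, and the storage account ends up ReadOnly because the more restrictive of its two applicable locks wins.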
❑ How to lock a resource group ?
Locks can be applied at creation time, by declaring the lock inside an ARM template, or later using the portal, Azure CLI or PowerShell.
▣ Using Azure Portal
➊ Locate the resource you wish to lock and select it. In our example we have selected the “ADFDEVOPSTEST” resource group.
➋ In the main blade, click the “Locks” icon.
➌ Add the lock:
- Click Add.
- Give the lock a name and description, then select the type, Delete or Read-only.
- Click OK to save the lock. The resource is now protected.
➍ To remove the lock, come back to the same interface, select the lock, and delete it.
Now when we try to delete a resource within this resource group, the deletion fails because we have applied a delete lock.
▣ Using Azure CLI
The following command can be used to add a lock to an existing resource group
az group lock create --lock-type CanNotDelete -n adfdevopstestrgdellock -g ADFDEVOPSTEST
Please refer to the Microsoft documentation for more details:
az account lock | Microsoft Docs (Subscription Level lock)
az group lock | Microsoft Docs (Resource Group Level lock)
az resource lock | Microsoft Docs (Resource Level lock)
▣ Using PowerShell
The following PowerShell command can be used to add a lock to an existing resource group:
New-AzResourceLock -LockName adfdevopstestrgdellock -LockLevel CanNotDelete -ResourceGroupName ADFDEVOPSTEST -Force
Set-AzureRmResourceLock (AzureRM.Resources) | Microsoft Docs (Resource Level & Resource Group level lock)
❑ How to check/audit whether locks are applied?
For organizations whose workloads are already running, how do you check whether the locks are applied?
☛ You can create an Azure Policy to audit all resource groups within a subscription where delete locks are not applied.
Follow the steps below to create the Azure Policy.
➊ Go to Azure Portal, Click in the search box, type “Policy” & select “Policy”
➋ In Policy, Select “Definitions” & create a new “Policy Definition”
➌ In “Policy Definition”, Select the subscription, provide a unique policy name, provide a policy description, provide a new category & Policy rules
➍ Use the policy definition below, which audits all resource groups that don’t have a “CanNotDelete” lock:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Authorization/locks",
        "existenceCondition": {
          "field": "Microsoft.Authorization/locks/level",
          "equals": "CanNotDelete"
        }
      }
    }
  }
}
➎ Assign the newly created policy definition by selecting “Assignments” & “Assign Policy”
➏ Select the scope, then under policy definition select the newly created definition
➐ Provide a unique “Assignment name”, “Description”, “Policy enforcement” & “Non-Compliance Message”, select “Review + create” & click on “Create” after confirming
➑ Select the newly assigned policy & click on “View compliance” to get the compliance state & resource-wise compliance. In the below example, resource groups “vms” & “rgdatalake” are non-compliant and don’t have a delete lock.
➒ You can now manually apply a “delete lock” on all resource groups & check compliance. Alternatively, you can implement the policy using the ‘deployIfNotExists’ effect. This effect contains the ARM template to be deployed to non-compliant resources; deployment of the ARM template is done through a Remediation Action.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Authorization/locks",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/{roleDefinitionId}",
          "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{ManagedIdentityOfAssignment}"
        ],
        "existenceCondition": {
          "field": "Microsoft.Authorization/locks/level",
          "equals": "CanNotDelete"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.Authorization/locks",
                  "apiVersion": "2015-01-01",
                  "name": "RGLock",
                  "properties": {
                    "level": "CanNotDelete",
                    "notes": "Applied thru policy"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {}
}
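As an added example (not code from the original post, and not the Azure Policy engine), the following Python script evaluates both policy definitions above, the auditIfNotExists one and the deployIfNotExists one, offline against a constructed inventory of resource groups. The inventory, the lock names and the assumption that only locks attached directly to a resource group count toward the existenceCondition are mine, not the post's; the roleDefinitionIds placeholders are dropped because no deployment identity is exercised.

```python
"""Offline evaluation of the resource-group lock policies shown above.

Added example for this post: it is not the Azure Policy engine and calls
no Azure API. It takes a policy rule in the shape the post uses (an "if"
matching the resource group type, a "then" effect and an existenceCondition
on Microsoft.Authorization/locks/level) and runs it over a constructed
inventory of resource groups with the locks attached directly to each.
Assumptions: subscription-level locks are not considered, and the
roleDefinitionIds the real deployIfNotExists needs are omitted.
"""
import copy
from typing import Dict, List

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# The post's auditIfNotExists definition as a Python dict.
AUDIT_POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [{"field": "type", "equals": RG_TYPE}]},
        "then": {
            "effect": "auditIfNotExists",
            "details": {
                "type": "Microsoft.Authorization/locks",
                "existenceCondition": {
                    "field": "Microsoft.Authorization/locks/level",
                    "equals": "CanNotDelete",
                },
            },
        },
    },
}

# The post's deployIfNotExists variant: same match and existence condition,
# plus the ARM template resource that creates the RGLock lock.
DEPLOY_POLICY = copy.deepcopy(AUDIT_POLICY)
DEPLOY_POLICY["policyRule"]["then"]["effect"] = "deployIfNotExists"
DEPLOY_POLICY["policyRule"]["then"]["details"]["deployment"] = {
    "properties": {"mode": "incremental", "template": {"resources": [{
        "type": "Microsoft.Authorization/locks",
        "apiVersion": "2015-01-01",
        "name": "RGLock",
        "properties": {"level": "CanNotDelete", "notes": "Applied thru policy"},
    }]}}
}

# Constructed inventory modelled on the post's compliance view: one locked
# group, two unlocked ones and a non-resource-group resource the "if" block
# must skip. rgdatalake carries a ReadOnly lock, which is more restrictive
# but does not satisfy an existenceCondition that asks for CanNotDelete.
INVENTORY = [
    {"name": "ADFDEVOPSTEST", "type": RG_TYPE,
     "locks": [{"name": "adfdevopstestrgdellock", "level": "CanNotDelete"}]},
    {"name": "vms", "type": RG_TYPE, "locks": []},
    {"name": "rgdatalake", "type": RG_TYPE,
     "locks": [{"name": "datalake-ro", "level": "ReadOnly"}]},
    {"name": "adfdevapp", "type": "Microsoft.Web/sites", "locks": []},
]


def matches(condition: dict, resource: dict) -> bool:
    """Evaluate the subset of the policy language used here: allOf and field/equals."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "field" in condition and "equals" in condition:
        return str(resource.get(condition["field"], "")).lower() == condition["equals"].lower()
    raise ValueError(f"unsupported condition: {condition}")


def lock_satisfies(condition: dict, lock: dict) -> bool:
    """Apply the existenceCondition; its alias ends in the lock property name."""
    prop = condition["field"].rsplit("/", 1)[-1]   # "level"
    return str(lock.get(prop, "")).lower() == condition["equals"].lower()


def evaluate(policy: dict, inventory: List[dict]) -> Dict[str, list]:
    """Classify resources and, for deployIfNotExists, list the locks to create."""
    then = policy["policyRule"]["then"]
    details = then["details"]
    out = {"compliant": [], "nonCompliant": [], "remediation": []}
    for res in inventory:
        if not matches(policy["policyRule"]["if"], res):
            continue                         # policy does not target this type
        if any(lock_satisfies(details["existenceCondition"], lk) for lk in res["locks"]):
            out["compliant"].append(res["name"])
            continue
        out["nonCompliant"].append(res["name"])
        if then["effect"].lower() == "deployifnotexists":
            for tmpl in details["deployment"]["properties"]["template"]["resources"]:
                out["remediation"].append({"resourceGroup": res["name"],
                                           "lockName": tmpl["name"],
                                           "level": tmpl["properties"]["level"]})
    return out


if __name__ == "__main__":
    print(evaluate(AUDIT_POLICY, INVENTORY))
    print(evaluate(DEPLOY_POLICY, INVENTORY))
```

The audit run reports “vms” and “rgdatalake” as non-compliant, matching the compliance view described in step ➑; the deployIfNotExists run additionally lists one RGLock lock per non-compliant group, which is what a remediation pass would create. Note that the ReadOnly lock on “rgdatalake” does not count, because the existenceCondition asks specifically for level CanNotDelete.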
I hope this blog helped you understand the different types of locks in Azure & how to prevent accidental or malicious deletion of your most important resources using a strong governance framework (Policies).
❑ What if the owner accidentally removes the lock?
Please refer to part 2 of this story to learn how to set up an alert on accidental removal of resource locks.
Happy Learning!!!
Please Note — All opinions expressed here are my personal views and not of my employer.
Thought of the moment:
“Although the world is full of suffering, it is also full of the overcoming of it.” — Helen Keller