TL/DR: Azure Resource Locking helps prevent inadvertent resource deletion and modification. For more information see the Azure Resource Locking documentation.
Azure Role Based Access Control (RBAC) allows us to restrict access to resources and resource actions. RBAC should be used as a first line of defense against unwanted resource access. That said, RBAC alone may not be sufficient in all environments. Take for instance the situation where it is desired for a user or other access identity to have full access to all resources (super user). While these identities may have sufficient access to delete and modify resources, we may want to provide an additional layer of defense to prevent inadvertent access.
As an additional layer of access control, we can use Azure Resource locking. Azure resource locks can be applied on individual resources or to resource groups. When applied to a resource group, all resource in that group, including any created after the lock has been put into place will be locked.
A resource lock can be created with one of the following lock levels:
- CanNotDelete - the resource can be modified however not deleted.
- ReadOnly - the resource can neither be deleted or modified.
Once a resource has been locked, the resource lock must first be removed before the resource can be modified or deleted.
In this article I will demonstrate how to configure Azure Resource Locking.
Create and Lock a Storage Account
For this example, a storage account will be created using the Azure CLI. Navigate to shell.azure.com to use cloud shell for this operation.
Create a resource group with the az group create command.
az group create --name myResourceGroup --location eastus
Create a storage account with the az storage account create command. You may need to update the storage account name to make it unique.
az storage account create --name lockstorage --resource-group myResourceGroup
Create a lock on the storage account with the az lock create command. Take note that in this example the lock type is CanNotDelete.
az lock create --name myLock --lock-type CanNotDelete --resource-group myResourceGroup --resource-name lockstorage --resource-type Microsoft.Storage/storageAccounts
To see a list of all locks, use the az lock list command.
az lock list --output table
Now try and delete the storage account with the az storage account delete command. Update the storage account name if needed.
az storage account delete --name lockstorage --resource-group myResourceGroup
You should see that the storage account is locked and cannot be deleted.
The scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/lockstorage' cannot perform delete operation because following scope(s) are locked: '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/lockstorage'. Please remove the lock and try again.
Delete the lock with the az lock delete command. For this you will need the lock ID which is done in-line in the following example using the az lock show command.
az lock delete --ids $(az lock show --name myLock --resource-name lockstorage --resource-group myResourceGroup --resource-type Microsoft.Storage/storageAccounts --query id -o tsv)
And attempt to delete the storage account once again. Update the storage account name if needed.
az storage account delete --name lockstorage --resource-group myResourceGroup
As we can see here, Azure Resource Locking provides us with a 'Run As Administrator' or 'sudo' experience when managing Azure resources and should be considered for all critical Azure workload.
