Use Resource Locks to prevent accidental changes in Azure

Kumar Allamraju
3 min read · Jan 31, 2021
Courtesy of 8K Miles

A resource lock prevents resources from being accidentally deleted or changed.

Imagine a scenario where an IT administrator is performing routine cleanup of unused resources in Azure. The admin accidentally deletes resources that appear to be unused. Later, through an internal escalation channel, the admin learns that these resources were critical to an application.

How can resource locks help prevent this kind of incident from happening in the future?

How do I manage resource locks?

You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.

To view, add, or delete locks in the Azure portal, open the Settings section of the resource (or resource group, or subscription) and select Locks. The portal steps are walked through under Configure locks below, and the same lock is then created from the Azure CLI.

What levels of locking are available?

You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly.

  • CanNotDelete means authorized people can still read and modify a resource, but they can’t delete the resource without first removing the lock.
  • ReadOnly means authorized people can read a resource, but they can’t delete or change the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC.

Enough talking, let’s get started.

Configure locks

Azure Portal

  1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.
  2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent. For example, you could lock the resource group to apply a lock to all its resources.

Azure CLI

To lock a resource group from the Azure CLI, provide a lock name, the lock level, and the resource group name. To lock an individual resource instead, also pass the resource name and its resource type (the --resource and --resource-type options). The following command applies a CanNotDelete lock to the whole resource group myRG:

az lock create --name dont-delete-rg --lock-type CanNotDelete --resource-group myRG

How do I delete or change a locked resource?

Although locking helps prevent accidental changes, you can still make changes by following a two-step process.

To modify a locked resource, you must first remove the lock. After you remove the lock, you can apply any action you have permissions to perform. This additional step allows the action to be taken, but it helps protect your administrators from doing something they might not have intended to do.

Resource locks apply regardless of RBAC permissions. Even if you’re an owner of the resource, you must still remove the lock before you can perform the blocked activity.

To delete or edit a lock in the portal, open the Locks blade and select the Delete or Edit button next to the lock.

What if a cloud administrator accidentally deletes a resource lock? If the resource lock is removed, its associated resources can be changed or deleted.
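Because a lock only protects while it exists, two checks are worth automating: which resource groups currently have no lock at their own level (resource-level locks protect a single resource, and a subscription-level lock covers everything beneath it), and whether anyone has deleted a lock. The following Python script is an added example, not code from the original post. It works on records shaped like the JSON that `az lock list` and `az monitor activity-log list` return, but every record in it is constructed sample data; the subscription id is a placeholder, and the activity-log operation name used for lock deletion is Microsoft.Authorization/locks/delete.

```python
"""Audit resource-lock coverage and detect lock removals (added example).

All records below are constructed samples in the shape of Azure CLI JSON output,
not real subscription data. Replace them with the output of
`az lock list -o json` and `az monitor activity-log list -o json`.
"""
from __future__ import annotations

LOCK_MARKER = "/providers/Microsoft.Authorization/locks/"
LOCK_DELETE_OP = "Microsoft.Authorization/locks/delete"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample of `az lock list` output, trimmed to the fields used.
SAMPLE_LOCKS = [
    {"name": "dont-delete-rg", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/myRG{LOCK_MARKER}dont-delete-rg"},
    # Resource-level lock: protects one storage account, not its resource group.
    {"name": "ro-storage", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/dataRG/providers/Microsoft.Storage/"
           f"storageAccounts/stg1{LOCK_MARKER}ro-storage"},
]
SAMPLE_RESOURCE_GROUPS = ["myRG", "dataRG", "scratchRG"]

# Constructed sample of activity-log events (shape of `az monitor activity-log list`).
SAMPLE_EVENTS = [
    {"operationName": {"value": LOCK_DELETE_OP},
     "status": {"value": "Succeeded"},
     "caller": "admin@example.com",
     "resourceId": f"{SUB}/resourceGroups/myRG{LOCK_MARKER}dont-delete-rg"},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"},
     "caller": "dev@example.com",
     "resourceId": f"{SUB}/resourceGroups/dataRG/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"operationName": {"value": LOCK_DELETE_OP},
     "status": {"value": "Started"},  # in-flight, not a completed removal
     "caller": "admin@example.com",
     "resourceId": f"{SUB}/resourceGroups/dataRG{LOCK_MARKER}x"},
]


def lock_scope(lock_id: str) -> str:
    """Return the scope a lock protects: everything before the lock provider segment."""
    idx = lock_id.find(LOCK_MARKER)
    if idx < 0:
        raise ValueError(f"not a lock resource id: {lock_id}")
    return lock_id[:idx]


def resource_group_of(scope: str) -> str | None:
    """Resource group name in a scope id, or None for subscription scope."""
    parts = scope.split("/")  # ['', 'subscriptions', '<id>', 'resourceGroups', '<rg>', ...]
    if len(parts) >= 5 and parts[3].lower() == "resourcegroups":
        return parts[4]
    return None


def unprotected_resource_groups(resource_groups: list[str], locks: list[dict]) -> list[str]:
    """Resource groups with no lock at their own level and no subscription-level lock."""
    sub_locked = False
    rg_locked: set[str] = set()
    for lock in locks:
        scope = lock_scope(lock["id"])
        rg = resource_group_of(scope)
        if rg is None:
            sub_locked = True  # a subscription lock is inherited by every group
        elif scope.lower().endswith(f"/resourcegroups/{rg.lower()}"):
            rg_locked.add(rg.lower())  # lock sits on the group itself
        # else: resource-level lock, which does not protect the whole group
    if sub_locked:
        return []
    return [rg for rg in resource_groups if rg.lower() not in rg_locked]


def lock_removals(events: list[dict]) -> list[tuple[str, str]]:
    """Completed lock deletions as (caller, protected scope) pairs."""
    found = []
    for ev in events:
        if ev["operationName"]["value"] != LOCK_DELETE_OP:
            continue
        if ev["status"]["value"] != "Succeeded":
            continue
        found.append((ev["caller"], lock_scope(ev["resourceId"])))
    return found


if __name__ == "__main__":
    for rg in unprotected_resource_groups(SAMPLE_RESOURCE_GROUPS, SAMPLE_LOCKS):
        print(f"no group-level lock: {rg}")
    for caller, scope in lock_removals(SAMPLE_EVENTS):
        print(f"lock removed by {caller} on {scope}")
```

Run against the sample data, the script reports dataRG (only a single storage account inside it is locked) and scratchRG as lacking a group-level lock, and one completed lock removal by admin@example.com on myRG. The lock-removal check is the natural input for an Activity Log alert, since a deleted lock is exactly the moment the protection described in this post stops applying.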

Summary

To make the protection process more robust, it is recommended to combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. We’ll cover Azure Blueprints in a separate blog post.
