Control: 1.23 Ensure Custom Role is assigned for Administering Resource Locks
Resource locking is a protection mechanism that prevents inadvertent modification or deletion of resources within Azure subscriptions and resource groups, and is a recommended NIST configuration.
Because lock management sits outside the permissions carried by the usual Role Based Access Control (RBAC) roles, it is prudent to create a dedicated resource lock administrator role so that the ability to unlock resources is granted deliberately rather than as a side effect of a broader role. Note that the custom role does not by itself stop principals that already hold Microsoft.Authorization/* (Owner, User Access Administrator) from removing locks; it lets you hand lock administration to a small set of principals without granting them those broader roles, so keep Owner and User Access Administrator assignments to a minimum alongside it.
- In the Azure portal, open a subscription or resource group where you want the custom role to be assignable.
- Select Access control (IAM) from the side bar.
- Select Add from the top bar.
- Select Add custom role.
- In the Custom Role Name field enter Resource Lock Administrator.
- In the Description field enter Can Administer Resource Locks.
- For Baseline permissions select Start from scratch.
- In the Permissions tab select Add permissions.
- In the Search for a permission box, type Microsoft.Authorization/locks to search for permissions.
- Select the check boxes for the Microsoft.Authorization/locks permissions (read, write and delete).
- Click Add.
- Click Review + create.
- Click Create.
- Assign the newly created role to the appropriate user.
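The same procedure from the Azure CLI, as an added example that is not part of the original control text or the Steampipe mod. It builds the role definition in the JSON format `az role definition create` accepts, creates the role at subscription scope, assigns it to one principal, and lists the holders as a check. The subscription ID, principal object ID, principal type, output file name and the DRY_RUN switch are assumptions supplied by the caller; with DRY_RUN=1 the az commands are printed instead of run, so the definition can be reviewed before the tenant is touched.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): create the Resource Lock
# Administrator custom role with the Azure CLI and assign it, mirroring the
# portal steps above. The subscription ID, principal object ID and output
# file name are placeholders you supply; DRY_RUN=1 prints the az commands
# instead of running them.
set -euo pipefail

# Role definition in the format az role definition create expects.
# Microsoft.Authorization/locks/* grants lock read, write and delete and
# nothing else, so the holder can administer locks without Owner or
# User Access Administrator.
role_definition_json() {
  local subscription_id="$1"
  cat <<EOF
{
  "Name": "Resource Lock Administrator",
  "IsCustom": true,
  "Description": "Can Administer Resource Locks",
  "Actions": [
    "Microsoft.Authorization/locks/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/${subscription_id}"
  ]
}
EOF
}

# Run an az command, or echo it when DRY_RUN=1.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# Write the definition to a file and create the role at subscription scope.
create_role() {
  local subscription_id="$1" file="${2:-resource-lock-admin.json}"
  role_definition_json "$subscription_id" > "$file"
  run_az role definition create --role-definition "@$file"
}

# Assign the role to one principal (User, Group or ServicePrincipal) at
# subscription scope; narrow --scope to a resource group if preferred.
assign_role() {
  local subscription_id="$1" object_id="$2" principal_type="${3:-User}"
  run_az role assignment create \
    --role "Resource Lock Administrator" \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type" \
    --scope "/subscriptions/${subscription_id}"
}

# Check: list who holds the role so the assignments can be reviewed.
list_role_holders() {
  local subscription_id="$1"
  run_az role assignment list \
    --role "Resource Lock Administrator" \
    --scope "/subscriptions/${subscription_id}" \
    --query "[].{principal:principalName,type:principalType}" -o table
}

# Usage: ./resource-lock-admin.sh <subscription-id> <principal-object-id> [User|Group|ServicePrincipal]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  create_role "$1"
  assign_role "$1" "$2" "${3:-User}"
  list_role_holders "$1"
fi
```

The AssignableScopes entry is what makes the role show up in the subscription's role picker, so add a second scope there if the role must also be assignable in another subscription. Assigning to a group rather than individual users keeps the holder list reviewable, which is what the manual verification below amounts to.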
steampipe check azure_compliance.control.cis_v130_1_23
This control uses a named query: ad_manual_control. It is a manual control: the query does not inspect the tenant, so the check only reports that manual verification is required, and the existence of the role and the list of principals assigned to it must be reviewed by hand.