More Info:

Ensure there is a custom IAM role assigned to manage resource locking within each Microsoft Azure subscription. Azure resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources running within a Azure cloud account

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the “Resource Locking Administrator Role” misconfiguration in Azure using the Azure console, follow these steps:

  1. Log in to the Azure portal (https://portal.azure.com/)
  2. Click on “Azure Active Directory” from the left-hand menu.
  3. Click on “Roles and administrators” under “Security”.
  4. Click on “Add role assignment”.
  5. In the “Add role assignment” blade, select “Resource Lock Contributor” from the “Role” drop-down menu.
  6. In the “Select” field, search for the user or group that needs the Resource Lock Contributor role.
  7. Select the user or group from the search results.
  8. Click on “Save” to assign the Resource Lock Contributor role to the selected user or group.

By assigning the Resource Lock Contributor role to the appropriate user or group, you can ensure that they have the necessary permissions to create and manage resource locks in Azure. This will help prevent accidental deletion or modification of critical resources.

Using CLI

To remediate the “Resource Locking Administrator Role” misconfiguration in Azure using Azure CLI, follow these steps:

  1. Open the Azure CLI and log in to your Azure account.

  2. Identify the scope of the Azure resource group or resource that needs to be locked.

  3. Create a new role assignment for the Resource Locking Administrator role using the following command:

    az role assignment create --role "Resource Locking Administrator" --assignee <object ID or email address> --scope <resource group or resource ID>

    Replace <object ID or email address> with the email address or object ID of the user or group you want to assign the role to, and replace <resource group or resource ID> with the ID of the resource group or resource you want to lock.

  4. Verify that the role assignment was created successfully by running the following command:

    az role assignment list --role "Resource Locking Administrator" --all

    This command will list all role assignments that have the Resource Locking Administrator role assigned to them.

  5. Test the resource locking by attempting to delete the locked resource or modify its properties. You should receive an error message indicating that the resource is locked.

By following these steps, you can remediate the “Resource Locking Administrator Role” misconfiguration in Azure using Azure CLI.

Using Python

To remediate the “Resource Locking Administrator Role” misconfiguration in Azure using Python, you can follow the below steps:

  1. Install the Azure SDK for Python using pip:
pip install azure-mgmt-resource
  1. Authenticate with Azure using your credentials:
from azure.common.credentials import UserPassCredentials
from azure.mgmt.resource import ResourceManagementClient

# Replace the values with your credentials
subscription_id = 'your-subscription-id'
username = 'your-username'
password = 'your-password'
tenant_id = 'your-tenant-id'

credentials = UserPassCredentials(username, password, tenant_id)
resource_client = ResourceManagementClient(credentials, subscription_id)
  1. Retrieve the Resource Locking Administrator Role:
role_name = 'Resource Locking Administrator'

roles = resource_client.role_definitions.list()
role_definition = next((r for r in roles if r.name == role_name), None)
  1. If the role does not exist, create it:
if not role_definition:
    role_definition = resource_client.role_definitions.create_or_update(
        scope='/subscriptions/' + subscription_id,
        role_definition_name=role_name,
        role_definition={
            'Name': role_name,
            'IsCustom': False,
            'Description': 'Allows management of resource locks.',
            'Actions': [
                'Microsoft.Authorization/*/read',
                'Microsoft.Authorization/locks/*'
            ],
            'NotActions': [],
            'AssignableScopes': ['/subscriptions/' + subscription_id]
        }
    )
  1. Assign the role to the appropriate user or group:
principal_id = 'your-principal-id' # replace with the principal ID of the user or group you want to assign the role to

assignment_name = 'Resource Locking Administrator Assignment'
assignment_scope = '/subscriptions/' + subscription_id

assignment = resource_client.role_assignments.create(
    scope=assignment_scope,
    role_assignment_name=assignment_name,
    role_assignment_parameters={
        'role_definition_id': role_definition.id,
        'principal_id': principal_id
    }
)

By following these steps, you can remediate the “Resource Locking Administrator Role” misconfiguration in Azure using Python.