turbot/azure_cis
Pipeline: 2.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Description
Resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources within Azure subscriptions and resource groups, and is a recommended NIST configuration.
Because resource lock management sits outside the permissions granted by the standard Role Based Access Control (RBAC) roles used for day-to-day operations, it is prudent to create a dedicated resource lock administrator role, so that lock management can be delegated narrowly and inadvertent unlocking of resources is prevented.
Remediation
From Azure Portal
- In the Azure portal, open a subscription or resource group where you want the custom role to be assigned.
- Select Access control (IAM).
- Click Add.
- Select Add custom role.
- In the Custom role name field enter Resource Lock Administrator.
- In the Description field enter Can Administer Resource Locks.
- For Baseline permissions select Start from scratch.
- Select Next.
- In the Permissions tab select Add permissions.
- In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions.
- Click on the result.
- Check the box next to Permission.
- Select Add.
- Select Review + create.
- Select Create.
- Assign the newly created role to the appropriate user.
From PowerShell:
Below is a PowerShell definition for a resource lock administrator role created at an Azure management group level. Replace MG-Name with the ID of your management group. Note that Microsoft.Authorization/locks/* grants the read, write and delete operations on locks, so holders of this role can both create and remove locks.
# Az.Accounts provides Connect-AzAccount; Az.Resources provides the role definition cmdlets
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount
# Clone a built-in role as a template, then strip it down to only the lock actions
$role = Get-AzRoleDefinition "User Access Administrator"
$role.Id = $null
$role.Name = "Resource Lock Administrator"
$role.Description = "Can Administer Resource Locks"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/locks/*")
$role.AssignableScopes.Clear()
# Scope at the management group level
$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/MG-Name")
New-AzRoleDefinition -Role $role
# Verify the new role definition (Get-AzureRmRoleDefinition belongs to the retired AzureRM module; use the Az cmdlet)
Get-AzRoleDefinition "Resource Lock Administrator"
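The remediation above creates the role but does not show how to confirm that a suitable role exists, how broad it is, or who holds it, which is the check an auditor of this control actually wants. The following audit script is an added example and is not part of the azure_cis mod or the CIS benchmark text. It assumes an existing Connect-AzAccount session with rights to read role definitions and assignments; the function name Test-ResourceLockAdminRole and the default Scope (the current subscription) are illustrative choices. It looks for custom roles granting any of the lock actions, since Microsoft.Authorization/locks/write or locks/delete alone is enough to remove a lock, and flags any other actions the role carries so an over-broad "lock administrator" role is visible.

```powershell
# Added audit example for CIS 2.24 (not from the azure_cis mod).
# Assumes an authenticated Az session (Connect-AzAccount) with read access to
# role definitions and role assignments at the chosen scope.
function Test-ResourceLockAdminRole {
    param(
        # Scope to inspect; defaults to the current subscription context.
        # Pass a management group scope (/providers/Microsoft.Management/managementGroups/<id>)
        # if the role was created there, as in the remediation above.
        [string]$Scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
    )

    # Any of these actions lets a principal remove a lock; the wildcard covers read/write/delete.
    $lockActions = @(
        'Microsoft.Authorization/locks/*',
        'Microsoft.Authorization/locks/write',
        'Microsoft.Authorization/locks/delete'
    )

    # Only custom roles are relevant to this control; built-in Owner and
    # User Access Administrator already carry Microsoft.Authorization/*.
    $lockRoles = @(Get-AzRoleDefinition -Scope $Scope -Custom | Where-Object {
        $actions = @($_.Actions)
        @($actions | Where-Object { $lockActions -contains $_ }).Count -gt 0
    })

    if ($lockRoles.Count -eq 0) {
        Write-Warning "No custom role granting Microsoft.Authorization/locks actions found at $Scope (CIS 2.24 not satisfied)."
        return
    }

    foreach ($role in $lockRoles) {
        $assignments = @(Get-AzRoleAssignment -RoleDefinitionName $role.Name -Scope $Scope)
        [pscustomobject]@{
            RoleName         = $role.Name
            AssignableScopes = ($role.AssignableScopes -join ', ')
            LockActions      = (@($role.Actions | Where-Object { $lockActions -contains $_ }) -join ', ')
            # Anything beyond the lock actions means the role is broader than a pure lock administrator.
            OtherActions     = (@($role.Actions | Where-Object { $lockActions -notcontains $_ }) -join ', ')
            AssignmentCount  = $assignments.Count
            # ObjectType distinguishes User / Group / ServicePrincipal assignees.
            Assignees        = (@($assignments | ForEach-Object { "$($_.ObjectType):$($_.DisplayName)" }) -join ', ')
        }
    }
}

# Usage: run against the current subscription, or pass -Scope for a management group.
Test-ResourceLockAdminRole | Format-Table -AutoSize
```

A role that shows up with an empty OtherActions column and a small, reviewed Assignees list is what this control is after; a role with zero assignments exists but delegates nothing, and a role whose OtherActions include write or delete actions on other resource providers has drifted from its purpose.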
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_2_24
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_2_24 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default |
Outputs
This pipeline has no outputs.
Tags
folder = CIS v3.0.0/2 Identity