Your Azure datacenter is growing and more and more administrators are getting access to your resources. RBAC has been around for a while in ARM (Azure Resource Manager), but perhaps you need an extra level of protection, especially against human error.
On the 6th of May @AzurePortal tweeted about a new feature called Locks. I'm going to show you how easy it is to set it up and how you can create your own locks with PowerShell.
First install the Azure PowerShell tools and, as always, do not use anything other than WMF 5.*
#Login and select subscription
Login-AzureRmAccount
#Out-GridView returns the selected subscription object, so pass its id to Select-AzureRmSubscription
$Subscription = Get-AzureRmSubscription | ogv -OutputMode Single
Select-AzureRmSubscription -SubscriptionId $Subscription.SubscriptionId
After you have successfully logged in and selected your subscription, run the following code to select the resources you want to protect.
#Select resources
[object[]]$resources = Get-AzureRmResource | ogv -OutputMode Multiple
#Create lock for each resource
$resources.ForEach({
    #Create parameters hash table
    $Parameters = @{
        LockLevel         = "CanNotDelete"
        LockName          = "Demo Lock Name"
        ResourceName      = $PSItem.ResourceName
        ResourceType      = $PSItem.ResourceType
        ResourceGroupName = $PSItem.ResourceGroupName
        Force             = $true
    }
    #Create new lock
    New-AzureRmResourceLock @Parameters
})
In the screenshot below I created a lock on a PaaS database server and its underlying database; as you can see, the server tells us that it has a child resource with a lock.
If we look at the child database we also see that it has a parent lock.
Child database
Creating locks on individual resources can be time consuming if not properly automated, so instead we can choose to create a lock on the parent resource group; every resource inside the group then inherits it.
#Select resource groups
[object[]]$resourcesGroups = Get-AzureRmResourceGroup | ogv -OutputMode Multiple
#Create lock for each resource group
$resourcesGroups.ForEach({
    $Parameters = @{
        LockLevel         = "CanNotDelete"
        LockName          = "Demo RG Lock"
        ResourceGroupName = $PSItem.ResourceGroupName
        Force             = $true
    }
    #Create new lock for Resource Group
    New-AzureRmResourceLock @Parameters
})
It is also possible to set a lock at subscription level, which covers every resource group and resource in the subscription.
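Once locks are spread over resources, groups and the subscription, the question becomes which resource groups are still unprotected. The function below is an added example and not code from the original post; it reports every resource group that has neither a CanNotDelete nor a ReadOnly lock at its own scope or inherited from the subscription. It assumes Login-AzureRmAccount and Select-AzureRmSubscription have already been run, and that the lock object exposes the lock level under Properties.level, as the AzureRM cmdlets return it.

```powershell
# Added example: list resource groups that no deletion-preventing lock covers.
# Assumes an AzureRM session is already selected.
function Get-UnlockedResourceGroup {
    [CmdletBinding()]
    param(
        # ReadOnly also prevents deletion, so both levels count as protected
        [ValidateSet('CanNotDelete', 'ReadOnly')]
        [string[]]$AcceptedLevel = @('CanNotDelete', 'ReadOnly')
    )

    Get-AzureRmResourceGroup | ForEach-Object {
        $rgName = $_.ResourceGroupName

        # -AtScope returns locks set on the group itself and at the scopes above it
        # (the subscription), but not locks that sit on child resources only.
        $locks = Get-AzureRmResourceLock -ResourceGroupName $rgName -AtScope |
            Where-Object { $AcceptedLevel -contains $_.Properties.level }

        if (-not $locks) {
            [pscustomobject]@{
                ResourceGroupName = $rgName
                Location          = $_.Location
                LockLevel         = 'none'
            }
        }
    }
}

# Usage: run the report and keep it as a table, e.g. for a scheduled job
Get-UnlockedResourceGroup -Verbose | Format-Table -AutoSize
```

Child resources locked individually (like the PaaS database above) do not make the group show up as protected, which is intentional: a lock on one database says nothing about the other resources in the same group.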
If a user accidentally tries to delete a resource in a locked group, the following error occurs.
Finally, this is how you can remove a lock.
#Select locks to be deleted
[object[]]$removeLocks = Get-AzureRmResourceLock | ogv -OutputMode Multiple
#Remove each lock
$removeLocks.ForEach({
    Remove-AzureRmResourceLock -LockId $PSItem.LockId
})
Who can create or delete locks in your organization?
To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
If you are familiar with RBAC you can create custom roles that have rights to delete resources but not locks. Another scenario is a "Lock" service user who only has access to add and remove locks.
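The two custom roles just described, plus a check of who in the subscription can currently manage locks, as an added example that is not part of the original post. The role names, descriptions and the subscription id are placeholders; the actions on Microsoft.Authorization and Microsoft.Resources are the real ARM action names. It assumes an AzureRM session is already selected.

```powershell
# Added example: custom roles for the two scenarios above, and an audit of
# which role assignments can write or delete locks. Subscription id and role
# names are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope = "/subscriptions/$subscriptionId"

# 1. Resource admin: may manage and delete resources, but not locks.
#    Contributor already denies Microsoft.Authorization/*/Write and /Delete,
#    which is exactly what keeps locks (and role assignments) out of reach.
$resourceAdmin = Get-AzureRmRoleDefinition -Name 'Contributor'
$resourceAdmin.Id          = $null
$resourceAdmin.IsCustom    = $true
$resourceAdmin.Name        = 'Resource Admin (no locks)'          # placeholder name
$resourceAdmin.Description = 'Manage and delete resources; cannot create or remove locks'
$resourceAdmin.Actions.Clear()
$resourceAdmin.Actions.Add('*')
$resourceAdmin.NotActions.Clear()
$resourceAdmin.NotActions.Add('Microsoft.Authorization/*/Write')
$resourceAdmin.NotActions.Add('Microsoft.Authorization/*/Delete')
$resourceAdmin.NotActions.Add('Microsoft.Authorization/elevateAccess/Action')
$resourceAdmin.AssignableScopes.Clear()
$resourceAdmin.AssignableScopes.Add($scope)
New-AzureRmRoleDefinition -Role $resourceAdmin

# 2. Lock operator: a service account that can only read resource groups and
#    manage locks, nothing else. Start from Reader so the object has the right shape.
$lockOperator = Get-AzureRmRoleDefinition -Name 'Reader'
$lockOperator.Id          = $null
$lockOperator.IsCustom    = $true
$lockOperator.Name        = 'Lock Operator'                       # placeholder name
$lockOperator.Description = 'Create and remove management locks only'
$lockOperator.Actions.Clear()
$lockOperator.Actions.Add('Microsoft.Authorization/locks/*')
$lockOperator.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$lockOperator.NotActions.Clear()
$lockOperator.AssignableScopes.Clear()
$lockOperator.AssignableScopes.Add($scope)
New-AzureRmRoleDefinition -Role $lockOperator

# 3. Audit: which assignments at subscription scope can write or delete locks?
#    ARM action patterns use * wildcards, so -like evaluates them directly.
function Test-ActionGranted {
    param($RoleDefinition, [string]$Action)
    $allowed = $RoleDefinition.Actions    | Where-Object { $Action -like $_ }
    $denied  = $RoleDefinition.NotActions | Where-Object { $Action -like $_ }
    return [bool]($allowed -and -not $denied)
}

function Get-LockManagerAssignment {
    $lockActions = 'Microsoft.Authorization/locks/write', 'Microsoft.Authorization/locks/delete'
    Get-AzureRmRoleAssignment -Scope $scope | ForEach-Object {
        $def = Get-AzureRmRoleDefinition -Name $_.RoleDefinitionName
        $can = $lockActions | Where-Object { Test-ActionGranted -RoleDefinition $def -Action $_ }
        if ($can) {
            [pscustomobject]@{
                Principal = $_.DisplayName
                Role      = $_.RoleDefinitionName
                Scope     = $_.Scope
                Actions   = ($can -join ', ')
            }
        }
    }
}

Get-LockManagerAssignment | Format-Table -AutoSize
```

With these in place, Owner, User Access Administrator and the Lock Operator role show up in the audit, while the Resource Admin role does not, even though it can delete every resource in the subscription that is not locked.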
Visit https://azure.microsoft.com/sv-se/documentation/articles/resource-group-lock-resources/ for more info.