Tips and Tricks: Secure Azure Objects

Table of Contents

  1. Purpose of document
  2. High level Overview of objects in Azure
  3. What is Lock
  4. Types of Lock:
  5. Read-Only Lock
    5.1. Add a “Read-Only” Lock
  6. Delete Lock
    6.1. Add a “Delete” Lock
  7. Effective Lock
  8. End of Document

Tips and Tricks: Secure Azure Object from accidental modification or deletion

1. Purpose of document

This document shows how to protect an Azure object (resource) from accidental modification or deletion by applying a Lock, and what a lock does and does not stop.

2. High level Overview of objects in Azure

The top-level object is the Subscription, which is associated with a Tenant (Azure AD directory). Tenants and subscriptions will be explained in a separate post.

For now, consider the Subscription the top-level object; it contains Resource Groups.

A Resource Group contains the leaf objects (Storage Account, Virtual Network, Disk, Virtual Machine, etc.). Locks and role assignments are inherited down this hierarchy: Subscription, then Resource Group, then the individual resource.

3. What is Lock

To protect objects, Azure provides resource "Locks". A lock applies to management (control-plane) operations through Azure Resource Manager; it does not protect the data inside a resource (for example, blobs in a storage account). A lock can be applied at three levels (scopes), and a lock at a higher level is inherited by everything below it:

  1. Subscription Level
  2. Resource group
  3. On individual object

4. Types of Lock:

  1. Read-Only Lock
  2. Delete Lock

5. Read-Only Lock

This is a safety check: before anything on the object can be changed, someone must consciously remove the lock. A Read-Only lock puts the object in read-only mode.

Once a Read-Only lock is applied, the object can only be read. No one can modify or delete it, regardless of their RBAC role: even an administrator, or the person who applied the lock, cannot modify or delete the object while the lock is in place. Note that "modify" means any write call to Azure Resource Manager, which also covers some operations that look like reads or actions, for example listing storage account keys or starting/restarting a VM, because those are sent as POST requests.

To modify an object where a Read-Only lock is applied:

  • The user must have the right to manage locks (the Microsoft.Authorization/locks/* actions, which the Owner and User Access Administrator roles include and the Contributor role does not).
  • The user must change the lock type from "Read-only" to "Delete", or remove the lock itself.

5.1. Add a “Read-Only” Lock

Apply a "Read-only" lock to the object. The object is now locked for everyone, including administrators.

  • Try to modify the object and save: the save is rejected with an error stating that the scope is locked (error code ScopeLocked).
  • Try to delete it: the delete is rejected with the same error.

6. Delete Lock

This is a safety check too: before an object can be deleted, someone must consciously remove the lock. A Delete lock (called "CanNotDelete" in the API and in PowerShell/CLI) protects the object from deletion only; modifications are still allowed.

Once a "Delete" lock is applied, no one can delete the object. Even an administrator, or the person who applied the lock, cannot delete the object while the lock is in place.

To delete an object where a Delete lock is applied:

  • The "Delete" lock must be removed first.
  • The user must have sufficient rights to remove the lock itself (Microsoft.Authorization/locks/delete at the lock's scope).

6.1. Add a “Delete” Lock

Change the lock from section 5.1 from "Read-only" to "Delete". Now you can modify the object but cannot delete it until you remove the lock itself. Even an administrator cannot delete the object while the lock is applied.

  • Modify the object and save: the change is accepted.
  • Try to delete it: the delete is rejected because of the lock.

If you really want to remove the object, remove the lock first. This is like the "Protect object from accidental deletion" setting on objects in Active Directory.
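The walkthrough from sections 5.1 and 6.1, as an added example using the Az PowerShell module (this is not code from the original post). It assumes an authenticated session (Connect-AzAccount), an account holding the Microsoft.Authorization/locks/* actions on the target scope, and the resource names NSIT-RG01 and NSIT-VNET-01; run it only against a test resource, because the final steps really do remove the lock.

```powershell
# Added example, not from the original post. Walks through sections 5.1 and 6.1
# with the Az module: requires Connect-AzAccount and the
# Microsoft.Authorization/locks/* actions (Owner or User Access Administrator)
# on the target scope. Resource names below are assumptions.
$rg       = 'NSIT-RG01'
$vnet     = 'NSIT-VNET-01'
$type     = 'Microsoft.Network/virtualNetworks'
$lockName = 'protect-hub-vnet'

# Helper: run a control-plane operation and report whether the lock blocked it.
# Azure Resource Manager rejects writes/deletes on a locked scope with
# HTTP 409 and error code "ScopeLocked".
function Invoke-LockedOp([string]$What, [scriptblock]$Op) {
    try {
        & $Op | Out-Null
        Write-Host "$What : succeeded"
    } catch {
        Write-Host "$What : blocked -> $($_.Exception.Message)"
    }
}

# 5.1  Add a "Read-only" lock (portal "Read-only" == API level ReadOnly)
New-AzResourceLock -LockName $lockName -LockLevel ReadOnly `
    -ResourceGroupName $rg -ResourceName $vnet -ResourceType $type `
    -LockNotes 'Hub VNet: remove lock only via change ticket' -Force | Out-Null

# Modify and save: a PUT on the VNet, so the ReadOnly lock blocks it
$v = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$v.Tag = @{ owner = 'network-team' }
Invoke-LockedOp 'Set-AzVirtualNetwork (ReadOnly)' { $v | Set-AzVirtualNetwork -ErrorAction Stop }

# Delete: also blocked
Invoke-LockedOp 'Remove-AzVirtualNetwork (ReadOnly)' {
    Remove-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet -Force -ErrorAction Stop
}

# 6.1  Change the same lock from "Read-only" to "Delete" (API level CanNotDelete)
Set-AzResourceLock -LockName $lockName -LockLevel CanNotDelete `
    -ResourceGroupName $rg -ResourceName $vnet -ResourceType $type -Force | Out-Null

# Now the write goes through ...
Invoke-LockedOp 'Set-AzVirtualNetwork (CanNotDelete)' { $v | Set-AzVirtualNetwork -ErrorAction Stop }
# ... but the delete is still rejected until the lock itself is removed
Invoke-LockedOp 'Remove-AzVirtualNetwork (CanNotDelete)' {
    Remove-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet -Force -ErrorAction Stop
}

# Show what is in place, then remove the lock. Removing the lock is the step
# that needs Microsoft.Authorization/locks/delete: an Owner can do it, a
# Contributor cannot (that role lists Microsoft.Authorization/*/Delete under NotActions).
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vnet -ResourceType $type |
    Select-Object Name, @{n='Level'; e={ $_.Properties.level }}, ResourceId
Remove-AzResourceLock -LockName $lockName -ResourceGroupName $rg `
    -ResourceName $vnet -ResourceType $type -Force | Out-Null
```

The two Invoke-LockedOp calls under the ReadOnly lock and the Remove-AzVirtualNetwork call under the CanNotDelete lock should all print "blocked" with a ScopeLocked message; only the Set-AzVirtualNetwork call after the change to CanNotDelete should print "succeeded".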

7. Effective Lock

Locks are inherited from parent scopes, and the most restrictive lock that applies wins: a Read-only lock anywhere above the object makes it read-only, and a Delete lock anywhere above it makes it undeletable, whatever the lock (or lack of one) on the object itself.

Scenario A

(Logical diagram omitted.)

(Screenshot omitted: role assignments on subscription "Pay-As-You-Go".)

(Screenshot omitted: role assignments on object "NSIT-VNET-01", where "User1" holds the Owner role on the object only.)

  • An admin applied a "Read-only" lock on Resource Group "NSIT-RG01", where object NSIT-VNET-01 resides.

Conclusion

  • Even though "User1" has Owner access on object "NSIT-VNET-01", "User1" cannot modify or delete the object, because the more restrictive lock flows down (is inherited) from the parent object, Resource Group "NSIT-RG01".
  • "User1" cannot change or remove the lock either: the lock is applied at the resource-group scope, and "User1" has no role assignment at or above that scope that grants Microsoft.Authorization/locks/*. Owner on the object alone does not reach the resource group.
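Scenario A checked from the command line, as an added example (not code from the original post): it lists every lock that applies to NSIT-VNET-01 including inherited ones, picks the effective level, and tells the signed-in user whether they hold a role at or above the winning lock's scope that allows removing it. It assumes the Az module, Connect-AzAccount, a user (not service principal) sign-in, and the names NSIT-RG01 and NSIT-VNET-01.

```powershell
# Added example, not from the original post: compute the effective lock on
# NSIT-VNET-01 the way section 7 describes (inherited locks included, most
# restrictive wins) and check whether the caller can remove the lock that wins.
# Requires the Az module and Connect-AzAccount; names are assumptions.
$rg   = 'NSIT-RG01'
$vnet = 'NSIT-VNET-01'
$type = 'Microsoft.Network/virtualNetworks'

# -AtScope returns locks at or ABOVE this scope, i.e. exactly the set that
# applies to the VNet (its own, the resource group's, the subscription's).
# Without -AtScope the cmdlet returns locks at or below the scope instead.
$locks = Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vnet `
    -ResourceType $type -AtScope

# A lock's ResourceId is "<scope>/providers/Microsoft.Authorization/locks/<name>",
# so stripping the suffix yields the scope it was set at.
$lockSuffix = '/providers/Microsoft.Authorization/locks/.*$'

# ReadOnly blocks write+delete, CanNotDelete blocks delete only: rank accordingly
$rank = @{ ReadOnly = 2; CanNotDelete = 1 }
$locks | Select-Object Name, @{n='Level'; e={ $_.Properties.level }},
    @{n='Scope'; e={ $_.ResourceId -replace $lockSuffix, '' }} |
    Format-Table -AutoSize

$winner = $locks | Sort-Object { $rank[$_.Properties.level] } -Descending | Select-Object -First 1
if (-not $winner) {
    "No lock applies to $vnet"
} else {
    $lockScope = $winner.ResourceId -replace $lockSuffix, ''
    "Effective lock on ${vnet}: $($winner.Properties.level), set at $lockScope"

    # Can the signed-in identity remove that lock? It needs a role assignment at
    # (or above) the lock's scope that grants Microsoft.Authorization/locks/delete,
    # which the built-in Owner and User Access Administrator roles do. User1's
    # Owner role on the VNet alone does not reach the resource-group scope.
    # (Custom roles granting locks/delete are not considered by this check.)
    $me = (Get-AzContext).Account.Id
    $assignments = Get-AzRoleAssignment -SignInName $me -Scope $lockScope -ExpandPrincipalGroups
    $canRemove = $assignments | Where-Object {
        $_.RoleDefinitionName -in 'Owner', 'User Access Administrator'
    }
    if ($canRemove) { "You can remove this lock ($($canRemove.RoleDefinitionName -join ', '))" }
    else            { "You cannot remove this lock: no Owner/UAA role at or above $lockScope" }
}
```

Run as User1 in Scenario A, the table shows the Read-only lock with scope /subscriptions/.../resourceGroups/NSIT-RG01, the effective level is ReadOnly, and the final line reports that the lock cannot be removed, which matches the conclusion above.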

8. End of Document
