
Azure Policy – Audit and Deploy CanNotDelete Lock on Resource Group Based on Tags


If you move your workloads to production, or even preproduction, it is highly recommended to protect them not only against data loss but also against accidental deletion. One Azure feature that can help is Resource Locks. Depending on how you configure the lock, the resource either cannot be deleted but can still be read and modified (CanNotDelete lock), or it is locked so that everybody can only read it (ReadOnly lock). In my opinion, it is a feature everyone should use to follow good governance.

Speaking of Azure governance, one thing that comes to mind is the Azure Policy service, which enforces governance in Azure. Azure Policy can be used, for example, to audit which resource groups do not have a Resource Lock in place. Former fellow MVP Adin Ermie has written a great post on auditing, based on tags, whether resource groups have a Resource Lock configured. I think this is a nice way to check for compliance, but I was missing a remediation task. This task should remediate the non-compliant resource and therefore apply a Resource Lock on the resources.

I have uploaded the policy to my GitHub repository, where you will find detailed instructions on how to provision the policy. Once you have deployed the policy, you can immediately start the compliance and remediation process.

First, I will deploy the policy from the repo, assign it to my subscription and configure the parameters that define which tags to look for. This means the policy only checks resource groups that have a tag named “env” with a value of “prod”…


…in the “Remediation” section, the policy will create a managed identity in the background and assign it the Owner permission at the subscription level. Owner permission is required to successfully apply the Resource Lock…


…finally review and create the assignment…


In the next step, I create two resource groups, one with no tags and one with the tag “env” and the value “prod”…


…after a while, you will see the non-compliant resource group popping up…


…under “Remediation tasks”, the evaluation process will start automatically and complete in the end…


…if we check the resource group, we will see that the Resource Lock has been applied…


…but only for the resource group with the appropriate tags.

You can easily start the remediation task manually if you already have resource groups in place that you need to re-evaluate.
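To cross-check the result outside the portal, the following added example (not part of the policy in the repository) lists tagged resource groups that still have no CanNotDelete lock. It assumes the Azure CLI is installed and logged in to the target subscription; the function name `unlocked_groups` is hypothetical.

```shell
#!/bin/sh
# Added example, not the author's code: print every resource group that
# carries the given tag but has no CanNotDelete lock reported for it.
# Usage: unlocked_groups TAG_NAME TAG_VALUE   (e.g. unlocked_groups env prod)
# Exit status: 0 on success, 2 if an az call fails.
unlocked_groups() (
  tag_name="$1"
  tag_value="$2"

  # Resource groups in scope: same tag filter the policy assignment uses.
  groups=$(az group list --tag "${tag_name}=${tag_value}" \
             --query '[].name' -o tsv) || exit 2

  while IFS= read -r rg; do
    [ -n "$rg" ] || continue

    # Names of all CanNotDelete locks az returns for this resource group.
    # ReadOnly locks are ignored because the policy targets CanNotDelete.
    locks=$(az lock list --resource-group "$rg" \
              --query "[?level=='CanNotDelete'].name" -o tsv) || exit 2

    # No lock name returned: the group is still unprotected.
    [ -n "$locks" ] || printf '%s\n' "$rg"
  done <<EOF
$groups
EOF
)
```

An empty result for `unlocked_groups env prod` means every matching resource group is locked; any name printed is a candidate for a manual remediation run.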

Find the policy here, and I hope this helps you secure your infrastructure.
