Detections
Analytics

10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts

Information

Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CannotDelete -type of resource manager lock.

This feature prevents POST operations on a storage account and containers to the Azure Resource Manager control plane,

management.azure.com

. Blocked operations include listKeys which prevents clients from obtaining the account shared access keys.

Microsoft does not recommend ReadOnly locks for storage accounts with Azure Files and Table service containers.

This Azure Resource Manager REST API documentation (spec) provides information about the control plane POST operations for

Microsoft.Storage

resources.

Applying a ReadOnly lock on storage accounts protects the confidentiality and availability of data by preventing the accidental or unauthorized deletion of the entire storage account and modification of the account, container properties, or access permissions. It can offer enhanced protection for blob and queue workloads with tradeoffs in usability and compatibility for clients using account shared access keys.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

 - Navigate to the storage account in the Azure portal.
 - Under the Settings section, select Locks
 - Select Add
 - Provide a Name, and choose ReadOnly for the type of lock.
 - Add a note about the lock if desired.

Remediate from Azure CLI

Replace the information within <> with appropriate values:

az lock create --name <lock> \\
 --resource-group <resource-group> \\
 --resource <storage-account> \\
 --lock-type ReadOnly \\
 --resource-type Microsoft.Storage/storageAccounts

Remediate from PowerShell

Replace the information within <> with appropriate values:

New-AzResourceLock -LockLevel ReadOnly `
 -LockName <lock> `
 -ResourceName <storage-account> `
 -ResourceType Microsoft.Storage/storageAccounts `
 -ResourceGroupName <resource-group>

Impact:

 - Prevents the deletion of the Storage account Resource entirely.
 - Prevents the deletion of the parent Resource Group containing the locked Storage account resource.
 - Prevents clients from obtaining the storage account shared access keys using a listKeys operation.
 - Requires Entra credentials to access blob and queue data in the Portal.
 - Data in Azure Files or the Table service may be inaccessible to clients using the account shared access keys.
 - Prevents modification of account properties, network settings, containers, and RBAC assignments.
 - Does not prevent access using existing account shared access keys issued to clients.
 - Does not prevent deletion of containers or other objects within the storage account.

See Also

https://workbench.cisecurity.org/benchmarks/19304

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10)

Plugin: microsoft_azure

Control ID: 3192480cf550f5e22e919d19e559839748b765af97a80c8108aed6b59c93ebe1