Control: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Configures auditing against a CIS Benchmark item.

Level: 2

Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.

Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.

Resource Types

This control targets the following resource types:

Azure > IAM > Role Definition

Primary Policies

The following policies can be used to configure this control:

In Your Workspace

Developers

Control Type URI

tmod:@turbot/azure-cisv2-0#/control/types/r0124

Category URI

tmod:@turbot/cis#/control/categories/v071406

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv2-0#/control/types/r0124") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv2-0#/control/types/r0124'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv2-0#/control/types/r0124"