Control: Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure that a custom role is assigned permissions for administering resource locks
Configures auditing against a CIS Benchmark item.
Level: 2
Resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources within Azure subscriptions and resource groups, and it is a recommended NIST configuration.
Given that the resource lock functionality is outside of standard Role-Based Access Control (RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure custom role is assigned permissions for administering resource locks
- Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure custom role is assigned permissions for administering resource locks > Attestation
- Azure > CIS v4.0 > Maximum Attestation Duration
- Azure > CIS v4.0
- Azure > CIS v4.0 > 06 - Identity Services
- Azure > CIS v4.0 > 06 - Identity Services > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv4-0#/control/types/r0624
- tmod:@turbot/cis#/control/categories/v071406
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv4-0#/control/types/r0624"
Get Controls
Control Type URI
Category URI
GraphQL
CLI