Control: Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
Configures auditing against a CIS Benchmark item.
Level: 1
Azure Resource Manager CannotDelete (Delete) locks can prevent users from accidentally or maliciously deleting a storage account. This feature ensures that while the storage account can still be modified or used, deletion of the storage account resource requires removal of the lock by a user with appropriate permissions.
This feature is a protective control for the availability of data. By ensuring that a storage account or its parent resource group cannot be deleted without first removing the lock, the risk of data loss is reduced.
Applying a Delete lock on storage accounts protects the availability of data by preventing the accidental or unauthorized deletion of the entire storage account. It is a fundamental protective control that can prevent data loss.
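The check described above can be sketched as follows. This is an added example, not Turbot's or CIS's own code. It generalizes "storage account or its parent resource group" to any ancestor scope, since ARM locks are inherited by child resources. Assumptions: the lock records are constructed samples carrying only the `id` and `level` fields of ARM management lock objects, the level is spelled `CanNotDelete` as ARM does, and only that level is counted as a Delete lock.

```python
import re

# Constructed sample data; the subscription ID, names and locks are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SA = "providers/Microsoft.Storage/storageAccounts"
LOCK = "providers/Microsoft.Authorization/locks"
LOCKS = [
    # Lock on a resource group: inherited by every resource inside it.
    {"id": f"{SUB}/resourceGroups/rg-prod/{LOCK}/rg-nodelete", "level": "CanNotDelete"},
    # ReadOnly lock on an account: not counted as a Delete lock here (assumption).
    {"id": f"{SUB}/resourceGroups/rg-dev/{SA}/devlogs/{LOCK}/ro", "level": "ReadOnly"},
    # Delete lock applied directly to an account.
    {"id": f"{SUB}/resourceGroups/rg-dev/{SA}/devdata/{LOCK}/keep", "level": "CanNotDelete"},
]
ACCOUNTS = [
    f"{SUB}/resourceGroups/rg-prod/{SA}/proddata",
    f"{SUB}/resourceGroups/rg-production/{SA}/archive",  # name shares a prefix with rg-prod
    f"{SUB}/resourceGroups/rg-dev/{SA}/devlogs",
    f"{SUB}/resourceGroups/rg-dev/{SA}/devdata",
]

LOCK_SUFFIX = re.compile(r"/providers/Microsoft\.Authorization/locks/[^/]+$", re.IGNORECASE)

def lock_scope(lock_id):
    """Scope a lock applies to: its resource ID minus the trailing lock segment."""
    return LOCK_SUFFIX.sub("", lock_id).lower()

def covering_delete_lock(account_id, locks):
    """Return the ID of a CanNotDelete lock on the account or an ancestor scope, else None."""
    target = account_id.lower()  # ARM resource IDs are case-insensitive
    for lock in locks:
        if lock["level"].lower() != "cannotdelete":
            continue
        scope = lock_scope(lock["id"])
        # Match on a whole path segment so rg-prod does not cover rg-production.
        if target == scope or target.startswith(scope + "/"):
            return lock["id"]
    return None

def audit(accounts, locks):
    """Map each storage account ID to True when a Delete lock covers it."""
    return {a: covering_delete_lock(a, locks) is not None for a in accounts}

if __name__ == "__main__":
    for account, ok in audit(ACCOUNTS, LOCKS).items():
        print("OK   " if ok else "ALARM", account)
```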
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied > Attestation
- Azure > CIS v4.0 > Maximum Attestation Duration
- Azure > CIS v4.0
- Azure > CIS v4.0 > 10 - Storage Services
- Azure > CIS v4.0 > 10 - Storage Services > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv4-0#/control/types/r100310
- tmod:@turbot/cis#/control/categories/v0710
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv4-0#/control/types/r100310"
Get Controls