Control: Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
Configures auditing against a CIS Benchmark item.
Level: 2
Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CannotDelete-type of resource manager lock.
This feature prevents POST operations on a storage account and containers to the Azure Resource Manager control plane, management.azure.com. Blocked operations include List Keys which prevents clients from obtaining the account shared access keys.
Microsoft does not recommend ReadOnly locks for storage accounts with Azure Files and Table service containers.
This Azure Resource Manager REST API documentation (spec) provides information about the control plane POST operations for Microsoft.Storage resources.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered
- Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered > Attestation
- Azure > CIS v4.0 > Maximum Attestation Duration
- Azure > CIS v4.0
- Azure > CIS v4.0 > 10 - Storage Services
- Azure > CIS v4.0 > 10 - Storage Services > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv4-0#/control/types/r100311
- tmod:@turbot/cis#/control/categories/v0710
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv4-0#/control/types/r100311"
Get Controls