Policy: Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.
From Azure Portal 1. Navigate to the specific Azure Resource or Resource Group 2. For each mission critical resource, click on Locks 3. Click Add 4. Give the lock a name and a description, then select the type, Read-only or Delete as appropriate 5. Click OK
From Azure CLI To lock a resource, provide the name of the resource, its resource type, and its resource group name.az lock create --name <LockName> --lock-type <CanNotDelete/Read-only> --resource-group <resourceGroupName> --resource-name <resourceName> --resource-type <resourceType>
From PowershellGet-AzResourceLock -ResourceName <Resource Name> -ResourceType <ResourceType> -ResourceGroupName <Resource Group Name> -Locktype <CanNotDelete/Read-only>
Note that the date can not be further in the future than is specified in report level Maximum Attestation Duration policy. Set to a blank value to clear the attestation.
Resource Types
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
- Azure > CIS v2.0
- Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v2.0 > 10 - Miscellaneous
Policy Specification
Schema Type | |
|---|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/v071406
- tmod:@turbot/azure-cisv2-0#/policy/types/r1001Attestation
- turbot graphql policy-type --id "tmod:@turbot/azure-cisv2-0#/policy/types/r1001Attestation"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv2-0#/policy/types/r1001Attestation"
Get Policy TypeGet Policy Settings