Authentication

Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Platform(s)
Compliance Frameworks

Azure CIS, Brazilian General Data Protection (LGPD), CCM-CSA, CCPA, cis_8, CPRA, Data Security Posture Management (DSPM) Best Practices, essential_8_au, GDPR, HITRUST, iso_27001_2022, iso_27002_2022, Microsoft Cloud Security Benchmark, Mitre ATT&CK, New Zealand Information Security Manual, NIST 800-171, NIST 800-53, PDPA, pipeda, UK Cyber Essentials

Description

There is no custom role to administer resource locks. Azure resource locks allow you to protect sensitive resources from accidental changes or deletion. A tightly scoped resource lock administrator role has only the permissions required to manage resource locking and nothing more. In the absence of such a role, users may need to assume the "Contributor" or "Owner" roles to administer locks, which violates the principle of least privilege.
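The check described above can be run against exported role definitions. The following is an added example, not part of the original page or of any vendor tooling: it assumes the JSON layout printed by `az role definition list --custom-role-only true` and treats the `Microsoft.Authorization/locks/*` operations as the full set a lock administrator needs. The role names in the sample are constructed.

```python
import json
from fnmatch import fnmatchcase

LOCK_PREFIX = "microsoft.authorization/locks/"

# Constructed sample, shaped like `az role definition list --custom-role-only true`
# output (layout assumed; role names are made up for illustration).
SAMPLE_ROLES = json.loads("""[
  {"roleName": "Resource Lock Administrator", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
  {"roleName": "Ops Plus Locks", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/locks/*", "Microsoft.Compute/*"],
                    "notActions": []}]},
  {"roleName": "Lock Reader", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/locks/read"], "notActions": []}]}
]""")


def classify(role):
    """Return 'tight', 'too_broad' or 'no_lock_admin' for one role definition."""
    actions, not_actions, data_actions = [], [], []
    for perm in role.get("permissions", []):
        actions += [a.lower() for a in perm.get("actions") or []]
        not_actions += [a.lower() for a in perm.get("notActions") or []]
        data_actions += perm.get("dataActions") or []

    def grants(op):
        # An operation is granted if an action pattern (wildcards included)
        # matches it and no notActions pattern removes it again.
        target = LOCK_PREFIX + op
        return (any(fnmatchcase(target, a) for a in actions)
                and not any(fnmatchcase(target, n) for n in not_actions))

    # Administering locks means being able to create and remove them.
    if not (grants("write") and grants("delete")):
        return "no_lock_admin"
    # Anything outside the locks namespace ("*", "Microsoft.Compute/*", data
    # actions) means the role is not limited to lock management.
    extra = [a for a in actions if not a.startswith(LOCK_PREFIX)]
    return "too_broad" if extra or data_actions else "tight"


def audit(roles):
    """Classify every custom role; the check passes if at least one is 'tight'."""
    result = {r["roleName"]: classify(r)
              for r in roles if r.get("roleType") == "CustomRole"}
    return result, "tight" in result.values()
```

A subscription passes only when `audit` finds at least one `tight` role; roles reported as `too_broad` can manage locks but carry the same least-privilege problem as using Contributor or Owner.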