How to avoid unknown or accidental deletion of your Azure resources by other users.
A few days back I saw an incident where a user reported that he had lost some important data because an Azure storage account had been deleted. While checking on this I found that the resource group containing the storage account had been deleted by a member of the development team, since they had completed a project and no longer needed the resource group. The storage account was part of that resource group, was shared with another team member who was using it for a different application, and had not been locked down, so this unfortunate incident happened.
There is no resolution for this issue: once a storage account is deleted there is no way to recover it, because deleting a storage account is an irreversible action in Azure. So it is always advisable to protect Azure resources from accidental or unknown deletion by applying a lock to them.
We can apply locks at the following levels in Azure:
- Subscription Level.
- Resource Group Level.
- Resource Level.
Azure supports two lock levels: CanNotDelete and ReadOnly.
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete it.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
A lock applied at any level applies to all the resources within that level. For example, if you apply a lock at subscription level, all the child resources in that subscription inherit the lock.
Who can apply the locks?
Among the built-in roles in Azure, the Owner and the User Administrator can apply a lock at any of the above levels.
Now I will show how to set up a lock on an Azure storage account and prevent it from accidental deletion.
As you can see below, I have a storage account called aaviazurediag1 which is being used as the shared storage account.
To apply the read lock to this storage account, I’ll open the storage account, go to the Settings section and click on Locks.
The next step is to create the lock.
Now let’s test this lock. I have another user who has Contributor access to this subscription, which is the top-level scope. With the lock in place, here is what the user saw when she tried to delete this storage account.
This is the message she received while trying to delete this account.
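The same procedure done from the command line, as an added example that is not part of the original post: it uses the Az PowerShell module to create a CanNotDelete lock on the storage account from the post (aaviazurediag1), adds a second lock at resource-group level so every resource in the group inherits it, lists the locks, and then shows that a delete attempt fails while the lock is in place. It also adds a small audit function that reports storage accounts in the subscription not covered by any lock. The subscription id and resource group name are placeholders, and the lock names and notes are my own choices.

```powershell
# Added example (not from the original post). Requires the Az module and an
# account holding Owner or User Access Administrator on the target scope.
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage

Connect-AzAccount | Out-Null
Set-AzContext -Subscription '<subscription-id-placeholder>' | Out-Null   # placeholder

$rg   = '<resource-group-placeholder>'   # placeholder: the group holding the shared account
$name = 'aaviazurediag1'                  # storage account named in the post

# 1. Resource-level CanNotDelete lock on the shared storage account.
#    -Force skips the confirmation prompt; -LockNotes records why the lock exists.
New-AzResourceLock -LockName 'shared-storage-no-delete' `
    -LockLevel CanNotDelete `
    -LockNotes 'Shared by several teams; coordinate before removing this lock.' `
    -ResourceName $name `
    -ResourceType 'Microsoft.Storage/storageAccounts' `
    -ResourceGroupName $rg `
    -Force | Out-Null

# 2. Resource-group-level lock. Every resource in the group inherits it, so a
#    "Delete resource group" action on the whole group is refused as well.
New-AzResourceLock -LockName 'rg-no-delete' `
    -LockLevel CanNotDelete `
    -ResourceGroupName $rg `
    -Force | Out-Null

# 3. List the locks in the resource group (both the group-level lock and the
#    one placed directly on the storage account).
Get-AzResourceLock -ResourceGroupName $rg |
    Select-Object Name, ResourceName, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId |
    Format-Table -AutoSize

# 4. Verify the lock: the delete call is rejected by Azure Resource Manager and
#    the account still exists afterwards.
try {
    Remove-AzStorageAccount -ResourceGroupName $rg -Name $name -Force -ErrorAction Stop
    Write-Warning 'Delete succeeded: the lock is NOT in place.'
} catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}
Get-AzStorageAccount -ResourceGroupName $rg -Name $name |
    Select-Object StorageAccountName, ProvisioningState

# 5. Audit helper: storage accounts in the current subscription that no lock
#    protects. A lock covers a resource when the lock's scope (its ResourceId
#    minus the trailing '/providers/Microsoft.Authorization/locks/<name>') is a
#    prefix of the resource id, which handles subscription-, group- and
#    resource-level locks alike.
function Get-UnlockedStorageAccount {
    $scopes = Get-AzResourceLock | ForEach-Object {
        ($_.ResourceId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', '').ToLowerInvariant()
    }
    Get-AzStorageAccount | Where-Object {
        $id = $_.Id.ToLowerInvariant()
        -not ($scopes | Where-Object { $id.StartsWith($_) })
    } | Select-Object StorageAccountName, ResourceGroupName
}

Get-UnlockedStorageAccount | Format-Table -AutoSize
```

Run the audit function on a schedule or before handing a subscription to a new team: any account it prints is one that an Owner or Contributor could still remove with a single portal click, which is exactly the situation described above.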
So, as you have seen, it’s always a best practice to apply locks to your Azure resources to avoid accidental deletion. The question that follows is why we need resource locks at all if we can protect our resources with RBAC (role-based access control) in Azure. The answer is that in every organization there are Owners and Contributors who can still delete a resource, and that is where the lock is needed, because it prevents the accidental deletion that RBAC alone allows. Day by day your Azure subscriptions will hold more and more resources, and the chance of this kind of mistake grows with them. If a mistake happens and a valuable resource is deleted, it is the Azure administrators who are at risk and have to prepare the RCA, which management will never like. By adding resource locks we can eliminate those bitter moments in Azure administration and make our lives easier.
Photo Credit: Royalty Free Photos from PEXELES