Prevent accidental removal
Role Based Access Control
Azure services offer real fine-grained access control configuration. You should take advantage of it, in order to govern access to your Azure environment. Resources in your production environment should only be deployed by automated processes (e.g. VSTS). Assign the least required privileges to the developers, operators and administrators within your subscription. Read only access in production should be a default setting. In case of incidents, you can always temporary elevate permissions if needed. Read here more about this subject.
Naming Conventions
It’s a good practice to include the environment within the name of your Azure resources. Via this simple naming convention, you create awareness on what environment one is working. Combined with this naming convention, it’s also advised to have a different subscription for prod and non-prod resources.
Resource Locks
An additional measure you can take, is applying resource locks on important resources. A resource lock can set two different lock levels:
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
These locks can only be created or removed by a Resource Owner or a User Access Administrator. This prevents that e.g. Contributors delete the resource by accident.
Locks can be deployed through PowerShell, Azure CLI, REST API and ARM templates. This is an example of how to deploy a lock through an ARM template:
Be aware that locks can also be configured on subscription and resource group level. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent.
Conclusion
The Microsoft Azure platform gives you all the access control tools you need, but it’s your (or your service provider’s) responsibility to use them the right way. One should be very cautious when giving / getting full control on a production environment, because we’re all human and we all make mistakes.
Subscribe to our RSS feed