I have a question about Azure Resource Locks. By adding a read-only or delete lock to a resource, when you hit delete it cannot be deleted. So my question is: can that lock be removed by an owner? Is it possible to make it impossible to remove the lock, even for the owner?
CodePudding user response:
Who can create or delete locks

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

Source: Lock resources to prevent unexpected changes - Who can create or delete locks.
In short: the answer is no.
Furthermore, Owner is the most privileged role in Azure, since it "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC."

Source: Azure built-in roles - All.
If you're working according to the Principle of Least Privilege, you should limit the number of owners of your Azure subscription.

The Owner role grants full access to manage all resources, including the ability to assign roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.
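To make the "who can delete a lock" rule concrete, here is an added example (not part of the question or the answer above, and not Microsoft's code) that models how Azure RBAC decides whether a role definition covers an action: an action is permitted when it matches a pattern in Actions and no pattern in NotActions, with '*' matching any run of characters and comparison being case-insensitive. The role definitions are constructed and abridged from the built-in role docs; verify them against `az role definition list` before relying on them. The custom "Lock-safe Admin" role is hypothetical and only illustrates how a broad role can withhold the lock actions.

```python
import re

# Constructed, abridged built-in role definitions (Actions / NotActions only).
# Reproduced from the Azure built-in roles documentation; check the live
# definitions with: az role definition list --name Contributor
BUILTIN_ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Hypothetical custom role: full management rights, but lock creation and
# deletion are carved out so holders cannot lift a CanNotDelete lock.
LOCK_SAFE_ADMIN = {
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/locks/write",
                   "Microsoft.Authorization/locks/delete"],
}

LOCK_DELETE_ACTION = "Microsoft.Authorization/locks/delete"


def pattern_matches(pattern: str, action: str) -> bool:
    """Azure-style action matching: '*' spans any characters (including '/'),
    and the comparison ignores case."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_permitted(role: dict, action: str) -> bool:
    """Effective permission = matches some Actions entry and no NotActions entry."""
    allowed = any(pattern_matches(p, action) for p in role["Actions"])
    denied = any(pattern_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def can_delete_lock(role: dict) -> bool:
    return is_permitted(role, LOCK_DELETE_ACTION)


def roles_that_can_delete_locks(roles: dict) -> list:
    """Names of the roles that would let a holder remove a management lock."""
    return sorted(name for name, role in roles.items() if can_delete_lock(role))


if __name__ == "__main__":
    for name, role in BUILTIN_ROLES.items():
        print(f"{name:28s} can delete locks: {can_delete_lock(role)}")
    print(f"{'Lock-safe Admin (custom)':28s} can delete locks: {can_delete_lock(LOCK_SAFE_ADMIN)}")
```

Running it reports Owner and User Access Administrator as the only built-in roles able to delete a lock, which is exactly the statement the answer quotes; Contributor is blocked by its `Microsoft.Authorization/*/Delete` NotAction even though its Actions list is `*`. The model deliberately ignores DataActions, deny assignments and scope inheritance, so treat it as a reading aid for role JSON rather than an authorisation oracle. It also shows the practical takeaway of the answer: you cannot stop an Owner from removing a lock, but you can hand out a custom role that does not carry the lock actions.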