Ensure that Resource Locks are set for Mission-Critical Azure Resources

Resource Manager Locks allow administrators to lock down Azure resources and prevent deletion or changing of resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively. It is recommended to have locks enabled to prevent accidental or malicious change or deletion.

Risk Level: Low
Cloud Entity: Azure Resource Group
CloudGuard Rule ID: D9.AZU.NET.20
Covered by Spectral: Yes
Category: Management Tools


ResourceGroup should have locks


Azure Console

  1. Navigate to the 'Resource groups'
  2. For each resource group you want to lock, Select 'Locks' and click 'Add'
  3. Specify the lock name and level and save your changes

Azure Resource Group

Each resource in Azure must belong to a resource group. A resource group is simply a logical construct that groups multiple resources together so they can be managed as a single entity. For example, resources that share a similar lifecycle, such as the resources for an n-tier application may be created or deleted as a group.

Compliance Frameworks

  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset