Tags: azure, azure-policy, azure-rbac, azure-resource-lock

Azure - prevent Subscription Owner from modifying specific Resource Group?


I'm exploring options for securing some Azure resources within a subscription from tampering, even by subscription owners.

The intent is to standardize our subscriptions which are used by other teams for their engineering. We've considered giving teams custom RBAC roles similar to Owner and Contributor, but slightly reduced--however we've found this approach to be high friction and not to cover 100% of our scenarios. In some cases excluding a permission is fine--in others we need to grant them those permissions but restrict them from being used on our resources.

Our preferred design is to create a resource group of a known-name in each standardized subscription, place the resources users aren't allowed to modify or delete in the group, and explore options to prevent subscription owners from tampering with that RG or its resources.

So far we've explored most options we're aware of:

Other options begin to get "sloppy". They leave gaps, or create significant complexity. Such as...


Solution

  • After communicating with our Azure contacts this is a known limitation. Presently there is no way to retract permissions once granted. I.e. if you grant a user the ability to manage resource groups you cannot deny them those permissions on a specific instance.

    There are some half-baked abilities in Azure Blueprint, which can deploy a Resource Group with an RBAC Deny Assignment (only available via Blueprints). When assigning the Blueprint the "lock" is actually an RBAC Deny -- not a Resource Lock (confusing?).

    However they explicitly block that permission from being inherited. So while the resource group itself is "ReadOnly" nothing within it is. Using ARM templates deployed via Blueprints may support this -- but in our case that would involve rewriting months of work.

    Hopefully Microsoft will add Deny Assignments directly to RBAC. They have the API and ability but are keeping it hidden/locked at the moment.
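The inheritance gap the answer describes can be checked mechanically. The following is an added example, not code from the question, the answer, or Microsoft: it models a deny assignment with the fields the Azure deny assignments API exposes (scope, actions, notActions, doNotApplyToChildScopes), evaluates whether a given control-plane action on a given resource ID is blocked, and lists which resources in a group are left unprotected. Principal matching and excludePrincipals are deliberately left out, and all subscription and resource IDs are constructed placeholders.

```python
"""Evaluate whether an Azure deny assignment blocks an action on a resource.

Added illustration of the gap described in the answer: a deny assignment
created with doNotApplyToChildScopes=true protects the resource group object
itself, but nothing inside it. Principal matching is omitted (assumption:
the caller is one of the denied principals).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List


@dataclass
class DenyAssignment:
    # Field names mirror the deny assignment API properties.
    name: str
    scope: str                          # ARM ID the deny is attached to
    actions: List[str]                  # action patterns that are denied
    not_actions: List[str]              # patterns carved back out of `actions`
    do_not_apply_to_child_scopes: bool  # True = no inheritance to child scopes


def scope_covers(deny: DenyAssignment, resource_id: str) -> bool:
    """Return True if the deny's scope applies to resource_id."""
    scope = deny.scope.rstrip("/").lower()
    target = resource_id.rstrip("/").lower()
    if target == scope:
        return True
    if deny.do_not_apply_to_child_scopes:
        return False                    # the answer's case: children are exempt
    return target.startswith(scope + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings use '*' as a wildcard that also spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_denied(deny: DenyAssignment, resource_id: str, action: str) -> bool:
    """NotActions are subtracted from Actions; the scope must cover the target."""
    if not scope_covers(deny, resource_id):
        return False
    if any(action_matches(p, action) for p in deny.not_actions):
        return False
    return any(action_matches(p, action) for p in deny.actions)


def unprotected(deny: DenyAssignment, resource_ids: List[str], action: str) -> List[str]:
    """Resources on which `action` is NOT blocked by this deny assignment."""
    return [r for r in resource_ids if not is_denied(deny, r, action)]


# Constructed sample IDs (not real subscriptions or resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_ID = SUB + "/resourceGroups/rg-platform-locked"
STORAGE_ID = RG_ID + "/providers/Microsoft.Storage/storageAccounts/stplatformlogs"
KEYVAULT_ID = RG_ID + "/providers/Microsoft.KeyVault/vaults/kv-platform"

# A "ReadOnly"-style deny as the answer describes: everything except reads is
# denied on the resource group, and the deny is not inherited by its contents.
BLUEPRINT_STYLE_DENY = DenyAssignment(
    name="rg-readonly-lock",
    scope=RG_ID,
    actions=["*"],
    not_actions=["*/read"],
    do_not_apply_to_child_scopes=True,
)

# The same deny with inheritance enabled, for comparison.
INHERITED_DENY = DenyAssignment(
    name="rg-readonly-lock-inherited",
    scope=RG_ID,
    actions=["*"],
    not_actions=["*/read"],
    do_not_apply_to_child_scopes=False,
)

if __name__ == "__main__":
    write_role = "Microsoft.Authorization/roleAssignments/write"
    for deny in (BLUEPRINT_STYLE_DENY, INHERITED_DENY):
        gaps = unprotected(deny, [RG_ID, STORAGE_ID, KEYVAULT_ID], write_role)
        print(f"{deny.name}: unprotected for {write_role}: {gaps}")
```

Run against the blueprint-style deny, the resource group itself reports as protected while both resources inside it come back in the unprotected list; flipping the inheritance flag empties that list, which is the behaviour the answer says Blueprints do not currently offer.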