Ensure Custom Role is Assigned Permissions for Administering Resource Locks
Why This Matters
Resource locks protect critical Azure resources from accidental deletion or modification. Without a dedicated role managing these locks, you risk granting excessive permissions like Owner or Contributor just to unlock resources, increasing your attack surface. A custom role for resource lock administration enforces least privilege and reduces the chance of unintentional damage.
What Aether365 Checks
Aether365 verifies that a custom role exists with permissions specifically for administering resource locks (Microsoft.Authorization/locks/*). This check appears in the Aether365 dashboard under your azure-subscription-security checks and flags any subscription or management group lacking this tailored role.
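The kind of test this check implies can be run offline over exported role definitions. The following is an added example, not Aether365's own logic or code from this page: it assumes role definitions shaped like the JSON printed by `az role definition list --custom-role-only true`, and the helper names, sample roles and subscription ID are constructed for illustration. It treats a role as a lock administrator only when it grants Microsoft.Authorization/locks/* without a broader wildcard and without a notAction that carves lock operations back out.

```python
"""Offline check: does a custom role grant Microsoft.Authorization/locks/* narrowly?"""

LOCKS_ACTION = "microsoft.authorization/locks/*"
LOCKS_PREFIX = "microsoft.authorization/locks/"
# Wildcards that also cover locks but reach far beyond lock administration.
BROAD_ACTIONS = {"*", "microsoft.authorization/*"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder


def _role(name, actions, not_actions=()):
    # Builds a constructed role definition; the field names are an assumed shape
    # modelled on `az role definition list --custom-role-only true` output.
    return {"roleName": name, "roleType": "CustomRole", "assignableScopes": [SUB],
            "permissions": [{"actions": list(actions), "notActions": list(not_actions)}]}


SAMPLE_ROLES = [  # constructed sample data
    _role("Resource Lock Administrator", ["Microsoft.Authorization/locks/*"]),
    _role("Ops Everything", ["*"]),
    _role("Lock Reader Only", ["Microsoft.Authorization/locks/read"]),
    _role("Locks Without Delete", ["Microsoft.Authorization/locks/*"],
          ["Microsoft.Authorization/locks/delete"]),
]


def classify(role):
    """Return 'lock_admin', 'broad' or 'none' for one role definition."""
    if role.get("roleType") != "CustomRole":
        return "none"
    grants_locks = broad = False
    for perm in role.get("permissions", []):
        actions = {a.lower() for a in perm.get("actions", [])}
        excluded = [n.lower() for n in perm.get("notActions", [])]
        # Any notAction touching locks means the role cannot fully administer them.
        if any(n in BROAD_ACTIONS or n.startswith(LOCKS_PREFIX) for n in excluded):
            continue
        grants_locks |= LOCKS_ACTION in actions
        broad |= bool(actions & BROAD_ACTIONS)
    if broad:
        return "broad"
    return "lock_admin" if grants_locks else "none"


def lock_admin_roles(roles, subscription_scope):
    """Names of narrowly scoped lock-admin roles assignable at the subscription."""
    wanted = subscription_scope.lower()
    return [r["roleName"] for r in roles
            if classify(r) == "lock_admin"
            and any(s.lower() == wanted for s in r.get("assignableScopes", []))]


if __name__ == "__main__":
    for r in SAMPLE_ROLES:
        print(f"{r['roleName']}: {classify(r)}")
    print("subscription compliant:", bool(lock_admin_roles(SAMPLE_ROLES, SUB)))
```

Management-group assignable scopes are not resolved here; only an exact subscription scope match counts.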
How to Fix
To create and assign a Resource Lock Administrator custom role: