Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability.It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.37
Covered by Spectral: No
Category: Storage


StorageAccount should have blobServiceProperties.deleteRetentionPolicy.enabled=true


From Portal

  1. Go to Storage Account
  2. For each Storage Account, navigate to Data Protection
  3. Select set soft delete enabled and enter a number of days you want to retain soft deleted data.

From TF
Set the number of days under delete_retention_policy as below:

resource "azurerm_storage_account" "example" {

From Command Line

az storage blob service-properties delete-policy update --days-retained RETENTIONDAYS --account-name ACCOUNTNAME --account-key ACCOUNTKEY --enable true


  1. https://docs.microsoft.com/en-gb/azure/storage/blobs/soft-delete-blob-overview
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#blob_properties
  3. https://docs.microsoft.com/en-us/cli/azure/storage/blob/service-properties?view=azure-cli-latest#az-storage-blob-service-properties-update

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • CloudGuard Azure All Rules Ruleset