Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability.It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.37
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should have blobServiceProperties.deleteRetentionPolicy.enabled=true
REMEDIATION
From Portal
- Go to Storage Account
- For each Storage Account, navigate to
Data Protection
- Select set soft delete enabled and enter a number of days you want to retain soft deleted data.
From TF
Set the number of days under delete_retention_policy as below:
resource "azurerm_storage_account" "example" {
..
blob_properties{
..
delete_retention_policy
{
days= "NUMBEROFDAYS"
}
..
}
..
}
From Command Line
Run
az storage blob service-properties delete-policy update --days-retained RETENTIONDAYS --account-name ACCOUNTNAME --account-key ACCOUNTKEY --enable true
References
- https://docs.microsoft.com/en-gb/azure/storage/blobs/soft-delete-blob-overview
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#blob_properties
- https://docs.microsoft.com/en-us/cli/azure/storage/blob/service-properties?view=azure-cli-latest#az-storage-blob-service-properties-update
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago