Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs

Blob soft delete protects your data from being accidentally or erroneously modified or deleted. When blob soft delete is enabled for a storage account, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period that you specify.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.TF.AZU.CRY.02
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

azurerm_storage_account should not have blob_properties.delete_retention_policy.days isEmpty()
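The GSL logic above, applied to `terraform show -json` plan output, as an added Python example (not CloudGuard's own engine). It assumes the plan JSON layout in which nested HCL blocks such as blob_properties and delete_retention_policy appear as lists, and it walks child modules as well as the root module; the plan data is a constructed sample.

```python
import json
from typing import Any, Optional

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Not real plan output.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "azurerm_storage_account.compliant", "type": "azurerm_storage_account",
         "values": {"blob_properties": [{"delete_retention_policy": [{"days": 14}]}]}},
        {"address": "azurerm_storage_account.no_policy", "type": "azurerm_storage_account",
         "values": {"blob_properties": [{"delete_retention_policy": []}]}},
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
         "values": {"name": "rg-demo"}},
    ],
    "child_modules": [{"address": "module.data", "resources": [
        {"address": "module.data.azurerm_storage_account.no_blob_props",
         "type": "azurerm_storage_account", "values": {"blob_properties": []}},
    ]}],
}}})


def soft_delete_days(values: dict[str, Any]) -> Optional[int]:
    """Return blob_properties.delete_retention_policy.days, or None when the
    block chain is absent or empty (the isEmpty() case in the GSL rule)."""
    for props in values.get("blob_properties") or []:
        for policy in props.get("delete_retention_policy") or []:
            if policy.get("days") is not None:
                return int(policy["days"])
    return None


def _walk_modules(module: dict[str, Any]):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def find_violations(plan_json: str) -> list[str]:
    """Addresses of azurerm_storage_account resources that fail D9.TF.AZU.CRY.02."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return [res["address"] for res in _walk_modules(root)
            if res.get("type") == "azurerm_storage_account"
            and soft_delete_days(res.get("values", {})) is None]


if __name__ == "__main__":
    for address in find_violations(SAMPLE_PLAN):
        print(f"D9.TF.AZU.CRY.02 FAIL: {address} has no blob delete_retention_policy.days")
```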

REMEDIATION

From TF
Set the 'soft_delete_enabled' and 'purge_protection_enabled' arguments to true and 'soft_delete_retention_days' as below:

resource "azurerm_storage_account" "example" {
  # ...
  blob_properties {
    # ...
    delete_retention_policy {
      days = 7 # retention period in days (1 to 365); 7 is a placeholder value, pick your own
    }
    # ...
  }
  # ...
}

References:

  1. https://docs.microsoft.com/en-gb/azure/storage/blobs/soft-delete-blob-overview
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#blob_properties

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure Terraform Ruleset