Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs
Blob soft delete protects your data from being accidentally or erroneously modified or deleted. When blob soft delete is enabled for a storage account, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period that you specify.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.TF.AZU.CRY.02
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
azurerm_storage_account should not have blob_properties.delete_retention_policy.days isEmpty()
REMEDIATION
From TF
Set blob_properties.delete_retention_policy.days to the number of days for which deleted blobs, versions and snapshots must remain recoverable (1 to 365), as below:
resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct"                 # placeholder name
  resource_group_name      = azurerm_resource_group.example.name  # assumes an existing resource group resource
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  blob_properties {
    # Blob soft delete: deleted blobs stay recoverable for this many days (1 to 365)
    delete_retention_policy {
      days = 7   # placeholder: replace with your required retention period
    }
  }
}
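The GSL logic above is evaluated by CloudGuard itself, but the same condition can be checked locally before a plan is applied. The following Python script is an added example, not CloudGuard or Check Point code: it reads the JSON produced by `terraform show -json <planfile>`, walks every module, and reports each azurerm_storage_account whose blob_properties.delete_retention_policy.days is missing or empty. The embedded plan JSON is constructed for the example and mirrors the shape Terraform emits (nested blocks appear as lists); the resource addresses and names in it are made up.

```python
"""Flag azurerm_storage_account resources without blob soft delete in Terraform plan JSON."""
import json
import sys

# Constructed sample of `terraform show -json` output (planned_values only); not from a real environment.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {   # compliant: retention policy configured
                    "address": "azurerm_storage_account.compliant",
                    "type": "azurerm_storage_account",
                    "values": {"name": "compliantacct",
                               "blob_properties": [{"delete_retention_policy": [{"days": 7}]}]},
                },
                {   # blob_properties present but no delete_retention_policy block
                    "address": "azurerm_storage_account.no_policy",
                    "type": "azurerm_storage_account",
                    "values": {"name": "nopolicyacct",
                               "blob_properties": [{"delete_retention_policy": []}]},
                },
                {   # no blob_properties block at all
                    "address": "azurerm_storage_account.no_blob_props",
                    "type": "azurerm_storage_account",
                    "values": {"name": "noblobacct", "blob_properties": []},
                },
                {   # different resource type, must be ignored
                    "address": "azurerm_key_vault.unrelated",
                    "type": "azurerm_key_vault",
                    "values": {"name": "kv"},
                },
            ],
            "child_modules": [{
                "address": "module.storage",
                "resources": [{   # compliant resource inside a child module
                    "address": "module.storage.azurerm_storage_account.nested",
                    "type": "azurerm_storage_account",
                    "values": {"name": "nestedacct",
                               "blob_properties": [{"delete_retention_policy": [{"days": 30}]}]},
                }],
            }],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def soft_delete_days(values):
    """Return delete_retention_policy.days for a storage account, or None when it is absent.

    Plan JSON renders nested blocks as lists, so the path is
    blob_properties[0].delete_retention_policy[0].days; an unset block is [] or missing.
    """
    for props in values.get("blob_properties") or []:
        for policy in props.get("delete_retention_policy") or []:
            days = policy.get("days")
            if days is not None:
                return int(days)
    return None


def find_violations(plan_json):
    """Return the addresses of azurerm_storage_account resources with no retention days set."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    violations = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        if soft_delete_days(res.get("values", {})) is None:
            violations.append(res["address"])
    return violations


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_soft_delete.py plan.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    for address in find_violations(source):
        print(f"FAIL D9.TF.AZU.CRY.02: {address} has no blob_properties.delete_retention_policy.days")
```

Run it against a real plan in CI to fail the pipeline before the account is created; the check only inspects planned values, so a resource whose blob_properties are computed at apply time will need to be verified after deployment instead.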
References:
- https://docs.microsoft.com/en-gb/azure/storage/blobs/soft-delete-blob-overview
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#blob_properties
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure Terraform Ruleset
Updated over 1 year ago