Control: 3.8 Ensure soft delete is enabled for Azure Storage
Description
The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
There could be scenarios where users accidentally run delete commands on Azure Storage blobs or blob snapshot or attacker/malicious user does it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss / non-accessible data. There is a property of Azure Storage blob service to make recoverable blobs.
Soft Delete
Enabling this configuration for azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects remain recoverable for a particular time which set in the "Retention policies"
[Retention policies can be 7 days to 365 days].
Remediation
From Console
- Login to Azure Storage Accounts
- For each Storage Account, navigate to
Data ProtectionunderData managementsection - Select
set soft delete enabledand enter a number of days you want to retain soft deleted data.
From Command Line
Update retention days in below command
az storage blob service-properties delete-policy update --days-retained <RetentionDaysValue> --account-name <StorageAccountName> --enable trueUsage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_3_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_3_8 --shareSQL
This control uses a named query:
storage_account_soft_delete_enabled