
🛡️ Azure Storage Blob Containers Soft Delete is not enabled🟢

  • Contextual name: 🛡️ Blob Containers Soft Delete is not enabled🟢
  • ID: /ce/ca/azure/storage/blob-containers-soft-delete
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-a8281d051

Description


Azure Storage blobs often hold data such as ePHI or financial records, which can be confidential or personal. Data that is erroneously modified or deleted by an application or by another user of the storage account results in data loss or unavailability.

It is recommended that both Azure containers (together with the blob storage they hold) and standalone blob storage be made recoverable by enabling the soft delete configuration, so that blobs or blob snapshots can be saved and recovered after deletion.

Rationale

Containers and blob storage data can be deleted by mistake, and an attacker or malicious user may delete them deliberately to cause disruption. Deleting an Azure Storage blob otherwise causes immediate data loss. Enabling soft delete for the storage account ensures that even if blobs or containers are deleted, they remain recoverable for the period set in the retention policy, which ranges from 1 day to 365 days.

Impact

Additional storage costs may be incurred as snapshots are retained.


Remediation


From Azure Portal

  1. Go to Storage Accounts.
  2. For each Storage Account, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for blobs.
  4. Check the box next to Enable soft delete for containers.
  5. Set the retention period for both to a sufficient length for your organization.
  6. Click Save.

From Azure CLI

Update the blob soft delete retention days with the command below:

az storage blob service-properties delete-policy update --days-retained <RetentionDaysValue> --account-name <StorageAccountName> --account-key <AccountKey> --enable true

Update the container soft delete retention with the command below:

az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days <days> --account-name <storageAccount> --resource-group <resourceGroup>
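The page does not show the evaluation logic behind this policy, so the following is an added example (not the policy's own code) of how the check can be expressed over the blob service properties of each storage account. It assumes the camelCase property names that `az storage account blob-service-properties show` returns (`deleteRetentionPolicy`, `containerDeleteRetentionPolicy`), the sample values are constructed, and the organisational minimum of 7 days is an assumed threshold, not something the page prescribes.

```python
"""Flag storage accounts whose blob or container soft delete is missing or too short."""
from typing import Dict, List, Optional

# Assumed organisational minimum; the page only states the allowed 1-365 day range.
MIN_RETENTION_DAYS = 7

# Constructed sample shaped like `az storage account blob-service-properties show`
# output for three accounts (values are made up for illustration).
SAMPLE_ACCOUNTS: Dict[str, dict] = {
    "stgood": {"deleteRetentionPolicy": {"enabled": True, "days": 14},
               "containerDeleteRetentionPolicy": {"enabled": True, "days": 14}},
    "stnoblob": {"deleteRetentionPolicy": {"enabled": False},
                 "containerDeleteRetentionPolicy": {"enabled": True, "days": 7}},
    "stshort": {"deleteRetentionPolicy": {"enabled": True, "days": 1},
                "containerDeleteRetentionPolicy": None},
}


def _check_policy(account: str, policy: Optional[dict], label: str) -> List[str]:
    """Return findings for one retention policy block (label is 'blob' or 'container')."""
    if not policy or not policy.get("enabled"):
        return [f"{account}: {label} soft delete is not enabled"]
    days = policy.get("days")
    if days is None or not 1 <= days <= 365:
        # Azure only accepts 1-365; anything else means the policy is misconfigured.
        return [f"{account}: {label} retention days {days!r} outside the 1-365 range"]
    if days < MIN_RETENTION_DAYS:
        return [f"{account}: {label} retention {days}d is below the required "
                f"{MIN_RETENTION_DAYS}d"]
    return []


def evaluate(props: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each storage account to its findings; an empty list means compliant."""
    findings: Dict[str, List[str]] = {}
    for account, p in props.items():
        issues = _check_policy(account, p.get("deleteRetentionPolicy"), "blob")
        issues += _check_policy(account, p.get("containerDeleteRetentionPolicy"), "container")
        findings[account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in evaluate(SAMPLE_ACCOUNTS).items():
        print(account, "COMPLIANT" if not issues else "; ".join(issues))
```

In practice the input dictionary would be built by running the `show` command once per storage account and parsing its JSON output.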

policy.yaml


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction;67no data
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing;44no data
💼 CIS Azure v1.3.0 → 💼 3.8 Ensure soft delete is enabled for Azure Storage - Level 1 (Automated)11no data
💼 CIS Azure v1.4.0 → 💼 3.8 Ensure Soft Delete is Enabled for Azure Storage - Level 1 (Automated)11no data
💼 CIS Azure v1.5.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated)11no data
💼 CIS Azure v2.0.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated)11no data
💼 CIS Azure v2.1.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated)11no data
💼 CIS Azure v3.0.0 → 💼 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated)1no data
💼 CIS Azure v4.0.0 → 💼 10.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled (Automated)1no data
💼 CIS Azure v4.0.0 → 💼 10.3.6 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated)1no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery18no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)5410no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)9no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)210no data
💼 ISO/IEC 27001:2013 → 💼 A.17.1.2 Implementing information security continuity33no data
💼 ISO/IEC 27001:2022 → 💼 8.13 Information backup12no data
💼 NIST CSF v1.1 → 💼 ID.BE-4: Dependencies and critical functions for delivery of critical services are established3no data
💼 NIST CSF v1.1 → 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)33no data
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested48no data
💼 NIST CSF v1.1 → 💼 PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed33no data
💼 NIST CSF v1.1 → 💼 PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations33no data
💼 NIST CSF v2.0 → 💼 GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated3no data
💼 NIST CSF v2.0 → 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated3no data
💼 NIST CSF v2.0 → 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved3no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested12no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations15no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication1824no data