
🛡️ Azure Storage Blob Containers Soft Delete is not enabled🟢

  • Contextual name: 🛡️ Blob Containers Soft Delete is not enabled🟢
  • ID: /ce/ca/azure/storage/blob-containers-soft-delete
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-a8281d051

Description


Azure Storage blobs can contain data such as ePHI or financial records, which can be sensitive or personal. Data that is modified or deleted in error by an application or other storage account user can cause data loss or unavailability.

It is recommended that containers in Blob Storage be made recoverable by enabling the soft delete configuration. With blob soft delete enabled, deleted blobs, snapshots and versions are retained for the configured retention period and can be restored; container soft delete does the same for deleted containers.

Rationale

Containers and Blob Storage data can be deleted by mistake, and an attacker or malicious user may delete them deliberately to cause disruption. Without soft delete, deleting a blob or container is immediate and irreversible. Enabling soft delete on the storage account keeps deleted blobs, snapshots, versions and containers recoverable for the period set in the "Retention policies," from 1 day to 365 days. Soft delete does not protect against deletion of the storage account itself, and a principal with rights to change the account's blob service properties can turn it off, so combine it with a CanNotDelete resource lock on the account and tightly scoped write permissions.

Impact

Additional storage costs are incurred because soft-deleted blobs, snapshots, versions and containers are retained and billed for the whole retention period, so a longer retention window costs more.

Audit

This policy flags an Azure Storage Account as INCOMPLIANT if either the Blob Retention Policy State or the Container Retention Policy State is not set to Enabled, or if either of the corresponding Retention Policy Days values is empty. Both policies must be enabled with a retention period for the account to be compliant.


Remediation


From Azure Portal

  1. Go to Storage Accounts.
  2. For each Storage Account, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for blobs.
  4. Check the box next to Enable soft delete for containers.
  5. Set the retention period for both to a sufficient length for your organization.
  6. Click Save.

From Azure CLI

Enable blob soft delete and set its retention period with the following command (this is a data-plane command and requires the storage account key):

az storage blob service-properties delete-policy update \
--days-retained {{retention-days}} \
--account-name {{storage-account-name}} \
--account-key {{storage-account-key}} \
--enable true

Enable container soft delete and set its retention period with the following command (a control-plane command authorized through Azure RBAC, no account key needed):

az storage account blob-service-properties update \
--enable-container-delete-retention true \
--container-delete-retention-days {{retention-days}} \
--account-name {{storage-account-name}} \
--resource-group {{resource-group-name}}
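The following Python script is an added example, not part of this policy page or its policy.yaml. It reproduces the audit rule above (both retention policies must be Enabled with a non-empty Days value) over constructed sample data shaped like the JSON that az storage account blob-service-properties show returns, with its deleteRetentionPolicy and containerDeleteRetentionPolicy blocks, and prints the az command that brings each non-compliant account into line. The account names, resource groups and retention values are invented for the example; it also rejects a Days value outside the 1 to 365 range Azure accepts, which goes slightly beyond the page's empty-value check.

```python
"""Offline audit of Azure Storage blob/container soft-delete settings.

Added example: evaluates blob-service properties against the policy's
audit rule and emits remediation commands. Input mirrors the shape of
`az storage account blob-service-properties show` output; all values
below are constructed for the example.
"""
import json

# Constructed sample data keyed by (account name, resource group).
SAMPLE_ACCOUNTS = {
    # Compliant: both policies enabled with a retention window.
    ("stpayrollprod", "rg-finance"): {
        "deleteRetentionPolicy": {"enabled": True, "days": 14,
                                  "allowPermanentDelete": False},
        "containerDeleteRetentionPolicy": {"enabled": True, "days": 14},
    },
    # Blob soft delete disabled and the container policy block absent.
    ("stlegacyapp", "rg-legacy"): {
        "deleteRetentionPolicy": {"enabled": False, "days": None,
                                  "allowPermanentDelete": False},
    },
    # Both enabled, but the container retention days were left empty.
    ("stresearch", "rg-data"): {
        "deleteRetentionPolicy": {"enabled": True, "days": 7},
        "containerDeleteRetentionPolicy": {"enabled": True, "days": None},
    },
}

# Label -> property key as returned by the az CLI / ARM BlobServiceProperties.
POLICIES = {
    "blob": "deleteRetentionPolicy",
    "container": "containerDeleteRetentionPolicy",
}


def check_policy(props, key):
    """Return finding codes for one retention policy block.

    A missing block counts as not enabled with empty days, matching how
    the policy treats an account that never had soft delete configured.
    """
    policy = props.get(key) or {}
    findings = []
    if policy.get("enabled") is not True:
        findings.append("not_enabled")
    days = policy.get("days")
    if days in (None, ""):
        findings.append("days_empty")
    elif not isinstance(days, int) or not 1 <= days <= 365:
        # Azure only accepts 1..365; anything else is a misconfiguration.
        findings.append("days_out_of_range")
    return findings


def evaluate(props):
    """Apply the audit rule to one account's blob-service properties."""
    findings = {}
    for label, key in POLICIES.items():
        result = check_policy(props, key)
        if result:
            findings[label] = result
    return {"compliant": not findings, "findings": findings}


def remediation_command(account, resource_group, days=14):
    """Control-plane az command enabling both soft-delete policies at once."""
    return (
        "az storage account blob-service-properties update "
        f"--account-name {account} --resource-group {resource_group} "
        f"--enable-delete-retention true --delete-retention-days {days} "
        "--enable-container-delete-retention true "
        f"--container-delete-retention-days {days}"
    )


def audit(accounts, days=14):
    """Evaluate every account; attach a remediation command where needed."""
    report = {}
    for (name, rg), props in accounts.items():
        result = evaluate(props)
        if not result["compliant"]:
            result["remediation"] = remediation_command(name, rg, days)
        report[name] = result
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACCOUNTS), indent=2))
```

To run this against real accounts, feed it the output of az storage account blob-service-properties show for each account instead of SAMPLE_ACCOUNTS. The emitted remediation uses the control-plane update command for both settings, so it is authorized through Azure RBAC and never handles the storage account key, unlike the data-plane delete-policy command shown above for blob retention.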

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction;67no data
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing;44no data
💼 CIS Azure v1.3.0 → 💼 3.8 Ensure soft delete is enabled for Azure Storage - Level 1 (Automated)11no data
💼 CIS Azure v1.4.0 → 💼 3.8 Ensure Soft Delete is Enabled for Azure Storage - Level 1 (Automated)11no data
💼 CIS Azure v1.5.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated)11no data
💼 CIS Azure v2.0.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated)11no data
💼 CIS Azure v2.1.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated)11no data
💼 CIS Azure v3.0.0 → 💼 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated)1no data
💼 CIS Azure v4.0.0 → 💼 10.3.6 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated)1no data
💼 CIS Azure v5.0.0 → 💼 9.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled (Automated)1no data
💼 CIS Azure v5.0.0 → 💼 9.2.2 Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled (Automated)1no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery23no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)5414no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)12no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)214no data
💼 ISO/IEC 27001:2013 → 💼 A.17.1.2 Implementing information security continuity33no data
💼 ISO/IEC 27001:2022 → 💼 8.13 Information backup12no data
💼 NIST CSF v1.1 → 💼 ID.BE-4: Dependencies and critical functions for delivery of critical services are established3no data
💼 NIST CSF v1.1 → 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)33no data
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested48no data
💼 NIST CSF v1.1 → 💼 PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed33no data
💼 NIST CSF v1.1 → 💼 PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations33no data
💼 NIST CSF v2.0 → 💼 GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated3no data
💼 NIST CSF v2.0 → 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated3no data
💼 NIST CSF v2.0 → 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved3no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested15no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations21no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication1824no data