
🛡️ Azure Storage Blob Containers Soft Delete is not enabled 🟢

  • Contextual name: 🛡️ Blob Containers Soft Delete is not enabled 🟢
  • ID: /ce/ca/azure/storage/blob-containers-soft-delete
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-a8281d052

Description

Azure Storage containers can contain data such as ePHI or financial records, which can be sensitive or personal. Data that is modified or deleted in error by an application or other storage account user can cause data loss or unavailability.

It is recommended that Blob Storage containers be made recoverable by enabling the soft delete for containers setting. With it enabled, a deleted container is retained rather than discarded, so it can be restored during the retention period.

Rationale

Containers can be deleted incorrectly. An attacker or malicious user may do this deliberately to cause disruption. Deleting a container causes immediate data loss. Enabling this configuration for Azure Storage ensures that even if containers are deleted from the storage account, those containers are recoverable for a defined retention period.

Impact

Additional storage costs may be incurred as snapshots are retained.

Audit

This policy flags an Azure Storage Account as INCOMPLIANT if the Container Retention Policy State is not set to Enabled, or if Container Retention Policy Days is empty.


Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each Storage Account, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for containers.
  4. Set the retention period to a sufficient length for your organization.
  5. Click Save.

From Azure CLI

Update container retention with the following command:

az storage account blob-service-properties update \
    --enable-container-delete-retention true \
    --container-delete-retention-days {{retention-days}} \
    --account-name {{storage-account-name}} \
    --resource-group {{resource-group-name}}
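As an added example (not part of the Cloudaware policy or of Azure's own tooling), the following Python applies the audit condition above to the JSON that `az storage account blob-service-properties show` returns for each storage account, and builds the remediation command from the Remediation section for every account that fails. The field names `containerDeleteRetentionPolicy.enabled` / `.days` are assumed to match the CLI's JSON output, and the account records in `SAMPLE_ACCOUNTS` are constructed to cover the three failure modes the audit names: policy disabled, retention days empty, and no policy present at all.

```python
"""Audit helper for the "Blob Containers Soft Delete is not enabled" check.

Added example, not Cloudaware's or Microsoft's code. Assumes the JSON shape
of `az storage account blob-service-properties show`, i.e. a top-level
"containerDeleteRetentionPolicy" object with "enabled" and "days".
"""
import shlex

# Constructed sample input: what a collector might have gathered per account.
SAMPLE_ACCOUNTS = [
    {"name": "salesdata01", "resourceGroup": "rg-prod",
     "blobServiceProperties": {"containerDeleteRetentionPolicy": {"enabled": True, "days": 7}}},
    {"name": "legacyarchive", "resourceGroup": "rg-prod",
     "blobServiceProperties": {"containerDeleteRetentionPolicy": {"enabled": False, "days": 7}}},
    {"name": "newaccount", "resourceGroup": "rg-dev",
     "blobServiceProperties": {"containerDeleteRetentionPolicy": {"enabled": True}}},  # days empty
    {"name": "nopolicy", "resourceGroup": "rg-dev",
     "blobServiceProperties": {}},  # property never set on this account
]


def is_compliant(props):
    """True only if container soft delete is Enabled AND a retention-days value is set.

    Mirrors the audit text: state not Enabled -> INCOMPLIANT; days empty -> INCOMPLIANT.
    A missing policy object is treated as "not Enabled".
    """
    policy = props.get("containerDeleteRetentionPolicy") or {}
    if policy.get("enabled") is not True:
        return False
    days = policy.get("days")
    if days is None or days == "":
        return False
    return True


def audit(accounts):
    """Return (name, resourceGroup, status) for each account, status in {COMPLIANT, INCOMPLIANT}."""
    findings = []
    for acct in accounts:
        status = "COMPLIANT" if is_compliant(acct["blobServiceProperties"]) else "INCOMPLIANT"
        findings.append((acct["name"], acct["resourceGroup"], status))
    return findings


def remediation_command(account_name, resource_group, retention_days):
    """Build the `az storage account blob-service-properties update` call from the page.

    Azure accepts 1..365 days for container delete retention; reject anything else
    so a typo does not produce a command that fails only once run against Azure.
    """
    retention_days = int(retention_days)
    if not 1 <= retention_days <= 365:
        raise ValueError("retention days must be between 1 and 365")
    return (
        "az storage account blob-service-properties update "
        "--enable-container-delete-retention true "
        f"--container-delete-retention-days {retention_days} "
        f"--account-name {shlex.quote(account_name)} "
        f"--resource-group {shlex.quote(resource_group)}"
    )


def remediation_plan(accounts, retention_days):
    """Commands for every INCOMPLIANT account, in audit order."""
    return [
        remediation_command(name, rg, retention_days)
        for name, rg, status in audit(accounts)
        if status == "INCOMPLIANT"
    ]


if __name__ == "__main__":
    for name, rg, status in audit(SAMPLE_ACCOUNTS):
        print(f"{status:<12} {rg}/{name}")
    print()
    for cmd in remediation_plan(SAMPLE_ACCOUNTS, retention_days=14):
        print(cmd)
```

The retention length passed to `remediation_plan` is an organizational choice (the portal steps say "sufficient length for your organization"); the script only refuses values outside Azure's accepted range rather than picking one for you.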

policy.yaml


Linked Framework Sections

Section | Sub Section | Internal Rules / Policies / Flags | Compliance
💼 APRA CPG 234 | 💼 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction; | 67 | no data
💼 APRA CPG 234 | 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing; | 45 | no data
💼 CIS Azure v2.1.0 | 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated) | 1 | no data
💼 CIS Azure v3.0.0 | 💼 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | 1 | no data
💼 CIS Azure v4.0.0 | 💼 10.3.6 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | 1 | no data
💼 CIS Azure v5.0.0 | 💼 9.2.2 Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled (Automated) | 1 | no data
💼 CIS Azure v6.0.0 | 💼 9.2.2 Ensure that Soft Delete for Containers on Azure Blob Storage Storage Accounts is Enabled (Automated) | 1 | no data
💼 Cloudaware Framework | 💼 Data Protection and Recovery | 26 | no data
💼 Cloudaware Framework | 💼 System Configuration | 61 | no data
💼 FedRAMP High Security Controls | 💼 CP-9 System Backup (L)(M)(H) | 5416 | no data
💼 FedRAMP Low Security Controls | 💼 CP-9 System Backup (L)(M)(H) | 14 | no data
💼 FedRAMP Moderate Security Controls | 💼 CP-9 System Backup (L)(M)(H) | 216 | no data
💼 ISO/IEC 27001:2013 | 💼 A.17.1.2 Implementing information security continuity | 34 | no data
💼 ISO/IEC 27001:2022 | 💼 8.13 Information backup | 13 | no data
💼 NIST CSF v1.1 | 💼 ID.BE-4: Dependencies and critical functions for delivery of critical services are established | 4 | no data
💼 NIST CSF v1.1 | 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | 34 | no data
💼 NIST CSF v1.1 | 💼 PR.IP-4: Backups of information are conducted, maintained, and tested | 510 | no data
💼 NIST CSF v1.1 | 💼 PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 45 | no data
💼 NIST CSF v1.1 | 💼 PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | 34 | no data
💼 NIST CSF v2.0 | 💼 GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated | 4 | no data
💼 NIST CSF v2.0 | 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | 4 | no data
💼 NIST CSF v2.0 | 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | 5 | no data
💼 NIST CSF v2.0 | 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested | 18 | no data
💼 NIST CSF v2.0 | 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | 22 | no data
💼 SOC 2 | 💼 CC6.1-8 Manages Identification and Authentication | 1825 | no data