Description
The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.
It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
Rationaleβ
Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the "Retention policies," ranging from 1 day to 365 days.
Impactβ
Additional storage costs may be incurred as snapshots are retained.
Auditβ
From Azure Portalβ
- Go to
Storage Accounts. - For each Storage Account, under
Data management, go toData protection. - Ensure that
Enable soft delete for blobsis checked. - Ensure that
Enable soft delete for containersis checked. - Ensure that the retention period for both is a sufficient length for your organization.
From Azure CLIβ
Blob Storage: Ensure that the output of the below command contains enabled status as true and days is not empty or null:
az storage blob service-properties delete-policy show --account-name <StorageAccountName> --account-key <accountkey>
Azure Containers: Make certain that the --enable-container-delete-retention is true:
az storage account blob-service-properties show --account-name <StorageAccountName> --resource-group <resourceGroup>
Default Valueβ
Soft delete for containers and blob storage is enabled by default on storage accounts created via the Azure Portal, and disabled by default on storage accounts created via Azure CLI or PowerShell.