📁 Azure Storage Blob Containers Soft Delete is not enabled 🟢

  • Contextual name: 📁 Blob Containers Soft Delete is not enabled 🟢
  • ID: /ce/ca/azure/storage/blob-containers-soft-delete
  • Located in: 📁 Azure Storage

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-a8281d051 | |

Logic

Description

Azure Storage blobs often hold sensitive or personal data such as ePHI or financial records. Data that is erroneously modified or deleted by an application or by another storage account user results in data loss or unavailability.

It is recommended that both the blobs themselves and the containers that hold them be made recoverable by enabling soft delete. Soft delete retains deleted blobs, blob snapshots and containers so that they can be restored within the configured retention period.

Rationale

Container and blob data can be deleted by mistake, and an attacker or malicious user may delete it deliberately to cause disruption. Without soft delete, deleting an Azure Storage blob causes immediate, permanent data loss. With soft delete enabled, blobs and containers deleted from the storage account remain recoverable for the period set in the retention policy, which ranges from 1 day to 365 days.

Impact

Additional storage costs may be incurred because soft-deleted data and snapshots are retained for the full retention period.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each Storage Account, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for blobs.
  4. Check the box next to Enable soft delete for containers.
  5. Set the retention period for both to a sufficient length for your organization.
  6. Click Save.

From Azure CLI

Enable blob soft delete and set its retention (in days) with the command below:

az storage blob service-properties delete-policy update --days-retained <RetentionDaysValue> --account-name <StorageAccountName> --account-key <AccountKey> --enable true

Enable container soft delete and set its retention with the command below:

az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days <days> --account-name <storageAccount> --resource-group <resourceGroup>
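To verify the setting before and after remediation, the following is an added Python check (not part of this policy page or of Cloudaware's rule logic) that evaluates the JSON returned by `az storage account blob-service-properties show` for both conditions this policy covers; the sample outputs and the 7-day organisational minimum are constructed assumptions.

```python
"""Evaluate an Azure storage account's blob-service properties against the
soft-delete policy: blob AND container soft delete enabled, retention in range."""
import json

# Assumed organisational minimum; the policy only requires 1-365 days.
MIN_RETENTION_DAYS = 7


def soft_delete_findings(props: dict, min_days: int = MIN_RETENTION_DAYS) -> list[str]:
    """Return a list of findings; an empty list means the account is compliant.

    `props` is the parsed JSON of
      az storage account blob-service-properties show --account-name <n> --resource-group <rg>
    which exposes `deleteRetentionPolicy` (blobs) and
    `containerDeleteRetentionPolicy` (containers), each with `enabled` and `days`.
    """
    findings = []
    for key, label in (("deleteRetentionPolicy", "blob"),
                       ("containerDeleteRetentionPolicy", "container")):
        policy = props.get(key) or {}
        if not policy.get("enabled"):
            findings.append(f"{label} soft delete is not enabled")
            continue
        days = policy.get("days") or 0  # `days` is null when the policy is disabled
        if not 1 <= days <= 365:
            findings.append(f"{label} retention {days} outside 1-365 days")
        elif days < min_days:
            findings.append(f"{label} retention {days} days below minimum {min_days}")
    return findings


# Constructed sample outputs (not captured from a real account).
NON_COMPLIANT = json.loads('''{
  "deleteRetentionPolicy": {"enabled": true, "days": 3},
  "containerDeleteRetentionPolicy": {"enabled": false, "days": null}
}''')
COMPLIANT = json.loads('''{
  "deleteRetentionPolicy": {"enabled": true, "days": 30},
  "containerDeleteRetentionPolicy": {"enabled": true, "days": 30}
}''')

if __name__ == "__main__":
    for name, props in (("noncompliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        f = soft_delete_findings(props)
        print(name, "PASS" if not f else "FAIL: " + "; ".join(f))
```

Pipe the real `show` output into `json.load` in place of the constructed samples to audit every storage account in a subscription.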


Linked Framework Sections

Section | Sub Section | Internal Rules / Policies / Flags
💼 APRA CPG 234 → 💼 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction; | 67
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing; | 44
💼 CIS Azure v1.3.0 → 💼 3.8 Ensure soft delete is enabled for Azure Storage - Level 1 (Automated) | 11
💼 CIS Azure v1.4.0 → 💼 3.8 Ensure Soft Delete is Enabled for Azure Storage - Level 1 (Automated) | 11
💼 CIS Azure v1.5.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated) | 11
💼 CIS Azure v2.0.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated) | 11
💼 CIS Azure v2.1.0 → 💼 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Level 1 (Automated) | 11
💼 CIS Azure v3.0.0 → 💼 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | 1
💼 Cloudaware Framework → 💼 Data Protection and Recovery | 10
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 556
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 6
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 26
💼 ISO/IEC 27001:2013 → 💼 A.17.1.2 Implementing information security continuity | 33
💼 ISO/IEC 27001:2022 → 💼 8.13 Information backup | 11
💼 NIST CSF v1.1 → 💼 ID.BE-4: Dependencies and critical functions for delivery of critical services are established | 4
💼 NIST CSF v1.1 → 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | 44
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested | 55
💼 NIST CSF v1.1 → 💼 PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 33
💼 NIST CSF v1.1 → 💼 PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | 44
💼 NIST CSF v2.0 → 💼 GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated | 4
💼 NIST CSF v2.0 → 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | 4
💼 NIST CSF v2.0 → 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | 3
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested | 6
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | 5