Azure Storage Blob Soft Delete is not enabled

Policy ID: dec-x-a8281d052

Description

Azure Storage blobs can contain data such as ePHI or financial records, which can be sensitive or personal. Data that is modified or deleted in error by an application or other storage account user can cause data loss or unavailability.

It is recommended that Azure Storage blobs be made recoverable by enabling the soft delete for blobs configuration. This saves and recovers data when blobs or blob snapshots are deleted.

Rationale

Blobs can be deleted incorrectly. An attacker or malicious user may do this deliberately to cause disruption. Deleting a blob causes immediate data loss. Enabling this configuration for Azure Storage ensures that deleted blobs and blob snapshots are recoverable for a defined retention period.

Impact

Additional storage costs may be incurred as deleted blobs and snapshots are retained.

Audit

This policy flags an Azure Storage Account as NON-COMPLIANT if the Blob Retention Policy State is not set to Enabled, or if Blob Retention Policy Days is empty.
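The same check, as an added example that is not part of this policy page or its policy.yaml: it evaluates the JSON that `az storage account blob-service-properties show` returns (assumed shape: a top-level "deleteRetentionPolicy" object with "enabled" and "days"), and adds an organisational minimum-retention threshold that the policy itself does not require.

```python
"""Audit blob soft delete from blob-service-properties JSON (example, not the
policy's own code). Assumed key shape: {"deleteRetentionPolicy": {"enabled":
bool, "days": int|null}} as emitted by `az storage account
blob-service-properties show`."""
import json


def evaluate_blob_soft_delete(props: dict, min_days: int = 7) -> dict:
    """Return {"compliant": bool, "reason": str} for one storage account.
    The policy requires state Enabled and a non-empty day count; min_days is
    an extra threshold added in this example (hypothetical value)."""
    policy = props.get("deleteRetentionPolicy") or {}
    enabled = policy.get("enabled")
    days = policy.get("days")
    if enabled is not True:
        return {"compliant": False, "reason": "delete retention policy state is not Enabled"}
    if days is None:
        return {"compliant": False, "reason": "delete retention days is empty"}
    if days < min_days:
        return {"compliant": False,
                "reason": f"retention of {days} days is below the {min_days}-day minimum"}
    return {"compliant": True, "reason": f"soft delete enabled with {days}-day retention"}


def audit(accounts: dict) -> dict:
    """accounts maps account name -> properties (JSON string or dict); returns name -> verdict."""
    return {name: evaluate_blob_soft_delete(json.loads(raw) if isinstance(raw, str) else raw)
            for name, raw in accounts.items()}


# Constructed sample CLI output for three accounts (not captured from a real tenant).
SAMPLE_ACCOUNTS = {
    "stprodrecords": '{"deleteRetentionPolicy": {"allowPermanentDelete": null, "days": 14, "enabled": true}}',
    "stlegacylogs": '{"deleteRetentionPolicy": {"allowPermanentDelete": null, "days": null, "enabled": false}}',
    "stscratch": '{"deleteRetentionPolicy": {"allowPermanentDelete": null, "days": 1, "enabled": true}}',
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ACCOUNTS).items():
        state = "COMPLIANT" if verdict["compliant"] else "NON-COMPLIANT"
        print(f"{name}: {state} ({verdict['reason']})")
```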


Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each Storage Account, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for blobs.
  4. Set the retention period to a sufficient length for your organization.
  5. Click Save.

From Azure CLI

Update blob retention with the following command:

az storage account blob-service-properties update \
--enable-delete-retention true \
--delete-retention-days {{retention-days}} \
--account-name {{storage-account-name}} \
--resource-group {{resource-group-name}}

Linked Framework Sections

Framework → Section

APRA CPG 234 → 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction;
APRA CPG 234 → 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing;
CIS Azure v4.0.0 → 10.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled (Automated)
CIS Azure v5.0.0 → 9.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled (Automated)
CIS Azure v6.0.0 → 9.2.1 Ensure That Soft Delete for Blobs on Azure Blob Storage Storage Accounts is Enabled (Automated)
Cloudaware Framework → Data Protection and Recovery
Cloudaware Framework → System Configuration
FedRAMP High Security Controls → CP-9 System Backup (L)(M)(H)
FedRAMP Low Security Controls → CP-9 System Backup (L)(M)(H)
FedRAMP Moderate Security Controls → CP-9 System Backup (L)(M)(H)
ISO/IEC 27001:2013 → A.17.1.2 Implementing information security continuity
ISO/IEC 27001:2022 → 8.13 Information backup
NIST CSF v1.1 → ID.BE-4: Dependencies and critical functions for delivery of critical services are established
NIST CSF v1.1 → ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
NIST CSF v1.1 → PR.IP-4: Backups of information are conducted, maintained, and tested
NIST CSF v1.1 → PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
NIST CSF v1.1 → PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
NIST CSF v2.0 → GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
NIST CSF v2.0 → GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
NIST CSF v2.0 → ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
NIST CSF v2.0 → PR.DS-11: Backups of data are created, protected, maintained, and tested
NIST CSF v2.0 → PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
SOC 2 → CC6.1-8 Manages Identification and Authentication