π Azure Storage Account Blob Service Versioning is not enabled π’
- Contextual name: π Blob Service Versioning is not enabled π’
- ID:
/ce/ca/azure/storage/blob-versioning - Located in: π Azure Storage
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
BEST_PRACTICE - Policy Category:
RELIABILITY
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Enabling blob versioning allows for the automatic retention of previous versions of objects. With blob versioning enabled, earlier versions of a blob are accessible for data recovery in the event of modifications or deletions.
Rationaleβ
Blob versioning safeguards data integrity and enables recovery by retaining previous versions of stored objects, facilitating quick restoration from accidental deletion, modification, or malicious activity.
Impactβ
Enabling blob versioning for a storage account creates a new version with each write operation to a blob, which can increase storage costs. To control these costs, a lifecycle management policy can be applied to automatically delete older versions.
Auditβ
This policy flags an Azure Storage Account as
INCOMPLIANTifBlob Versioningis set to Disabled.Default Valueβ
Blob versioning is disabled by default on storage accounts.
Referencesβ
- https://learn.microsoft.com/en-us/cli/azure/storage/account
- https://learn.microsoft.com/en-us/cli/azure/storage/account/blob-service-properties
... see more
Remediationβ
Remediationβ
From Azure Portalβ
- Go to
Storage accounts.- Click the name of a storage account with blob storage.
- In the
Overviewpage, on thePropertiestab, underBlob service, clickDisablednext toVersioning.- Under
Tracking, check the box next toEnable versioning for blobs.- Select the radio button next to
Keep all versions or Delete versions after (in days).- If selecting to delete versions, enter a number of in the box after which to delete blob versions.
- Click
Save.- Repeat steps 1-7 for each storage account with blob storage.
From Azure CLIβ
For each storage account requiring remediation, run the following command to enable blob versioning:
az storage account blob-service-properties update --account-name <storage-account> --enable-versioning trueFrom PowerShellβ
For each storage account requiring remediation, run the following command to enable blob versioning:
Update-AzStorageBlobServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -IsVersioningEnabled $true
... [see more](remediation.md)
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v4.0.0 β πΌ 10.2.2 Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Data Protection and Recovery | 15 |