🛡️ Azure Storage Account Blob Service Versioning is not enabled🟢

Description

Enabling blob versioning allows for the automatic retention of previous versions of objects. With blob versioning enabled, earlier versions of a blob are accessible for data recovery in the event of modifications or deletions.

Rationale

Blob versioning safeguards data integrity and enables recovery by retaining previous versions of stored objects, facilitating quick restoration from accidental deletion, modification, or malicious activity.

Impact

Enabling blob versioning for a storage account creates a new version with each write operation to a blob, which can increase storage costs. To control these costs, a lifecycle management policy can be applied to automatically delete older versions.

Audit

This policy flags an Azure Storage Account as INCOMPLIANT if Blob Versioning is set to Disabled.
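The same check can be run from the Azure CLI across every storage account in the current subscription. This is an added example, not the policy's own logic; the function names, the ERROR verdict and the `--audit` switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not the policy's own code): audit blob versioning per account.

# Map the isVersioningEnabled value to the policy verdict. An empty value or
# "None" means the property was never set, which is the disabled default.
versioning_status() {
  case "$1" in
    true|True|TRUE) echo COMPLIANT ;;
    *)              echo INCOMPLIANT ;;
  esac
}

# Look up isVersioningEnabled for one account (args: name, resource group).
# stdin is redirected so az cannot swallow the account list being iterated.
get_versioning() {
  az storage account blob-service-properties show \
    --account-name "$1" --resource-group "$2" \
    --query isVersioningEnabled -o tsv </dev/null 2>/dev/null
}

# Read "name<TAB>resource-group" lines on stdin and print
# "verdict<TAB>name<TAB>resource-group" for each account.
# A failed lookup is reported as ERROR rather than treated as compliant.
audit_accounts() {
  tab=$(printf '\t')
  while IFS="$tab" read -r name rg; do
    [ -n "$name" ] || continue
    if enabled=$(get_versioning "$name" "$rg"); then
      verdict=$(versioning_status "$enabled")
    else
      verdict=ERROR
    fi
    printf '%s\t%s\t%s\n' "$verdict" "$name" "$rg"
  done
}

# Run against the current subscription only when called with --audit.
if [ "${1:-}" = "--audit" ]; then
  az storage account list --query '[].[name, resourceGroup]' -o tsv | audit_accounts
fi
```

Accounts reported as ERROR need a manual look, since the blob service properties could not be read for them.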

Default Value

Blob versioning is disabled by default on storage accounts.

References

  1. https://learn.microsoft.com/en-us/cli/azure/storage/account
  2. https://learn.microsoft.com/en-us/cli/azure/storage/account/blob-service-properties

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account with blob storage.
  3. In the Overview page, on the Properties tab, under Blob service, click Disabled next to Versioning.
  4. Under Tracking, check the box next to Enable versioning for blobs.
  5. Select the radio button next to Keep all versions or Delete versions after (in days).
  6. If selecting to delete versions, enter the number of days in the box after which to delete blob versions.
  7. Click Save.
  8. Repeat steps 1-7 for each storage account with blob storage.

From Azure CLI

For each storage account requiring remediation, run the following command to enable blob versioning:

az storage account blob-service-properties update --account-name <storage-account> --enable-versioning true

From PowerShell

For each storage account requiring remediation, run the following command to enable blob versioning:

Update-AzStorageBlobServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -IsVersioningEnabled $true

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v4.0.0 → 💼 10.2.2 Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts (Automated) 1 no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery 16 no data