Azure Storage File Shares Soft Delete is not enabled
- Contextual name: File Shares Soft Delete is not enabled
- ID: /ce/ca/azure/storage/soft-delete-for-azure-file-shares
- Located in: Azure Storage
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: RELIABILITY
Logic
- prod.logic.yaml
Description
Azure Files offers soft delete for file shares, allowing you to easily recover your data when it is mistakenly deleted by an application or another storage account user.
Rationale
Important data could be accidentally deleted or removed by a malicious actor. With soft delete enabled, the data is retained for the defined retention period before permanent deletion, allowing for recovery of the data.
Impact
When a file share is soft-deleted, the used portion of the storage is charged for the indicated soft-deleted period. No other meters are charged unless the share is restored.
Audit
This policy flags an Azure Storage File Share as INCOMPLIANT if Share Delete Retention Policy Status is either empty or Disabled, or if Share Delete Retention Policy Days is empty.
Default Value
Soft delete is enabled by default at the storage account file share setting level.
References
- https://learn.microsoft.com/en-us/azure/storage/files/storage-files-enable-soft-delete
- https://learn.microsoft.com/en-us/cli/azure/storage/account/file-service-properties
Remediation
From Azure Portal
- Go to Storage accounts.
- For each storage account with file shares, under Data storage, click File shares.
- Under File share settings, click the value next to Soft delete.
- Under Soft delete for all file shares, click the toggle to set it to Enabled.
- Under Retention policies, set an appropriate number of days to retain soft deleted data between 1 and 365, inclusive.
- Click Save.
From Azure CLI
For each storage account requiring remediation, run the following command to enable soft delete for file shares and set an appropriate number of days for deleted data to be retained, between 1 and 365, inclusive:
az storage account file-service-properties update --account-name <storage-account> --enable-delete-retention true --delete-retention-days <retention-days>
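The audit rule above can be evaluated offline against the JSON that `az storage account file-service-properties show` prints, and the update command above can be generated for every account that fails. The following is an added example, not Cloudaware's prod.logic.yaml and not Microsoft's tooling; it assumes the CLI output carries a top-level "shareDeleteRetentionPolicy" object with "enabled" and "days" keys, and the four sample outputs and account names are constructed placeholders.

```python
"""Evaluate this page's audit rule on `az storage account
file-service-properties show` output and emit the remediation command.

Added example (not the policy's own logic). Assumption: the CLI JSON has a
"shareDeleteRetentionPolicy" object with "enabled" and "days".
"""
import json

# Constructed sample outputs keyed by a placeholder storage account name.
SAMPLE_OUTPUTS = {
    "stgcompliant": '{"shareDeleteRetentionPolicy": {"enabled": true, "days": 14}}',
    "stgdisabled": '{"shareDeleteRetentionPolicy": {"enabled": false, "days": 7}}',
    "stgnodays": '{"shareDeleteRetentionPolicy": {"enabled": true, "days": null}}',
    "stgnopolicy": '{}',
}


def is_compliant(properties_json: str) -> bool:
    """Return False when the page's rule flags the account INCOMPLIANT:
    retention policy status empty or Disabled, or retention days empty."""
    props = json.loads(properties_json)
    policy = props.get("shareDeleteRetentionPolicy") or {}
    enabled = policy.get("enabled")   # None = status empty, False = Disabled
    days = policy.get("days")         # None = days empty
    return bool(enabled) and days is not None


def remediation_command(account: str, retention_days: int) -> str:
    """Build the az command quoted on this page for one storage account."""
    if not 1 <= retention_days <= 365:
        raise ValueError("retention days must be between 1 and 365, inclusive")
    return (
        "az storage account file-service-properties update "
        f"--account-name {account} --enable-delete-retention true "
        f"--delete-retention-days {retention_days}"
    )


def audit(outputs: dict, retention_days: int = 14) -> dict:
    """Map each INCOMPLIANT account to the command that would remediate it."""
    return {
        name: remediation_command(name, retention_days)
        for name, doc in outputs.items()
        if not is_compliant(doc)
    }


if __name__ == "__main__":
    for name, cmd in audit(SAMPLE_OUTPUTS).items():
        print(f"{name}: INCOMPLIANT -> {cmd}")
```

In practice the JSON for each account would be fetched with the show subcommand and fed to `is_compliant`; the retention days passed to `audit` should match the period your recovery objectives require, within the 1 to 365 range the page gives.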
From PowerShell
For each storage account requiring remediation, run the following command to enable soft delete for file shares and set an appropriate number of days for deleted data to be retained, between 1 and 365, inclusive:
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v4.0.0 → 10.1.1 Ensure soft delete for Azure File Shares is Enabled (Automated) | 1 | | |
Cloudaware Framework → Data Protection and Recovery | 15 | | |