🛡️ Azure Storage File Shares Soft Delete is not enabled🟢

Description

Azure Files offers soft delete for file shares, allowing you to easily recover your data when it is mistakenly deleted by an application or another storage account user.

Rationale

Important data could be accidentally deleted or removed by a malicious actor. With soft delete enabled, the data is retained for the defined retention period before permanent deletion, allowing for recovery of the data.

Impact

When a file share is soft-deleted, the used portion of the storage is charged for the indicated soft-deleted period. No other meters are charged unless the share is restored.

Audit

This policy flags an Azure Storage file share as INCOMPLIANT if the Share Delete Retention Policy Status is either empty or Disabled, or if the Share Delete Retention Policy Days value is empty.

Default Value

Soft delete is enabled by default at the storage account file share setting level.

References

  1. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-enable-soft-delete
  2. https://learn.microsoft.com/en-us/cli/azure/storage/account/file-service-properties

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. For each storage account with file shares, under Data storage, click File shares.
  3. Under File share settings, click the value next to Soft delete.
  4. Under Soft delete for all file shares, click the toggle to set it to Enabled.
  5. Under Retention policies, set an appropriate number of days to retain soft deleted data between 1 and 365, inclusive.
  6. Click Save.

From Azure CLI

For each storage account requiring remediation, run the following command to enable soft delete for file shares and set an appropriate number of days for deleted data to be retained, between 1 and 365, inclusive:

az storage account file-service-properties update --account-name <storage-account> --enable-delete-retention true --delete-retention-days <retention-days>
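The audit rule above and the CLI remediation can be exercised offline. The following is an added example, not part of the policy page or of Cloudaware's own code: it evaluates the rule over the `shareDeleteRetentionPolicy` object that `az storage account file-service-properties show` returns for each account (the sample documents are constructed), and additionally rejects a days value outside the 1 to 365 range the remediation text gives.

```python
"""Evaluate the file-share soft-delete audit rule over file-service properties JSON.

Added example, not from the original policy page. Input shape follows the ARM
`shareDeleteRetentionPolicy` object returned by
`az storage account file-service-properties show`; the SAMPLES below are constructed.
"""
import json

MIN_DAYS, MAX_DAYS = 1, 365  # retention range given in the remediation steps


def evaluate(props: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one storage account's file service properties.

    Mirrors the page's audit rule: INCOMPLIANT when the retention policy status is
    empty or disabled, or when the retention days value is empty. The range check
    is an addition beyond the stated rule.
    """
    policy = props.get("shareDeleteRetentionPolicy") or {}
    enabled = policy.get("enabled")
    days = policy.get("days")
    if enabled is None:
        return "INCOMPLIANT", "share delete retention policy status is empty"
    if enabled is False:
        return "INCOMPLIANT", "share delete retention policy is disabled"
    if days is None:
        return "INCOMPLIANT", "share delete retention days is empty"
    if not MIN_DAYS <= days <= MAX_DAYS:
        return "INCOMPLIANT", f"retention days {days} outside {MIN_DAYS}-{MAX_DAYS}"
    return "COMPLIANT", f"soft delete enabled, {days} day retention"


def remediation_command(account: str, days: int = 7) -> str:
    """Build the Azure CLI command the page gives for fixing a flagged account."""
    return (
        "az storage account file-service-properties update "
        f"--account-name {account} --enable-delete-retention true "
        f"--delete-retention-days {days}"
    )


# Constructed sample CLI outputs for three hypothetical storage accounts.
SAMPLES = {
    "stgcompliant": '{"shareDeleteRetentionPolicy": {"enabled": true, "days": 14}}',
    "stgdisabled": '{"shareDeleteRetentionPolicy": {"enabled": false, "days": 7}}',
    "stgnopolicy": '{"shareDeleteRetentionPolicy": {}}',
}


def audit_all(samples: dict) -> dict:
    """Map each account name to its (verdict, reason)."""
    return {name: evaluate(json.loads(doc)) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in audit_all(SAMPLES).items():
        print(f"{name}: {verdict} ({reason})")
        if verdict != "COMPLIANT":
            print("  fix:", remediation_command(name))
```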

From PowerShell

For each storage account requiring remediation, run the following command to enable soft delete for file shares and set an appropriate number of days for deleted data to be retained, between 1 and 365, inclusive:

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v4.0.0 → 💼 10.1.1 Ensure soft delete for Azure File Shares is Enabled (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery | 16 | no data