turbot/steampipe-mod-azure-compliance

Control: 10.1.1 Ensure soft delete for Azure File Shares is Enabled

Description

Azure Files offers soft delete for file shares, allowing you to easily recover your data when it is mistakenly deleted by an application or another storage account user.

Important data could be accidentally deleted or removed by a malicious actor. With soft delete enabled, the data is retained for the defined retention period before permanent deletion, allowing for recovery of the data.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account with file shares, under Data storage, click File shares.
  3. Under File share settings, click the value next to Soft delete.
  4. Under Soft delete for all file shares, click the toggle to set it to Enabled.
  5. Under Retention policies, set an appropriate number of days to retain soft deleted data between 1 and 365, inclusive.
  6. Click Save.

From Azure CLI

For each storage account requiring remediation, run the following command to enable soft delete for file shares and set an appropriate number of days for deleted data to be retained, between 1 and 365, inclusive:

az storage account file-service-properties update --account-name <storage-account> --enable-delete-retention true --delete-retention-days <retention-days>

From PowerShell

For each storage account requiring remediation, run the following command to enable soft delete for file shares and set an appropriate number of days for deleted data to be retained, between 1 and 365, inclusive:

Update-AzStorageFileServiceProperty -ResourceGroupName <resource-group> -AccountName <storage-account> -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays <retention-days>
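The two remediation commands above act on one account at a time. As an added example (this is not the mod's own code and was not part of the original page), the following POSIX shell script walks every storage account visible to a logged-in Azure CLI, reads the file-share soft delete policy, and grades each account with the same ok/alarm rule the control uses (enabled and a retention between 1 and 365 days). It assumes the `az` CLI is authenticated; the function names, the `AUDIT` environment variable and the JMESPath expressions are this example's own choices, and the `shareDeleteRetentionPolicy` field name comes from the CLI's JSON output.

```shell
#!/bin/sh
# Added example, not part of the steampipe-mod-azure-compliance mod: audit every
# storage account in the current subscription for file-share soft delete, using
# the control's rule (enabled and retention between 1 and 365 days inclusive).
# Assumes a logged-in `az` CLI; AUDIT=1 triggers the live walk at the bottom.

# Pure check with no Azure calls. Prints "<status>|<reason>" and always returns 0
# so callers (and tests) can inspect the line even under `set -e`.
# Args: <account-name> <enabled flag as az prints it: True/False> <retention-days or empty>
evaluate_share_soft_delete() {
  name=$1
  enabled=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  days=$3
  if [ "$enabled" != "true" ]; then
    printf 'alarm|%s file share soft delete disabled.\n' "$name"
    return 0
  fi
  case $days in
    ''|*[!0-9]*)
      # Missing or non-numeric retention: the control's SQL would compare against NULL,
      # which can never satisfy "between 1 and 365", so this is an alarm as well.
      printf 'alarm|%s file share soft delete retention days (%s) not between 1 and 365.\n' \
        "$name" "${days:-null}"
      return 0 ;;
  esac
  if [ "$days" -lt 1 ] || [ "$days" -gt 365 ]; then
    printf 'alarm|%s file share soft delete retention days (%s) not between 1 and 365.\n' \
      "$name" "$days"
    return 0
  fi
  printf 'ok|%s file share soft delete enabled with %s days retention.\n' "$name" "$days"
}

# Fetch one account's policy and evaluate it. The --query yields one tsv line,
# "True<TAB>7" when enabled, "False<TAB>" when the policy is off.
check_storage_account() {
  name=$1; rg=$2
  policy=$(az storage account file-service-properties show \
      --account-name "$name" --resource-group "$rg" \
      --query 'shareDeleteRetentionPolicy.[enabled,days]' -o tsv)
  # Default IFS splits on the tab: $1 becomes the enabled flag, $2 the day count.
  set -- $policy
  evaluate_share_soft_delete "$name" "${1:-False}" "${2:-}"
}

# Walk every storage account in the subscription; returns 1 if any is in alarm.
audit_storage_accounts() {
  alarms=0
  for entry in $(az storage account list --query "[].join(',', [name, resourceGroup])" -o tsv); do
    result=$(check_storage_account "${entry%%,*}" "${entry#*,}")
    printf '%s\n' "$result"
    case $result in "alarm|"*) alarms=$((alarms + 1)) ;; esac
  done
  [ "$alarms" -eq 0 ]
}

# Remediation for one account: the control's CLI command, plus --resource-group,
# which the update command requires. Args: <account-name> <resource-group> <retention-days>
enable_share_soft_delete() {
  az storage account file-service-properties update \
    --account-name "$1" --resource-group "$2" \
    --enable-delete-retention true --delete-retention-days "$3"
}

# Usage: AUDIT=1 sh audit_file_share_soft_delete.sh
if [ "${AUDIT:-0}" = "1" ]; then
  audit_storage_accounts
fi
```

The grading logic is kept in `evaluate_share_soft_delete`, which makes no network calls, so it can be unit-tested offline and reused if the inventory is later taken from Steampipe output instead of `az`. Remediation is deliberately a separate function that nothing calls automatically; run it per account after reviewing the audit output, with a retention period that matches the organisation's recovery expectations.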

Default Value

Soft delete for file shares is enabled by default in a storage account's file share settings.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_10_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_1_1 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  -- ok only when soft delete is on and the retention period is within 1..365 days
  case
    when sa.file_soft_delete_enabled
      and sa.file_soft_delete_retention_days between 1 and 365 then 'ok'
    else 'alarm'
  end as status,
  case
    when not sa.file_soft_delete_enabled then sa.name || ' file share soft delete disabled.'
    when sa.file_soft_delete_retention_days < 1 or sa.file_soft_delete_retention_days > 365
      then sa.name || ' file share soft delete retention days (' || sa.file_soft_delete_retention_days || ') not between 1 and 365.'
    else sa.name || ' file share soft delete enabled with ' || sa.file_soft_delete_retention_days || ' days retention.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;

Tags