🚀Launch Week 09, June 30th - July 4th, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1464Benchmarks
449Queries
2Variables
GitHub

Control: 10.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled

Description

Blobs in Azure storage accounts may contain sensitive or personal data, such as ePHI or financial information. Data that is erroneously modified or deleted by an application or a user can lead to data loss or unavailability.

It is recommended that soft delete be enabled on Azure storage accounts with blob storage to allow for the preservation and recovery of data when blobs or blob snapshots are deleted.

Blobs can be deleted incorrectly. An attacker or malicious user may do this deliberately in order to cause disruption. Deleting an Azure storage blob results in immediate data loss. Enabling this configuration for Azure storage accounts ensures that even if blobs are deleted from the storage account, the blobs are recoverable for a specific period of time, which is defined in the "Retention policies," ranging from 7 to 365 days.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each Storage Account with blob storage, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for blobs.
  4. Set the retention period to a sufficient length for your organization.
  5. Click Save.

From Azure CLI

For each storage account requiring remediation, run the following command to enable soft delete for blobs:

az storage blob service-properties delete-policy update --days-retained <retention-days> --account-name <storage-account> --enable true

Default Value

Soft delete for blob storage is enabled by default on storage accounts created via the Azure Portal, and disabled by default on storage accounts created via Azure CLI or PowerShell.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_10_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_2_1 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when blob_soft_delete_enabled and blob_soft_delete_retention_days between 7 and 365 then 'ok'
    else 'alarm'
  end as status,
  case
    when not blob_soft_delete_enabled then name || ' blob soft delete disabled.'
    when blob_soft_delete_retention_days < 7 or blob_soft_delete_retention_days > 365 
      then name || ' blob soft delete retention days (' || blob_soft_delete_retention_days || ') not between 7 and 365.'
    else name || ' blob soft delete enabled with ' || blob_soft_delete_retention_days || ' days retention.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 10.2.1
cis_level = 1
cis_section_id = 10.2
cis_type = automated
cis_version = v4.0.0
plugin = azure
service = Azure/Storage