turbot/steampipe-mod-azure-compliance

Control: 10.2.2 Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts

Description

Enabling blob versioning allows for the automatic retention of previous versions of objects. With blob versioning enabled, earlier versions of a blob are accessible for data recovery in the event of modifications or deletions.

Blob versioning safeguards data integrity and enables recovery by retaining previous versions of stored objects, facilitating quick restoration from accidental deletion, modification, or malicious activity.

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account with blob storage.
  3. In the Overview page, on the Properties tab, under Blob service, click Disabled next to Versioning.
  4. Under Tracking, check the box next to Enable versioning for blobs.
  5. Select the radio button next to Keep all versions or Delete versions after (in days).
  6. If selecting to delete versions, enter a number of days in the box after which to delete blob versions.
  7. Click Save.
  8. Repeat steps 1-7 for each storage account with blob storage.

From Azure CLI

For each storage account requiring remediation, run the following command to enable blob versioning:

az storage account blob-service-properties update --account-name <storage-account> --enable-versioning true

From PowerShell

For each storage account requiring remediation, run the following command to enable blob versioning:

Update-AzStorageBlobServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -IsVersioningEnabled $true

Default Value

Blob versioning is disabled by default on storage accounts.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_10_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_2_2 --share

SQL

This control uses a named query:

with storage_accounts as materialized (
  select
    name as storage_account_name,
    id,
    resource_group
  from
    azure_storage_account
),
blob_services as materialized (
  select
    storage_account_name,
    is_versioning_enabled,
    resource_group
  from
    azure_storage_blob_service
)
select
  sa.id as resource,
  case
    when bs.is_versioning_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when bs.is_versioning_enabled then sa.storage_account_name || ' has blob versioning enabled.'
    else sa.storage_account_name || ' has blob versioning disabled.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  storage_accounts sa
  left join blob_services bs on sa.storage_account_name = bs.storage_account_name
  left join azure_subscription sub on sub.subscription_id = (split_part(sa.id, '/', 3))
order by
  sa.storage_account_name;
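As an added example (not code from the steampipe-mod-azure-compliance mod or from Azure), the Python below applies the same ok/alarm rule as the control's query to JSON shaped like the output of `az storage account blob-service-properties show`, and prints the Azure CLI remediation command from the section above for every non-compliant account. The account names, resource groups and sample documents are constructed; the `isVersioningEnabled` field name is assumed to match the CLI's JSON output. A missing or null property is treated as disabled, which is the outcome the query's left join produces for a storage account that has no blob service row.

```python
"""Offline evaluation of CIS 10.2.2 (blob versioning) over CLI-shaped JSON.

Added example, not part of the mod. It mirrors the control's logic:
is_versioning_enabled true -> 'ok', anything else -> 'alarm'.
"""
import json
import shlex

# Constructed sample: trimmed documents in the shape returned by
# `az storage account blob-service-properties show --account-name <name>`.
# Keys are (resource_group, storage_account_name); names are placeholders.
SAMPLE_OUTPUTS = {
    ("rg-prod", "stprodlogs"): '{"isVersioningEnabled": true}',
    ("rg-prod", "stprodbackup"): '{"isVersioningEnabled": false}',
    # Property absent entirely (no blob service properties returned).
    ("rg-dev", "stdevscratch"): '{}',
}


def evaluate(props_json):
    """Return 'ok' only when isVersioningEnabled is exactly boolean true.

    A missing, null, or non-boolean value is reported as 'alarm', the same
    way the control alarms when bs.is_versioning_enabled is null.
    """
    props = json.loads(props_json) if props_json else {}
    return "ok" if props.get("isVersioningEnabled") is True else "alarm"


def remediation_command(account_name):
    """The az command from the Remediation section, quoted for the shell."""
    return (
        "az storage account blob-service-properties update "
        f"--account-name {shlex.quote(account_name)} --enable-versioning true"
    )


def assess(outputs):
    """Build one finding per account, ordered by (resource_group, name)."""
    findings = []
    for (rg, name), raw in sorted(outputs.items()):
        status = evaluate(raw)
        state = "enabled" if status == "ok" else "disabled"
        findings.append({
            "resource_group": rg,
            "storage_account_name": name,
            "status": status,
            "reason": f"{name} has blob versioning {state}.",
        })
    return findings


def remediation_plan(findings):
    """One remediation command per account that alarmed."""
    return [
        remediation_command(f["storage_account_name"])
        for f in findings
        if f["status"] == "alarm"
    ]


if __name__ == "__main__":
    results = assess(SAMPLE_OUTPUTS)
    for f in results:
        print(f"{f['status']:5} {f['resource_group']}/{f['storage_account_name']}: {f['reason']}")
    print("\nRemediation commands:")
    for cmd in remediation_plan(results):
        print(cmd)
```

To run it against a real subscription, replace `SAMPLE_OUTPUTS` with the result of calling the `show` command for each account listed by `az storage account list`; the commands it prints are exactly the ones the Remediation section gives, so they can be reviewed before being executed.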

Tags