Control: 10.3.6 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Description
Azure Storage blobs may hold sensitive data such as ePHI or financial records, which can be confidential or personal. Data that is erroneously modified or deleted by an application or by another storage account user causes data loss or unavailability.
It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration, so that data can be retained and recovered when blobs or blob snapshots are deleted.
Containers and Blob Storage data can be deleted by mistake, and an attacker or malicious user may delete them deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling soft delete ensures that even if blobs or data objects are deleted from the storage account, they remain recoverable for the period set in the "Retention policies," which ranges from 7 to 365 days.
Remediation
From Azure Portal
- Go to Storage Accounts.
- For each Storage Account, under Data management, go to Data protection.
- Check the box next to Enable soft delete for blobs.
- Check the box next to Enable soft delete for containers.
- Set the retention period for both to a sufficient length for your organization.
- Click Save.
From Azure CLI
Update the blob soft delete retention period with the command below:
az storage blob service-properties delete-policy update --days-retained <RetentionDaysValue> --account-name <StorageAccountName> --account-key <AccountKey> --enable true
Update the container soft delete retention period with the command below:
az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days <days> --account-name <storageAccount> --resource-group <resourceGroup>
Default Value
Soft delete for containers and blob storage is enabled by default on storage accounts created via the Azure Portal, and disabled by default on storage accounts created via Azure CLI or PowerShell.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_10_3_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_3_6 --share
SQL
This control uses a named query:
select
  sa.id as resource,
  case
    when blob_soft_delete_enabled
      and blob_container_soft_delete_enabled
      and blob_soft_delete_retention_days between 7 and 365
      and blob_container_soft_delete_retention_days between 7 and 365 then 'ok'
    else 'alarm'
  end as status,
  case
    when blob_soft_delete_enabled
      and blob_container_soft_delete_enabled
      and blob_soft_delete_retention_days between 7 and 365
      and blob_container_soft_delete_retention_days between 7 and 365
      then sa.name || ' soft delete is enabled for azure containers and blob storage with retention days: blob=' || blob_soft_delete_retention_days || ', container=' || blob_container_soft_delete_retention_days || '.'
    when (not blob_soft_delete_enabled or blob_soft_delete_enabled is null)
      and (not blob_container_soft_delete_enabled or blob_container_soft_delete_enabled is null)
      then sa.name || ' blob and azure container soft delete disabled.'
    when (not blob_soft_delete_enabled or blob_soft_delete_enabled is null)
      then sa.name || ' blob soft delete disabled.'
    when (not blob_container_soft_delete_enabled or blob_container_soft_delete_enabled is null)
      then sa.name || ' azure container soft delete disabled.'
    when blob_soft_delete_retention_days < 7 or blob_soft_delete_retention_days > 365
      then sa.name || ' blob soft delete retention days (' || blob_soft_delete_retention_days::text || ') is not between 7 and 365 days.'
    when blob_container_soft_delete_retention_days < 7 or blob_container_soft_delete_retention_days > 365
      then sa.name || ' azure container soft delete retention days (' || blob_container_soft_delete_retention_days::text || ') is not between 7 and 365 days.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
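The same pass/fail rules as an added Python example (not the Powerpipe control's or Steampipe plugin's own code), run over constructed rows shaped like the azure_storage_account columns the query reads. It also gives an explicit reason for the case where a feature is enabled but its retention value is null, which the query's case expression leaves with a null reason.

```python
# Added example (not the Powerpipe control's own code): the control's pass/fail
# rules in Python, keyed by the azure_storage_account columns the query reads.
MIN_DAYS, MAX_DAYS = 7, 365

def retention_ok(days):
    """True only when a retention value is present and within 7..365 days."""
    return days is not None and MIN_DAYS <= days <= MAX_DAYS

def evaluate(sa):
    """Return (status, reason) for one row using the query's rules: both flags
    on and both retention periods in 7..365 days is 'ok', anything else 'alarm'.
    A null retention value on an enabled feature also gets an explicit reason."""
    name = sa["name"]
    blob_on = bool(sa.get("blob_soft_delete_enabled"))  # null counts as off
    cont_on = bool(sa.get("blob_container_soft_delete_enabled"))
    blob_days = sa.get("blob_soft_delete_retention_days")
    cont_days = sa.get("blob_container_soft_delete_retention_days")
    if blob_on and cont_on and retention_ok(blob_days) and retention_ok(cont_days):
        return "ok", (f"{name} soft delete is enabled for azure containers and blob "
                      f"storage with retention days: blob={blob_days}, container={cont_days}.")
    if not blob_on and not cont_on:
        return "alarm", f"{name} blob and azure container soft delete disabled."
    if not blob_on:
        return "alarm", f"{name} blob soft delete disabled."
    if not cont_on:
        return "alarm", f"{name} azure container soft delete disabled."
    if not retention_ok(blob_days):
        return "alarm", f"{name} blob soft delete retention days ({blob_days}) is not between 7 and 365 days."
    return "alarm", f"{name} azure container soft delete retention days ({cont_days}) is not between 7 and 365 days."

def row(name, blob_on, cont_on, blob_days, cont_days):
    return {"name": name, "blob_soft_delete_enabled": blob_on,
            "blob_container_soft_delete_enabled": cont_on,
            "blob_soft_delete_retention_days": blob_days,
            "blob_container_soft_delete_retention_days": cont_days}

# Constructed sample rows: one compliant account plus three failure modes,
# including the CLI-created default where neither soft delete flag is set.
SAMPLE_ROWS = [row("sa-compliant", True, True, 14, 30),
               row("sa-cli-default", False, None, None, None),
               row("sa-short-retention", True, True, 3, 30),
               row("sa-missing-days", True, True, 30, None)]

def run_control(rows=SAMPLE_ROWS):
    """Evaluate every row and return {name: (status, reason)}."""
    return {sa["name"]: evaluate(sa) for sa in rows}

if __name__ == "__main__":
    for status, reason in run_control().values():
        print(f"{status:5} {reason}")
```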