turbot/steampipe-mod-azure-compliance

Control: 9.2.2 Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled

Description

Containers in Azure storage accounts may contain sensitive or personal data, such as ePHI or financial information. Data that is erroneously modified or deleted by an application or a user can lead to data loss or unavailability.

It is recommended that soft delete for containers be enabled on Azure storage accounts with blob storage to allow for the preservation and recovery of data when containers are deleted.

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. For each Storage Account with blob storage, under Data management, go to Data protection.
  3. Check the box next to Enable soft delete for containers.
  4. Set the retention period to a sufficient length for your organization.
  5. Click Save.

Remediate from Azure CLI

Run the following command to update container retention:

az storage account blob-service-properties update --resource-group <resourcegroup> --account-name <storage-account> --enable-container-delete-retention true --container-delete-retention-days <retention-days>

Default Value

Soft delete for containers is enabled by default on storage accounts created via the Azure Portal, and disabled by default on storage accounts created via Azure CLI or PowerShell.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_9_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_9_2_2 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when blob_container_soft_delete_enabled
      and blob_container_soft_delete_retention_days between 7 and 365 then 'ok'
    else 'alarm'
  end as status,
  case
    when blob_container_soft_delete_enabled
      and blob_container_soft_delete_retention_days between 7 and 365 then
      sa.name || ' container soft delete is enabled with retention days: ' || blob_container_soft_delete_retention_days || '.'
    when (not blob_container_soft_delete_enabled or blob_container_soft_delete_enabled is null) then
      sa.name || ' container soft delete is disabled.'
    when blob_container_soft_delete_retention_days < 7 or blob_container_soft_delete_retention_days > 365 then
      sa.name || ' container soft delete retention days (' || blob_container_soft_delete_retention_days::text || ') is not between 7 and 365 days.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa
  left join azure_subscription sub on sub.subscription_id = sa.subscription_id;
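The following is an added example, not code from the steampipe-mod-azure-compliance mod. It replays the named query's status and reason logic from the SQL section over constructed storage account rows (one per branch of the CASE expressions, plus the edge case where soft delete is enabled but no retention value is recorded), and for every account in alarm it builds the Azure CLI command from the Remediation section. The `StorageAccount` class, the sample accounts and the 30-day default passed to the remediation command are assumptions for illustration; the column names, thresholds and command flags are those on the page.

```python
"""Added example: evaluate CIS 9.2.2 (container soft delete) over sample rows
and produce the remediation command for non-compliant accounts.
Not part of the steampipe-mod-azure-compliance mod."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Retention window accepted by the control's named query.
MIN_RETENTION_DAYS = 7
MAX_RETENTION_DAYS = 365


@dataclass
class StorageAccount:
    # Field names mirror the azure_storage_account columns used by the query
    # (hypothetical in-memory stand-in for the Steampipe table).
    name: str
    resource_group: str
    blob_container_soft_delete_enabled: Optional[bool]
    blob_container_soft_delete_retention_days: Optional[int]


def evaluate(sa: StorageAccount) -> Tuple[str, str]:
    """Return (status, reason) following the CASE expressions of the named query."""
    enabled = sa.blob_container_soft_delete_enabled
    days = sa.blob_container_soft_delete_retention_days
    in_range = days is not None and MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS
    if enabled and in_range:
        return "ok", f"{sa.name} container soft delete is enabled with retention days: {days}."
    # A null enabled flag is treated as disabled, as in the query's second branch.
    if not enabled:
        return "alarm", f"{sa.name} container soft delete is disabled."
    if days is None:
        # The query's third branch compares against NULL here and yields no reason;
        # this example reports the gap explicitly instead.
        return "alarm", f"{sa.name} container soft delete retention days is not set."
    return "alarm", (f"{sa.name} container soft delete retention days ({days}) "
                     f"is not between {MIN_RETENTION_DAYS} and {MAX_RETENTION_DAYS} days.")


def remediation_command(sa: StorageAccount, retention_days: int = 30) -> str:
    """Build the Azure CLI command from the Remediation section.
    retention_days defaults to 30 here as an assumed organizational choice;
    the page itself leaves the value to the reader."""
    return (
        "az storage account blob-service-properties update "
        f"--resource-group {sa.resource_group} --account-name {sa.name} "
        "--enable-container-delete-retention true "
        f"--container-delete-retention-days {retention_days}"
    )


def run_control(accounts: List[StorageAccount]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Evaluate every account; return result rows and the commands that would fix alarms."""
    rows, fixes = [], []
    for sa in accounts:
        status, reason = evaluate(sa)
        rows.append((sa.name, status, reason))
        if status == "alarm":
            fixes.append(remediation_command(sa))
    return rows, fixes


# Constructed sample data covering each branch of the query plus the null-days edge case.
SAMPLE_ACCOUNTS = [
    StorageAccount("stcompliant", "rg-prod", True, 30),
    StorageAccount("stdisabled", "rg-prod", False, None),
    StorageAccount("stunknown", "rg-dev", None, None),
    StorageAccount("sttooshort", "rg-dev", True, 3),
    StorageAccount("sttoolong", "rg-dev", True, 400),
    StorageAccount("stnodays", "rg-dev", True, None),
]

if __name__ == "__main__":
    result_rows, fix_commands = run_control(SAMPLE_ACCOUNTS)
    for name, status, reason in result_rows:
        print(f"{status:5}  {reason}")
    print("\nRemediation commands for accounts in alarm:")
    for cmd in fix_commands:
        print("  " + cmd)
```

Running the script prints one `ok` row and five `alarm` rows, then the five `az storage account blob-service-properties update` commands; the commands are only printed, so they can be reviewed before being run against real accounts with an appropriate retention period.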

Tags