turbot/steampipe-mod-azure-compliance

Control: Blob versioning should be enabled for storage accounts

Description

Ensure that blob versioning is enabled to allow automatic retention of previous versions of objects, which helps recover data in case of accidental deletion or overwrite.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_blob_versioning_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_blob_versioning_enabled --share

SQL

This control uses a named query:

with storage_accounts as materialized (
  select
    name as storage_account_name,
    id,
    resource_group
  from
    azure_storage_account
),
blob_services as materialized (
  select
    storage_account_name,
    is_versioning_enabled,
    resource_group
  from
    azure_storage_blob_service
)
select
  sa.id as resource,
  case
    when bs.is_versioning_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when bs.is_versioning_enabled then sa.storage_account_name || ' has blob versioning enabled.'
    else sa.storage_account_name || ' has blob versioning disabled.'
  end as reason
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  storage_accounts sa
  left join blob_services bs on sa.storage_account_name = bs.storage_account_name
  left join azure_subscription sub on sub.subscription_id = (split_part(sa.id, '/', 3))
order by
  sa.storage_account_name;
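
To cross-check a finding outside Steampipe, the following added example (not part of the mod or of the original page) reads the same setting with the Azure CLI and maps it to the control's ok/alarm statuses. It assumes `az` is installed and logged in; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mod): read blob versioning with the Azure CLI
# and report it using the control's ok/alarm statuses.
# Assumptions: `az` is installed and logged in; function names are hypothetical.

# Map the CLI's isVersioningEnabled value to a status. Anything other than
# "true" (compared case-insensitively), including an empty value when the
# property is unset or the call fails, is an alarm, as in the control's query.
versioning_status() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true) echo ok ;;
    *)    echo alarm ;;
  esac
}

# Args: storage account name, resource group.
check_account() {
  value=$(az storage account blob-service-properties show \
            --account-name "$1" --resource-group "$2" \
            --query isVersioningEnabled --output tsv </dev/null 2>/dev/null) || value=""
  versioning_status "$value"
}

# Print "status<TAB>account<TAB>resource group" for the current subscription.
audit_subscription() {
  tab=$(printf '\t')
  az storage account list --query '[].[name, resourceGroup]' --output tsv |
  while IFS="$tab" read -r name rg; do
    printf '%s\t%s\t%s\n' "$(check_account "$name" "$rg")" "$name" "$rg"
  done
}

# Run the audit only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_subscription
fi
```

Run the script with `--run` to audit the subscription the CLI is currently set to. An account that reports `alarm` can have versioning turned on with `az storage account blob-service-properties update --account-name <name> --resource-group <group> --enable-versioning true`.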

Tags