Description:
The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
Rationale:
There could be scenarios where users accidentally run delete commands on Azure Storage blobs or blob snapshots or attacker/malicious user does it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss / non-accessible data. There is a property of Azure Storage blob service to make recoverable blobs.
Soft Delete
Enabling this configuration for azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects remain recoverable for a particular time which set in the "Retention policies" [Retention policies can be 7 days to 365 days].
Default Value:
When a new storage account is created, soft delete is by default disabled.
Audit:
Go to Storage Account
For each Storage Account, navigate to Data protection
Ensure that soft delete is enabled
Using Azure Command-Line Interface 2.0:
Ensure that the output of the below command contains enabled status as true and days is not empty or null
az storage blob service-properties delete-policy show --account-name
<StorageAccountName>
Remediation:
Pre-Requisites:
Azure Account
At least one storage account in Azure
Implementation Steps:
Go to Storage Account
For each Storage Account, navigate to Data Protection
Select set soft delete enabled and enter a number of days you want to retain soft deleted data.
Backout Plan:
Go to Storage Account
For each Storage Account, navigate to Data protection
Ensure that for a new storage account soft delete is disabled(how we can revoke the changes)
Using Azure Command-Line Interface 2.0:
Update retention days in below command
az storage blob service-properties delete-policy update --days-retained
<RetentionDaysValue> --account-name <StorageAccountName> --enable true