Description

Soft delete for Azure Blob Storage allows you to recover deleted blobs and containers within a retention period. When soft delete is enabled, deleted blobs and containers are retained in a "soft deleted" state for a specified duration before being permanently removed. This feature is crucial for protecting against accidental or malicious deletion of critical data, enabling data recovery, and enhancing compliance with data retention requirements.

Rationale

Enabling Soft Delete for Azure Containers and Blob Storage provides an additional layer of data protection. It ensures that deleted blobs and containers can be restored within the retention period, preventing data loss due to human error or unforeseen circumstances. This is especially important for compliance with industry regulations such as GDPR, HIPAA, and SOC 2, which require data protection measures and retention policies to be in place.

Impact

Enabling Soft Delete ensures that deleted blobs or containers are retained for a configurable period (usually 7 to 365 days), which increases storage costs because soft-deleted blobs continue to occupy space. However, the tradeoff is that it provides a safeguard against data loss, making it a valuable security feature.

Default Value

By default, Soft Delete is disabled for Azure Blob Storage. This must be explicitly enabled to ensure data protection.

Pre-requisites:

  • Azure account: Ensure you have sufficient permissions to configure Azure Storage Account settings.

  • Azure Storage Account: Ensure the storage account exists.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.

Remediation:

Audit:

To check if Soft Delete is enabled for your Azure Blob Storage:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check Soft Delete settings:

    • In the left-hand menu, go to Data Protection under the "Blob service" section.

    • Ensure that Soft delete is set to Enabled.

    • Verify the Retention period (for example, 7 days or any period based on your retention policy).

Implementation:

To automatically enforce Soft Delete for all Azure Storage Accounts, you can use Azure Policy.

  1. Create a custom Azure Policy to enable Soft Delete for blob storage:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Soft Delete is Enabled for Blob Storage",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that Soft Delete is enabled for all Azure Blob Storage accounts.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/blobServices"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

The rule scopes itself to the blob service resource type and uses notEquals "true" rather than equals "false", so a blob service whose deleteRetentionPolicy block is omitted entirely (the default, meaning soft delete is off) is also denied.

  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that Soft Delete is enabled for all storage accounts.
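To verify the same setting outside the portal, the following added script (not part of the original page) audits blob-service properties for the blob and container soft-delete policies the control describes. It assumes input shaped like the JSON printed by "az storage account blob-service-properties show" (camelCase keys), treats a missing policy block as disabled, which is the Azure default, and uses 7 days as the retention floor from the audit step above.

```python
"""Offline audit of blob soft-delete settings (added example, constructed input)."""
import json
from typing import Dict, List

MIN_RETENTION_DAYS = 7  # retention floor taken from this control's audit step


def check_soft_delete(props: dict) -> List[str]:
    """Return findings for one account's blob service properties.

    An empty list means the account satisfies the control. Key names are
    assumed to match the Azure CLI's camelCase output; a missing or null
    policy block is reported as disabled, matching Azure's default.
    """
    findings = []
    for key, label in (("deleteRetentionPolicy", "blob"),
                       ("containerDeleteRetentionPolicy", "container")):
        policy = props.get(key) or {}
        if not policy.get("enabled", False):
            findings.append(f"{label} soft delete disabled")
            continue
        days = policy.get("days") or 0
        if days < MIN_RETENTION_DAYS:
            findings.append(f"{label} retention {days}d < {MIN_RETENTION_DAYS}d")
    return findings


def audit_accounts(raw_json: str) -> Dict[str, List[str]]:
    """Map account name -> findings for a JSON array of {name, properties} records."""
    return {acct["name"]: check_soft_delete(acct["properties"])
            for acct in json.loads(raw_json)}


# Constructed sample: three accounts in different states (not real accounts).
SAMPLE = json.dumps([
    {"name": "stcompliant", "properties": {
        "deleteRetentionPolicy": {"enabled": True, "days": 14},
        "containerDeleteRetentionPolicy": {"enabled": True, "days": 7}}},
    {"name": "stshortretention", "properties": {
        "deleteRetentionPolicy": {"enabled": True, "days": 1},
        "containerDeleteRetentionPolicy": {"enabled": True, "days": 7}}},
    {"name": "stdefault", "properties": {}},  # nothing configured: Azure default
])

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```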

Backout Plan:

To disable Soft Delete if needed:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to the Data Protection settings:

    • In the left-hand menu, go to Data Protection under the "Blob service" section.

  4. Disable Soft Delete:

    • Change the Soft delete setting to Disabled and save the changes.

If the setting was enforced through Azure Policy, modify or remove the policy to allow the disabling of Soft Delete.

References: