Description:

The 'Versioning' feature for Azure Blob Storage allows multiple versions of a blob to be retained, providing a mechanism for recovering data if a blob is accidentally deleted or overwritten. When enabled, each change to a blob creates a new version, preserving the previous state of the blob. This feature is crucial for data protection, allowing for easy recovery of previous versions and mitigating risks such as accidental deletions or changes.

Rationale

Enabling Blob Versioning in Azure Storage ensures that a history of changes to blobs is maintained, which provides data protection and recovery options in case of accidental or malicious data loss. It enhances compliance with data retention policies and ensures that previous versions of data can be restored when needed. Versioning is particularly important in scenarios where data integrity, auditability, and recovery are critical, helping meet security and compliance requirements like SOC 2, GDPR, and HIPAA.

Impact

Enabling Blob Versioning will increase the storage used by the account because older versions of blobs are retained. However, this cost increase is often justified by the added benefits of data protection and recovery options. Proper monitoring and lifecycle management policies should be put in place to manage versioned data efficiently and prevent unnecessary storage overhead.

Default Value

By default, Blob Versioning is disabled for Azure Storage Accounts. It must be explicitly enabled.

Pre-requisites:

  • Azure account: Ensure you have the necessary permissions to configure settings for Azure Storage Accounts.

  • Azure Storage Account: Ensure the storage account exists.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify storage account settings.

Remediation:

Audit:

To check if Versioning is enabled for your Azure Blob Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check Versioning settings:

    • In the left-hand menu, under Settings, click on Data Protection.

    • Verify that Versioning is set to Enabled for the Blob Storage service.
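The portal steps above cover one account at a time. The script below is an added example, not part of this benchmark page, that performs the same audit across every storage account in the current subscription using the Azure CLI (`az storage account list` and `az storage account blob-service-properties show`, whose output carries the `isVersioningEnabled` field) and prints the `az ... update --enable-versioning true` command for each failing account. Because versioning is disabled by default, an account whose properties omit the field is treated as non-compliant. The `fake_az` function and the sample account data are constructed so the check can be exercised offline; pass `run_az` instead to query Azure for real.

```python
"""Added audit example (not part of the benchmark): find Azure Storage
Accounts without Blob Versioning and emit the CLI remediation for each.

Assumes the `az` CLI is installed and logged in when run with run_az.
"""
import json
import subprocess
from typing import Callable

# Constructed sample of `az storage account list` output, trimmed to the
# fields the audit needs. Names and resource groups are made up.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "stlogsprod", "resourceGroup": "rg-prod"},
    {"name": "stbackupsdev", "resourceGroup": "rg-dev"},
    {"name": "stunconfigured", "resourceGroup": "rg-legacy"},
])

# Constructed per-account `blob-service-properties show` output. The last
# account omits isVersioningEnabled entirely; the audit must not treat a
# missing field as "enabled", since the Azure default is disabled.
SAMPLE_PROPERTIES = {
    "stlogsprod": json.dumps({"isVersioningEnabled": True}),
    "stbackupsdev": json.dumps({"isVersioningEnabled": False}),
    "stunconfigured": json.dumps({"deleteRetentionPolicy": {"enabled": False}}),
}

Runner = Callable[[list], str]


def run_az(args: list) -> str:
    """Run an az CLI command and return its JSON stdout (live Azure query)."""
    result = subprocess.run(
        ["az", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def fake_az(args: list) -> str:
    """Offline stand-in for run_az that serves the constructed samples."""
    if args[:3] == ["storage", "account", "list"]:
        return SAMPLE_ACCOUNTS
    name = args[args.index("--account-name") + 1]
    return SAMPLE_PROPERTIES[name]


def list_accounts(run: Runner = run_az) -> list:
    """All storage accounts visible in the current subscription."""
    return json.loads(run(["storage", "account", "list"]))


def versioning_enabled(account: dict, run: Runner = run_az) -> bool:
    """True only when the blob service reports isVersioningEnabled == true."""
    props = json.loads(run([
        "storage", "account", "blob-service-properties", "show",
        "--account-name", account["name"],
        "--resource-group", account["resourceGroup"],
    ]))
    # Absent or false both mean versioning is off.
    return props.get("isVersioningEnabled") is True


def audit(run: Runner = run_az) -> list:
    """Accounts that fail the control (versioning not enabled)."""
    return [a for a in list_accounts(run) if not versioning_enabled(a, run)]


def remediation_command(account: dict) -> list:
    """The az command that turns Blob Versioning on for one account."""
    return [
        "az", "storage", "account", "blob-service-properties", "update",
        "--account-name", account["name"],
        "--resource-group", account["resourceGroup"],
        "--enable-versioning", "true",
    ]


if __name__ == "__main__":
    # Swap fake_az for run_az to audit a real subscription.
    for acct in audit(fake_az):
        print(f"NON-COMPLIANT: {acct['name']} ({acct['resourceGroup']})")
        print("  remediate with:", " ".join(remediation_command(acct)))
```

Run the printed commands only after confirming the account is a kind that supports versioning, and pair the change with a lifecycle management policy so retained versions do not grow the account's storage cost unchecked, as the Impact section notes.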

Implementation:

To ensure Versioning is enabled for all Azure Storage Accounts, you can use Azure Policy.

  1. Create a custom Azure Policy to ensure Blob Versioning is enabled:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Blob Versioning is Enabled on Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that versioning is enabled for all Azure Blob Storage accounts. It evaluates the blob service child resource of each storage account and rejects a configuration whose isVersioningEnabled property is not true (an unset property means versioning is disabled, the Azure default).",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/blobServices"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/isVersioningEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}


  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that Blob Versioning is enabled for all storage accounts.

Backout Plan:

To disable Blob Versioning:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to Data Protection settings:

    • In the left-hand menu, under Settings, click on Data Protection.

  4. Disable Versioning:

    • Set Versioning to Disabled and save the changes.

If the setting was enforced via Azure Policy, modify or remove the policy to allow disabling versioning.

References: