Description:
Soft Delete for Azure Blob Storage allows you to recover blobs that have been deleted by mistake or intentionally within a retention period. When Soft Delete is enabled, deleted blobs are retained in a soft-deleted state and can be recovered before the retention period expires. This helps protect against accidental or malicious deletion of important data.
Rationale:
Enabling Soft Delete for blobs provides an additional layer of data protection. If a blob is deleted, it can be restored during the configured retention period, which can help avoid data loss caused by human error or other unintended actions. This is especially important for meeting data retention and recovery requirements in compliance with regulations like GDPR, HIPAA, and SOC 2.
Impact:
Enabling Soft Delete increases storage usage slightly because the deleted blobs are retained for the retention period. However, this trade-off is minimal when considering the protection it offers against accidental deletions. The retention period (default 7 days) can be configured to suit your organization’s needs.
Default Value:
By default, Soft Delete is disabled for Azure Blob Storage Accounts. This setting must be manually enabled.
Prerequisites:
Azure account: an Azure account with access to the subscription that contains the storage account.
Azure Storage Account: the storage account to be assessed must already exist.
Permissions: a role that allows modifying storage account settings, such as Owner or Contributor.
Remediation:
Audit:
To check if Soft Delete for blobs is enabled for your Azure Storage Accounts:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the Azure Storage Account.
Check Soft Delete settings:
In the left-hand menu, under Settings, click on Data Protection.
Ensure that Soft Delete is set to Enabled and the Retention Period is configured as desired.
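As an added example that is not part of the original control text, the following Python script applies the same Audit check to several storage accounts at once, reading the JSON shape returned by `az storage account blob-service-properties show` (the account data here is constructed) and emitting the matching Azure CLI update command for each account that fails; the seven-day minimum is taken from the default retention period noted under Impact.

```python
"""Audit blob soft delete (deleteRetentionPolicy) across storage accounts.

Input mirrors `az storage account blob-service-properties show -o json`, one
object per account plus its name; the sample below is constructed, not live data.
"""
import json

MIN_RETENTION_DAYS = 7  # default retention from the Impact section; raise as needed

# Constructed sample covering the states an auditor meets: compliant, retention
# too short, explicitly disabled, and an account with no policy block at all.
SAMPLE_ACCOUNTS = json.loads("""[
 {"name": "stcompliant01", "deleteRetentionPolicy": {"enabled": true, "days": 14}},
 {"name": "stshortret02",  "deleteRetentionPolicy": {"enabled": true, "days": 3}},
 {"name": "stdisabled03",  "deleteRetentionPolicy": {"enabled": false, "days": null}},
 {"name": "stlegacy04"}
]""")

def evaluate_account(account, min_days=MIN_RETENTION_DAYS):
    """Return (compliant, reason). A missing policy block counts as disabled,
    matching the Default Value section (soft delete off until enabled)."""
    policy = account.get("deleteRetentionPolicy") or {}
    if not policy.get("enabled"):
        return False, "soft delete disabled"
    days = policy.get("days") or 0
    if days < min_days:
        return False, f"retention {days}d is below the minimum of {min_days}d"
    return True, f"soft delete enabled, retention {days}d"

def remediation_command(account_name, days=MIN_RETENTION_DAYS):
    """Azure CLI command that enables blob soft delete on one account."""
    return ("az storage account blob-service-properties update "
            f"--account-name {account_name} "
            f"--enable-delete-retention true --delete-retention-days {days}")

def audit(accounts, min_days=MIN_RETENTION_DAYS):
    """Evaluate every account; non-compliant ones carry a ready-to-run fix."""
    findings = []
    for acct in accounts:
        ok, reason = evaluate_account(acct, min_days)
        findings.append({"name": acct["name"], "compliant": ok, "reason": reason,
                         "fix": None if ok else remediation_command(acct["name"], min_days)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print("PASS" if f["compliant"] else "FAIL", f["name"], "-", f["reason"])
        if f["fix"]:
            print("   fix:", f["fix"])
```

To run it against live data, replace SAMPLE_ACCOUNTS with the output of the `show` command for each account (adding the account name to each object).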
Automated Implementation:
To ensure Soft Delete for blobs is enabled across all Azure Storage Accounts, you can use Azure Policy.
Create a custom Azure Policy to ensure Soft Delete is enabled for all storage accounts:
Go to the Azure portal.
Navigate to Policy and click on Definitions.
Create a new Custom Policy with the following content:
{
  "properties": {
    "displayName": "Ensure Soft Delete for Blobs is Enabled on Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that Soft Delete for blobs is enabled on all Azure storage accounts.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/blobServices"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Assign the policy:
After creating the custom policy, assign it to the relevant subscriptions or resource groups. With the Deny effect, any attempt to configure a storage account's blob service with Soft Delete disabled is rejected, so Soft Delete stays enabled on the storage accounts in scope.
Backout Plan:
To disable Soft Delete for blobs:
Sign in to the Azure portal with appropriate permissions.
Navigate to the Azure Storage Account.
Go to Data Protection settings:
In the left-hand menu, under Settings, click on Data Protection.
Disable Soft Delete:
Set Soft Delete to Disabled and save the changes.
If the setting was enforced via Azure Policy, modify or remove the policy to allow disabling Soft Delete.