Description

Soft Delete for Azure File Shares is a feature that allows you to recover file shares that have been accidentally deleted or are unintentionally lost. When enabled, deleted file shares are retained in a soft-deleted state for a specified retention period, during which they can be recovered. This feature helps protect against accidental deletions and ensures that valuable data can be restored within the retention period.

Rationale

Enabling Soft Delete for Azure File Shares provides an additional layer of data protection by retaining deleted file shares temporarily before they are permanently removed. This gives administrators a chance to recover critical data that was accidentally deleted, helping to prevent data loss due to user error or unforeseen circumstances. It is a recommended practice for securing important files and ensuring compliance with data retention policies.

Impact

Enabling Soft Delete increases the storage usage slightly, as the deleted file shares are retained for the configured retention period (default 7 days). However, this minor increase in storage cost is outweighed by the benefit of having an added layer of protection for your data. Proper lifecycle management policies should be in place to prevent unnecessary storage overhead.

Default Value:

By default, Soft Delete is disabled for Azure File Shares. It needs to be explicitly enabled for each storage account that uses Azure File Shares.

Pre-requisites:

  • Azure account: Ensure you have appropriate permissions to configure the storage account settings.

  • Azure Storage Account with File Shares: Ensure the storage account and file shares exist.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the file share settings.

  • Retention period: The retention period (e.g., 7 days) can be configured based on your organization's needs.

Remediation:

Audit:

To check if Soft Delete is enabled for Azure File Shares:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check Soft Delete settings:

    • In the Settings section, click on Data Protection.

    • Ensure that Soft Delete for File Shares is set to Enabled and check the Retention period.
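The portal check above can also be scripted. As an added example (not part of this benchmark), the Python wrapper below calls the Azure CLI (`az storage account list` and `az storage account file-service-properties show`) for every storage account in the current subscription and reports accounts where share soft delete is disabled or the retention is below an assumed 7-day organisational minimum; the sample responses and account names are constructed so the check also runs offline.

```python
"""Audit Azure File Share soft delete (share delete retention) via the Azure CLI."""
import json
import subprocess
import sys

MIN_RETENTION_DAYS = 7  # assumed organisational minimum (matches the default retention)


def evaluate(account_name, props, min_days=MIN_RETENTION_DAYS):
    """Return (compliant, reason) for one storage account.

    `props` is the parsed JSON of `az storage account file-service-properties
    show`; its `shareDeleteRetentionPolicy` object carries `enabled` and `days`.
    """
    policy = props.get("shareDeleteRetentionPolicy") or {}
    if not policy.get("enabled"):
        return False, f"{account_name}: share soft delete is disabled"
    days = policy.get("days") or 0
    if days < min_days:
        return False, f"{account_name}: retention is {days} days, below the {min_days}-day minimum"
    return True, f"{account_name}: enabled, {days}-day retention"


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    return json.loads(subprocess.check_output(["az", *args, "--output", "json"], text=True))


def audit_subscription(min_days=MIN_RETENTION_DAYS):
    """Evaluate every storage account in the currently selected subscription."""
    findings = []
    for acct in az("storage", "account", "list"):
        props = az("storage", "account", "file-service-properties", "show",
                   "--account-name", acct["name"], "--resource-group", acct["resourceGroup"])
        findings.append(evaluate(acct["name"], props, min_days))
    return findings


# Constructed sample responses in the shape the CLI returns, so the check runs offline.
SAMPLE_COMPLIANT = {"shareDeleteRetentionPolicy": {"enabled": True, "days": 14}}
SAMPLE_SHORT = {"shareDeleteRetentionPolicy": {"enabled": True, "days": 3}}
SAMPLE_DISABLED = {"shareDeleteRetentionPolicy": {"enabled": False, "days": None}}

if __name__ == "__main__":
    # Pass --live to query the real subscription (requires a logged-in `az` session).
    results = audit_subscription() if "--live" in sys.argv else [
        evaluate("stprodfiles", SAMPLE_COMPLIANT), evaluate("stdevfiles", SAMPLE_SHORT),
        evaluate("stlegacy", SAMPLE_DISABLED)]
    for ok, reason in results:
        print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if all(ok for ok, _ in results) else 1)
```

The script exits non-zero when any account fails, so it can gate a pipeline or feed a scheduled compliance report.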

Automated Implementation:

To ensure Soft Delete for Azure File Shares is enabled across all storage accounts, you can use Azure Policy.

  1. Create a custom Azure Policy to ensure Soft Delete for file shares is enabled:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content (the rule targets the file services child resource, since that is where the share soft delete setting lives):

{
  "properties": {
    "displayName": "Ensure Soft Delete for File Shares is Enabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that Soft Delete for Azure File Shares is enabled across all storage accounts.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/fileServices"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/fileServices/shareDeleteRetentionPolicy.enabled",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that Soft Delete is enabled for all Azure File Shares.

Backout Plan:

To disable Soft Delete for Azure File Shares:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to Data Protection settings:

    • In the Settings section, click on Data Protection.

  4. Disable Soft Delete:

    • Set Soft Delete for File Shares to Disabled and save the changes.

If the setting was enforced via Azure Policy, modify or remove the policy to allow disabling Soft Delete.

References: