Profile Applicability:

  • Level 2

Description:

This control enforces the use of locked immutability policies on Azure Blob Storage containers that store business-critical data. These policies ensure data cannot be modified or deleted for a specified retention period, even by administrators.

Rationale:

Enabling a locked immutability policy applies a Write Once, Read Many (WORM) model to the data, protecting it from malicious or accidental modifications and deletions. This control helps meet regulatory and legal requirements for data preservation and integrity.

Impact:

  • Once the policy is locked, the container cannot be modified or deleted until the retention period expires.

  • The storage account cannot be deleted if it contains a container with a locked immutability policy.

  • May increase long-term retention costs and administrative overhead.

Default Value:

Blob immutability is disabled by default.

Test Plan:

Using Azure Portal:

  1. Go to Storage accounts.

  2. Select a storage account.

  3. Click Containers under Data storage.

  4. Click the three dots (•••) next to a container and select Access policy.

  5. Ensure a locked policy is listed under Immutable blob storage.

Using Azure CLI:

List storage accounts:

az storage account list

List containers:

az storage container list --account-name <storage-account>

Check immutability policy:

az storage container immutability-policy show --account-name <storage-account> --container-name <container-name>

Confirm "state": "Locked" in the output for relevant containers.

Implementation Plan:

Using Azure Portal:

  1. Navigate to Storage accounts > select a storage account > Containers.

  2. Click the three dots next to the container and choose Access policy.

  3. Under Immutable blob storage, click + Add policy.

  4. Choose:

    • Legal hold: Add at least one tag, then choose append write restrictions.

    • Time-based retention: Enter retention in days, optionally enable version-level immutability, and set append write restrictions.

  5. Click Save.

  6. Click the three dots next to the policy and select Lock policy.

  7. Confirm by typing "yes" and clicking OK.

Using Azure CLI:

Create the immutability policy:

az storage container immutability-policy create --account-name <storage-account> --container-name <blob-container> --period <retention-days>

Lock the immutability policy:

az storage container immutability-policy lock --account-name <storage-account> --container-name <blob-container> --if-match <etag>
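As an added example (not part of the benchmark text or an Azure tool), the following Python script applies the audit criteria above to the JSON that `immutability-policy show` returns for each container, and wraps the create-then-lock remediation so the etag from the create step feeds the lock step. The JSON field names `state`, `immutabilityPeriodSinceCreationInDays` and `etag` are assumed from the Azure resource model, and the sample policy objects are constructed.

```python
import json
import subprocess

# Constructed samples in the shape of `az storage container immutability-policy show -o json`
# (field names assumed; values made up). None models a container with no policy at all.
SAMPLE_POLICIES = {
    "audit-logs": {"state": "Locked", "immutabilityPeriodSinceCreationInDays": 2555, "etag": '"0x8D1"'},
    "staging": {"state": "Unlocked", "immutabilityPeriodSinceCreationInDays": 30, "etag": '"0x8D2"'},
    "scratch": None,
}

def check_policy(policy):
    """Return (compliant, reason): compliant only if the policy is Locked with a positive period."""
    if not policy:
        return False, "no immutability policy"
    state = policy.get("state")
    days = policy.get("immutabilityPeriodSinceCreationInDays") or 0
    if state != "Locked":
        return False, f"policy state is {state!r}, not 'Locked'"
    if days <= 0:
        return False, "retention period is 0 days"
    return True, f"locked, {days}-day retention"

def audit(policies):
    """Map container name -> (compliant, reason) for a dict of show() outputs."""
    return {name: check_policy(p) for name, p in policies.items()}

def noncompliant(policies):
    """Sorted names of containers that fail the check."""
    return sorted(name for name, (ok, _) in audit(policies).items() if not ok)

def az_json(*args):
    """Run an az command with JSON output; None if it fails (e.g. no policy). Needs a logged-in az CLI."""
    proc = subprocess.run(["az", *args, "-o", "json"], capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.returncode == 0 and proc.stdout.strip() else None

def audit_account(account):
    """Live audit of every container in one storage account (requires network; not run offline)."""
    names = [c["name"] for c in az_json("storage", "container", "list", "--account-name", account) or []]
    return audit({n: az_json("storage", "container", "immutability-policy", "show",
                             "--account-name", account, "--container-name", n) for n in names})

def create_and_lock(account, container, days):
    """Remediation: create a time-based policy, then lock it with the etag the create step returned."""
    created = az_json("storage", "container", "immutability-policy", "create",
                      "--account-name", account, "--container-name", container, "--period", str(days))
    if not created or "etag" not in created:
        raise RuntimeError(f"policy creation failed for {account}/{container}")
    return az_json("storage", "container", "immutability-policy", "lock",
                   "--account-name", account, "--container-name", container, "--if-match", created["etag"])

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_POLICIES).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Run as-is it evaluates the constructed samples; `audit_account` and `create_and_lock` only work against a real subscription and should be tried on a non-critical container first, since a locked policy cannot be undone before the retention period expires.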

References: