Profile Applicability:
Level 1
Description:
Soft Delete for Azure Backup Vaults ensures that when backup data or recovery points are deleted, they are retained for a configurable retention period instead of being permanently removed immediately. This protection helps safeguard against accidental or malicious deletion of backup data, allowing recovery within the retention window.
Rationale:
Enabling Soft Delete reduces the risk of data loss by providing a safety net against unintended deletion. It allows administrators to recover backups that were mistakenly deleted or compromised by ransomware or insider threats. This enhances overall backup resiliency and supports compliance with data retention policies.
Impact:
Pros:
Prevents permanent loss of backup data due to accidental or malicious deletion.
Improves disaster recovery and business continuity capabilities.
Supports compliance with retention and data protection regulations.
Cons:
May increase storage costs due to retained deleted data during the soft delete retention period.
Requires monitoring and management of retention settings.
Default Value:
Soft Delete is disabled by default on some backup vaults and must be enabled explicitly.
Pre-requisites:
Azure Portal or CLI access with permissions to manage Backup Vault settings.
Understanding of backup and recovery policies.
Remediation
Test Plan:
Using Azure Portal:
1. Go to https://portal.azure.com.
2. Navigate to Backup Center or Recovery Services vaults.
3. Select the relevant Backup Vault.
4. Under Properties or Settings, locate the Soft Delete option.
5. Verify that Soft Delete is enabled and configured with an appropriate retention period.
Using Azure CLI:
1. Check Soft Delete status for a Recovery Services vault:
az backup vault backup-properties show --name <vault-name> --resource-group <resource-group> --query "[].properties.softDeleteFeatureState" --output tsv
2. Confirm the output is Enabled.
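The same check applied to many vaults at once, as an added example that is not part of the original benchmark text: it reads one configuration object per vault, keyed on the properties.softDeleteFeatureState value queried above, and reports every vault that fails. The sample JSON is constructed; the softDeleteRetentionPeriodInDays field name, the AlwaysON state and the 14-day minimum are assumptions.

```python
import json

# Constructed sample: one configuration object per vault. Only
# properties.softDeleteFeatureState comes from the check above; the
# retention field name and the "AlwaysON" state are assumptions.
SAMPLE = json.loads("""[
 {"name": "vault-prod", "properties": {"softDeleteFeatureState": "Enabled", "softDeleteRetentionPeriodInDays": 30}},
 {"name": "vault-dev", "properties": {"softDeleteFeatureState": "Disabled", "softDeleteRetentionPeriodInDays": 14}},
 {"name": "vault-short", "properties": {"softDeleteFeatureState": "Enabled", "softDeleteRetentionPeriodInDays": 7}},
 {"name": "vault-lock", "properties": {"softDeleteFeatureState": "AlwaysON", "softDeleteRetentionPeriodInDays": 14}},
 {"name": "vault-empty", "properties": {}}
]""")

PASSING_STATES = {"enabled", "alwayson"}  # compared case-insensitively
MIN_RETENTION_DAYS = 14  # assumed policy minimum, equal to the default the page cites


def audit_vault(cfg, min_days=MIN_RETENTION_DAYS):
    """Return the findings for one vault; an empty list means compliant."""
    props = cfg.get("properties") or {}
    state = props.get("softDeleteFeatureState")
    if state is None:
        # Fail closed: a missing value is a finding, never an implicit pass.
        return ["soft delete state not reported"]
    if str(state).lower() not in PASSING_STATES:
        return [f"soft delete state is {state}"]
    days = props.get("softDeleteRetentionPeriodInDays")
    # Retention is only checked when the vault reports it.
    if days is not None and days < min_days:
        return [f"retention of {days} days is below the {min_days}-day minimum"]
    return []


def audit(configs, min_days=MIN_RETENTION_DAYS):
    """Map vault name to findings for every non-compliant vault."""
    report = {}
    for cfg in configs:
        findings = audit_vault(cfg, min_days)
        if findings:
            report[cfg.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"FAIL {name}: {'; '.join(findings)}")
```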
Implementation Plan:
Using Azure Portal:
1. Navigate to the Backup Vault settings.
2. Enable the Soft Delete feature.
3. Set the retention period according to organizational policy (default is 14 days).
4. Save changes and confirm configuration.
Using Azure CLI:
1. Enable Soft Delete on the vault:
az backup vault backup-properties set --name <vault-name> --resource-group <resource-group> --soft-delete-feature-state Enable
2. Confirm the update by re-running the show command.
Backout Plan:
Using Azure Portal:
1. Disable Soft Delete by setting the feature state to Disabled if necessary.
2. Review potential data loss risks before disabling.
Using Azure CLI:
1. Disable Soft Delete:
az backup vault backup-properties set --name <vault-name> --resource-group <resource-group> --soft-delete-feature-state Disable