Storage account blob service soft delete is disabled Affecting Storage service in Azure


Severity: high
Score: 0.0
Severity framework: Snyk CCSS
Rule category: Data / Restoration

Frameworks: CIS-Azure, CIS-Controls
  • Snyk ID: SNYK-CC-00481
  • Credit: Snyk Research Team

Description

Blob soft delete keeps deleted or overwritten blobs recoverable for a configured retention period instead of removing them immediately. Enabling it protects data both from user error and from a malicious actor who deliberately deletes blobs, since the data can still be undeleted until the retention period expires. Note that this setting covers blobs only; deletion of a whole container is governed by the separate containerDeleteRetentionPolicy, and deleting the storage account itself is not covered by either.

How to fix?

On the Microsoft.Storage/storageAccounts/blobServices resource, set properties.deleteRetentionPolicy.enabled to true and properties.deleteRetentionPolicy.days to 7 or greater (Azure accepts retention periods from 1 to 365 days; the rule requires at least 7). A blobServices resource with no deleteRetentionPolicy at all should be treated as non-compliant, because the template then gives no evidence that soft delete is on.
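The check below is an added example, not Snyk's rule engine or any Microsoft code: it walks the resources of an ARM template and reports every blobServices resource whose deleteRetentionPolicy is missing, disabled, or set below 7 days, which is exactly the condition the fix above describes. The sample template embedded in it is constructed for illustration (the storage account names are made up) and is not from the original page.

```python
"""Flag Azure blobServices resources without adequate blob soft delete.

Added example (not Snyk's or Microsoft's code). It evaluates the condition
described in the rule: Microsoft.Storage/storageAccounts/blobServices must
have properties.deleteRetentionPolicy.enabled == true and days >= 7.
"""
from __future__ import annotations

import json
import sys

BLOB_SERVICES_TYPE = "Microsoft.Storage/storageAccounts/blobServices"
MIN_RETENTION_DAYS = 7  # threshold from the rule's "How to fix"


def check_blob_service(resource: dict) -> list[str]:
    """Return findings (empty if compliant) for one blobServices resource.

    A missing or non-boolean-true deleteRetentionPolicy is reported as
    disabled: the template then gives no evidence that soft delete is on.
    """
    if resource.get("type") != BLOB_SERVICES_TYPE:
        return []  # only blobServices resources carry this policy
    name = resource.get("name", "<unnamed>")
    policy = resource.get("properties", {}).get("deleteRetentionPolicy")
    if not policy or policy.get("enabled") is not True:
        return [f"{name}: blob soft delete is disabled"]
    days = policy.get("days")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(days, bool) or not isinstance(days, int) or days < MIN_RETENTION_DAYS:
        return [f"{name}: deleteRetentionPolicy.days is {days!r}, expected >= {MIN_RETENTION_DAYS}"]
    return []


def check_template(template: dict) -> list[str]:
    """Collect findings across all resources of a parsed ARM template."""
    findings: list[str] = []
    for res in template.get("resources", []):
        findings.extend(check_blob_service(res))
    return findings


# Constructed sample template (hypothetical account names): one compliant
# blob service, one with soft delete disabled, one with retention too short,
# plus an unrelated storageAccounts resource that the check must ignore.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": BLOB_SERVICES_TYPE,
            "apiVersion": "2021-06-01",
            "name": "stgood/default",
            "properties": {"deleteRetentionPolicy": {"enabled": True, "days": 7}},
        },
        {
            "type": BLOB_SERVICES_TYPE,
            "apiVersion": "2021-06-01",
            "name": "stdisabled/default",
            "properties": {"deleteRetentionPolicy": {"enabled": False}},
        },
        {
            "type": BLOB_SERVICES_TYPE,
            "apiVersion": "2021-06-01",
            "name": "stshort/default",
            "properties": {"deleteRetentionPolicy": {"enabled": True, "days": 3}},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-06-01",
            "name": "stgood",
        },
    ],
}


if __name__ == "__main__":
    # Optionally pass a path to a real ARM template; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    for finding in check_template(template) or ["no findings"]:
        print(finding)
```

For an account that already exists, the equivalent fix with the Azure CLI is `az storage account blob-service-properties update --account-name <name> --resource-group <rg> --enable-delete-retention true --delete-retention-days 7`; the check above is for catching the gap in templates before they are deployed.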

Example Configuration

{
    "type": "Microsoft.Storage/storageAccounts/blobServices",
    "apiVersion": "2021-06-01",
    "name": "azure-648-allowed/default",
    "properties": {
        "deleteRetentionPolicy": {
            "days": 7,
            "enabled": true
        },
        "isVersioningEnabled": true
    }
}