Azure Storage should have soft delete enabled
Warning: This rule will be deprecated on 18 December 2023 as part of the update to Azure CIS version 2.0.0.
Description
Azure Storage blobs contain ePHI, financial, secret, or personal data. If they are erroneously modified or accidentally deleted by an application or another storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling the soft delete configuration, which retains and allows recovery of blobs or blob snapshots after they are deleted.
Rationale
A user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do so deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable the recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for the period set in the retention policy. Retention periods can be set from 7 days to 365 days.
From the console
- Go to Storage Account
- For each Storage Account, navigate to Data Protection
- Select Set soft delete enabled and enter the number of days to retain soft deleted data.
Azure Command-Line Interface:
Update the retention days and enable the delete policy with the following command:
az storage blob service-properties delete-policy update --days-retained <RetentionDaysValue> --account-name <StorageAccountName> --enable true
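The following POSIX shell script is an added example, not part of the CIS rule page or of Azure CLI. It audits the output of az storage blob service-properties delete-policy show (JSON of the form {"days": <n>, "enabled": <true|false>}) against this rule's requirement (enabled, retention between 7 and 365 days), loops over every storage account in the current subscription, and wraps the page's remediation command. The function names and the sample policy strings are constructed for the example; the audit loop assumes an authenticated az session.

```shell
#!/bin/sh
# Added example (not from the CIS rule page): audit and remediate blob soft delete.
# Input format assumed is the flat JSON printed by
#   az storage blob service-properties delete-policy show --account-name <name> -o json
# e.g. {"days": 30, "enabled": true}

# Extract a scalar field from the flat JSON above (hypothetical helper; not a full parser).
json_field() {
  # $1 = json text, $2 = field name
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([^,}[:space:]]*\).*/\1/p"
}

# Evaluate one account's policy against the rule: enabled must be true and
# retention must be 7..365 days. Returns 0 when compliant, 1 otherwise.
check_soft_delete() {
  policy="$1"
  enabled=$(json_field "$policy" enabled)
  days=$(json_field "$policy" days)
  case "$days" in ''|*[!0-9]*) days=0 ;; esac   # non-numeric or missing -> treat as 0
  if [ "$enabled" = "true" ] && [ "$days" -ge 7 ] && [ "$days" -le 365 ]; then
    echo "PASS: soft delete enabled, retention ${days} days"
    return 0
  fi
  echo "FAIL: enabled=${enabled:-null} days=${days}"
  return 1
}

# Audit every storage account in the current subscription (requires az login).
audit_subscription() {
  for acct in $(az storage account list --query '[].name' -o tsv); do
    policy=$(az storage blob service-properties delete-policy show --account-name "$acct" -o json)
    printf '%s: ' "$acct"
    check_soft_delete "$policy" || true   # keep auditing the remaining accounts
  done
}

# Remediation for a non-compliant account: the page's own command.
# $1 = storage account name, $2 = retention days (7..365)
enable_soft_delete() {
  az storage blob service-properties delete-policy update \
    --days-retained "$2" --account-name "$1" --enable true
}

# Constructed sample policy outputs for offline demonstration.
SAMPLE_COMPLIANT='{"days": 30, "enabled": true}'
SAMPLE_DISABLED='{"days": 0, "enabled": false}'
SAMPLE_TOO_SHORT='{"days": 3, "enabled": true}'

# Usage (offline): check_soft_delete "$SAMPLE_COMPLIANT"
# Usage (live):    audit_subscription; enable_soft_delete mystorageacct 30
```

Run audit_subscription after az login to list every account with its verdict; for each FAIL line, call enable_soft_delete with the account name and the retention period your policy requires. The JSON extraction is deliberately minimal and only suited to the flat output of this one az command; use jq for anything more structured.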
References
- https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete
CIS Controls
Version 7: 10 - Data Recovery Capabilities