Enable Soft Delete for Container Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Soft Delete protection feature is enabled for your Microsoft Azure container registries to maintain data integrity and prevent costly downtime. When enabled, Soft Delete allows for the recovery of images, tags, and other artifacts in most deletion scenarios. If you've deleted items that you want to retain, be sure to restore them before the scheduled purge date.

Security

Enabling Soft Delete for Azure Container Registries helps protect against accidental or malicious deletions, allowing recovery of deleted images and artifacts for a specified retention period. It enhances data security, compliance, and operational continuity by preventing disruptions to DevOps pipelines and reducing the need for rebuilding lost images.


Audit

To determine if the Soft Delete feature is enabled for your Azure container registries, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the navigation panel, under Settings, select Properties, and check the Soft delete configuration setting to determine if the protection feature is enabled for your container registry. If the Soft delete setting checkbox is unchecked, the Soft Delete feature is not enabled for the selected Microsoft Azure container registry.

07 Repeat steps no. 5 and 6 for each Azure container registry available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run acr list command (Windows/macOS/Linux) with custom output filters to describe the name of each Azure container registry available in the current subscription:

az acr list \
  --output table \
  --query '[*].{name:name}'

05 The command output should return the requested container registry names:

Name
-------------------------
Project5ContainerRegistry
DevAIContainerRegistry

06 Run acr config soft-delete show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to determine if the Soft Delete feature is enabled for the selected container registry:

az acr config soft-delete show \
  --registry Project5ContainerRegistry \
  --query 'status'

07 The command output should return the Soft Delete feature status:

"disabled"

If the acr config soft-delete show command output returns "disabled", as shown in the example above, the Soft Delete protection feature is not enabled for the selected Microsoft Azure container registry.

08 Repeat steps no. 6 and 7 for each Azure container registry available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable and configure Soft Delete for your Microsoft Azure container registries, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to configure.

06 In the navigation panel, under Settings, select Properties, and perform the following actions:

  1. Check the Soft delete setting checkbox to enable the Soft Delete feature for the selected Azure container registry.
  2. For Retention days before purge, set the number of days (between 1 and 90) for retaining the soft-deleted artifacts. Your soft-deleted artifacts are automatically purged after the retention period expires.
  3. Choose Save to apply the configuration changes.

07 Repeat steps no. 5 and 6 for each Azure container registry that you want to configure, available within the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run acr config soft-delete update command (Windows/macOS/Linux) with the name of the Azure container registry that you want to configure as the identifier parameter to enable the Soft Delete protection feature for the selected container registry. Use the --days parameter to set the number of days (between 1 and 90) for retaining the soft-deleted artifacts; they are automatically purged after the retention period expires. If the --days parameter is omitted, the default retention period is 7 days:

az acr config soft-delete update \
  --registry Project5ContainerRegistry \
  --status enabled \
  --days 30 \
  --yes

05 The command output should return the information available for the Soft Delete feature:

{
	"lastUpdatedTime": "2024-10-18T06:04:55.338983+00:00",
	"retentionDays": 30,
	"status": "enabled"
}

06 Repeat steps no. 4 and 5 for each Azure container registry that you want to configure, available in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription available in your Microsoft Azure cloud account.
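The Audit CLI steps 01-09 and Remediation CLI step 04 above, chained into one script as an added example (not code from this Conformity page or from the Azure CLI). The runner indirection, demo_runner, _CANNED and the min_days threshold are assumptions introduced here so the logic runs offline against constructed output; pass runner=az to work against a real tenant.

```python
import json
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]  # executes one `az ...` command, returns its stdout

def az(args: List[str]) -> str:
    """Invoke the real Azure CLI; stdout is JSON unless --output overrides it."""
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout

def assess(registry: str, show_output: str, min_days: int = 1) -> Dict:
    """Turn `az acr config soft-delete show` JSON into a finding. min_days is an
    assumption added here; the page itself only requires status 'enabled'."""
    cfg = json.loads(show_output)
    days = cfg.get("retentionDays")
    ok = cfg.get("status") == "enabled" and isinstance(days, int) and min_days <= days <= 90
    return {"registry": registry, "status": cfg.get("status"), "retentionDays": days, "compliant": ok}

def audit(runner: Runner = az, min_days: int = 1) -> List[Dict]:
    """Audit steps 01-09: every subscription, every registry, one finding each."""
    findings = []
    for sub in json.loads(runner(["account", "list", "--query", "[*].id"])):
        runner(["account", "set", "--subscription", sub])  # prints nothing
        for reg in json.loads(runner(["acr", "list", "--query", "[*].name"])):
            out = runner(["acr", "config", "soft-delete", "show", "--registry", reg])
            findings.append({"subscription": sub, **assess(reg, out, min_days)})
    return findings

def remediate(findings: List[Dict], days: int = 30, runner: Runner = az) -> List[str]:
    """Remediation step 04 for each non-compliant finding; returns the registries fixed."""
    fixed = []
    for f in [f for f in findings if not f["compliant"]]:
        runner(["account", "set", "--subscription", f["subscription"]])
        runner(["acr", "config", "soft-delete", "update", "--registry", f["registry"],
                "--status", "enabled", "--days", str(days), "--yes"])
        fixed.append(f["registry"])
    return fixed

# Constructed sample CLI output (not real tenant data) so the example runs offline.
_CANNED = {"subs": '["abcdabcd-1234-abcd-1234-abcdabcdabcd"]',
           "regs": '["Project5ContainerRegistry", "DevAIContainerRegistry"]',
           "Project5ContainerRegistry": '{"retentionDays": 7, "status": "disabled"}',
           "DevAIContainerRegistry": '{"retentionDays": 30, "status": "enabled"}'}

def demo_runner(args: List[str]) -> str:
    """Stand-in for az() that answers from _CANNED instead of calling the CLI."""
    key = {("account", "list"): "subs", ("acr", "list"): "regs"}.get(tuple(args[:2]))
    if key is None and args[:4] == ["acr", "config", "soft-delete", "show"]:
        key = args[-1]  # the --registry value
    return _CANNED.get(key, "")  # `account set` / `update` produce nothing we need

if __name__ == "__main__":  # offline demo; use runner=az against a live tenant
    print(audit(demo_runner), remediate(audit(demo_runner), runner=demo_runner))
```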

Publication date Oct 23, 2024