Ensure that Immutable Blob Storage feature is enabled for Microsoft Azure Storage blob containers that hold sensitive and business-critical information. Immutable Blob Storage enables you to store critical, production data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified time interval. Azure blob objects can be created and read, but not modified or deleted, for the duration of the retention interval configured. The feature supports two types of policies that you can apply to a container for retaining the data within the specified container in a non-modifiable and delete-protected state:
1. A time-based immutability policy – this policy can be used for regulatory compliance to lock data from future edits. Once the policy is locked, it cannot be unlocked.
2. A legal hold policy – this allows you to set an indefinite hold on all the blob objects within a container. When a legal hold is set, the data inside the container moves to a delete-protected and modify-protected state.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
The Immutable Blob Storage feature made available by the Microsoft Azure Storage service helps you store your blob objects in an immutable form, providing an additional layer of protection against object modification and deletion. The feature is also useful when you have to meet regulatory requirements for data protection, as immutable storage helps healthcare organizations, financial institutions, and related industries store data in a secure and protected way.
Note: Please make sure that access from your allowed networks is granted through Azure Storage network rules (virtual network rules or IP address ranges configured in the storage account firewall) before you start using the Azure CLI or PowerShell.
Audit
To determine if Immutable Blob Storage is enabled for your Azure Storage blob objects, perform the following actions:
Remediation / Resolution
To enable and configure the Immutable Blob Storage protection feature for the Microsoft Azure blob containers that store business-critical and sensitive information, perform the following actions:
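As an added audit and remediation example (not the Conformity rule's own steps and not Microsoft's code), the following Python classifies container records like those returned by `az storage container-rm list`, distinguishing a locked time-based policy or a legal hold from a merely unlocked policy, and builds the `az` commands that attach a retention policy to unprotected containers; the record field names, the storage account and resource group names, and the sample data are assumptions.

```python
import json
import subprocess

# Constructed sample records shaped like `az storage container-rm list` output
# (assumed fields: hasLegalHold, hasImmutabilityPolicy, immutabilityPolicy.state).
SAMPLE_CONTAINERS = [
    {"name": "audit-logs", "hasLegalHold": False, "hasImmutabilityPolicy": True,
     "immutabilityPolicy": {"state": "Locked", "immutabilityPeriodSinceCreationInDays": 2555}},
    {"name": "legal-evidence", "hasLegalHold": True, "hasImmutabilityPolicy": False,
     "immutabilityPolicy": None},
    {"name": "staging", "hasLegalHold": False, "hasImmutabilityPolicy": True,
     "immutabilityPolicy": {"state": "Unlocked", "immutabilityPeriodSinceCreationInDays": 30}},
    {"name": "backups", "hasLegalHold": False, "hasImmutabilityPolicy": False,
     "immutabilityPolicy": None},
]

def list_containers(account: str, resource_group: str) -> list:
    """Fetch container records (management plane) from the Azure CLI as parsed JSON."""
    cmd = ["az", "storage", "container-rm", "list", "--storage-account", account,
           "--resource-group", resource_group, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def classify(container: dict) -> str:
    """PROTECTED: legal hold or a locked time-based policy (real WORM state).
    UNLOCKED: a time-based policy exists but is unlocked, so it can still be
    shortened or deleted. UNPROTECTED: neither policy type is applied."""
    if container.get("hasLegalHold"):
        return "PROTECTED"
    policy = container.get("immutabilityPolicy") or {}
    if policy.get("state") == "Locked":
        return "PROTECTED"
    if policy or container.get("hasImmutabilityPolicy"):
        return "UNLOCKED"
    return "UNPROTECTED"

def audit(containers: list) -> dict:
    """Map each container name to its protection status."""
    return {c["name"]: classify(c) for c in containers}

def remediation_commands(account: str, resource_group: str, containers: list,
                         retention_days: int = 365) -> list:
    """Build `az` argv lists that attach a time-based policy to each UNPROTECTED
    container. Locking it is a separate, irreversible step (see usage note)."""
    cmds = []
    for name, status in audit(containers).items():
        if status == "UNPROTECTED":
            cmds.append(["az", "storage", "container", "immutability-policy", "create",
                         "--account-name", account, "--resource-group", resource_group,
                         "--container-name", name, "--period", str(retention_days)])
    return cmds
```

Lock a policy only after confirming the retention period, with `az storage container immutability-policy lock --account-name <account> --container-name <name> --if-match <etag>`, where the etag comes from `az storage container immutability-policy show`; a locked policy can be extended but never shortened or removed. A legal hold is applied separately with `az storage container legal-hold set --account-name <account> --container-name <name> --tags <tag>`.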