Enable Immutable Blob Storage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-012

Ensure that Immutable Blob Storage feature is enabled for Microsoft Azure Storage blob containers that hold sensitive and business-critical information. Immutable Blob Storage enables you to store critical, production data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified time interval. Azure blob objects can be created and read, but not modified or deleted, for the duration of the retention interval configured. The feature supports two types of policies that you can apply to a container for retaining the data within the specified container in a non-modifiable and delete-protected state:

1. A time-based immutability policy – this policy can be used for regulatory compliance to lock data from future edits. Once the policy is locked, it cannot be unlocked.

2. A legal hold policy – this allows you to set an indefinite hold on all the blob objects within a container. When a legal hold is set, the data inside the container moves to a delete-protected and modify-protected state.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Immutable Blob Storage feature made available by the Microsoft Azure Storage service helps you store your blob objects in an immutable form, providing an additional layer of protection against object modification and deletion. The feature is also useful when you have to meet regulatory requirements for data protection, as immutable storage helps healthcare organizations, financial institutions, and related industries store data in a secure and protected way.

Note: Please make sure to grant access to allowed networks using network rules or IP ranges using firewalls before you start using Azure CLI and PowerShell.


Audit

To determine if Immutable Blob Storage is enabled for your Azure Storage blob objects, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to examine.

05 In the navigation panel, under Blob service, click Containers to access the blob containers available in the selected storage account.

06 Click on the name of the Azure blob container that you want to examine.

07 In the navigation panel, under Settings, click Access policy to open the associated access policy.

08 On the Access policy configuration page, check the Immutable blob storage list for any defined retention policies. If there are no retention policies configured for immutable storage, the Immutable Blob Storage protection feature is not enabled for the selected Azure Storage blob container.

09 Repeat steps no. 6 – 8 for each blob container that holds critical data, created within the current Azure Storage account.

10 Repeat steps no. 4 – 9 for each storage account available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the identifier for each storage account available in the current Azure subscription:

az storage account list \
    --query '[*].name'

02 The command output should return the requested storage account identifiers (names):

[
  "abcdabcdabcd123412341234",
  "abcd1234abcd1234abcd1234"
]

03 Run storage container list command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to describe the configuration status of the immutability storage retention policies (i.e. time-based immutability policy and legal hold policy) configured for each blob container available in the selected storage account:

az storage container list \
    --account-name "abcdabcdabcd123412341234" \
    --query '[*].{"ContainerName":name, "TimeBasedRetentionPolicy":properties.hasImmutabilityPolicy, "LegalHoldPolicy":properties.hasLegalHold}'

04 The command output should return the name of each provisioned blob container along with the configuration status for the immutability storage retention policies (true for enabled, false for disabled):

[
  {
    "ContainerName": "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
    "TimeBasedRetentionPolicy": false,
    "LegalHoldPolicy": false
  },
  {
    "ContainerName": "ccinternal-1234abcd-1234-abcd-1234-abcd1234abcd",
    "TimeBasedRetentionPolicy": false,
    "LegalHoldPolicy": false
  },
  {
    "ContainerName": "ccinternal-abcd1234-abcd-1234-abcd-1234abcd1234",
    "TimeBasedRetentionPolicy": false,
    "LegalHoldPolicy": false
  },
  {
    "ContainerName": "cclogging-12341234-abcd-abcd-abcd-1234abcd1234",
    "TimeBasedRetentionPolicy": false,
    "LegalHoldPolicy": false
  }
]

Check the time-based immutability policy status ("TimeBasedRetentionPolicy" attribute value) and the legal hold policy status (i.e. "LegalHoldPolicy" value) for each blob container that holds business-critical data, available within the selected storage account. If both of these policies have the configuration status set to false, the Immutable Blob Storage protection feature is not enabled for the associated Azure blob container, therefore the container data is not protected against modification or deletion.

05 Repeat steps no. 3 and 4 for each storage account available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
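The following is an added example (not part of the Conformity page) that automates CLI audit steps 1 to 5 for the current subscription: it runs the same two `az` commands shown above and flags every container that has neither a time-based immutability policy nor a legal hold. The container data embedded in the block is constructed to mirror the page's sample output; `run_audit()` needs the `az` CLI and an authenticated session.

```python
"""Evaluate `az storage container list` output against StorageAccounts-012."""
import json
import subprocess

# Constructed sample in the shape produced by the page's --query filter.
# The az CLI emits JSON booleans here, not the string "false".
SAMPLE_CONTAINERS = json.loads("""[
  {"ContainerName": "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
   "TimeBasedRetentionPolicy": false, "LegalHoldPolicy": false},
  {"ContainerName": "ccinternal-1234abcd-1234-abcd-1234-abcd1234abcd",
   "TimeBasedRetentionPolicy": true,  "LegalHoldPolicy": false},
  {"ContainerName": "cclogging-12341234-abcd-abcd-abcd-1234abcd1234",
   "TimeBasedRetentionPolicy": false, "LegalHoldPolicy": true}
]""")

# Same JMESPath query as the audit step on the page.
QUERY = ('[*].{"ContainerName":name,'
         '"TimeBasedRetentionPolicy":properties.hasImmutabilityPolicy,'
         '"LegalHoldPolicy":properties.hasLegalHold}')


def _flag(value) -> bool:
    """Accept JSON booleans and, defensively, the strings "true"/"false"."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def is_immutable(container: dict) -> bool:
    """A container passes when either immutability mechanism is in place."""
    return _flag(container.get("TimeBasedRetentionPolicy")) or \
        _flag(container.get("LegalHoldPolicy"))


def find_unprotected(containers: list) -> list:
    """Names of the containers that fail the rule (no policy, no legal hold)."""
    return [c["ContainerName"] for c in containers if not is_immutable(c)]


def az_json(*args: str):
    """Run an az CLI command and parse its JSON output (requires `az`)."""
    proc = subprocess.run(["az", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def run_audit() -> dict:
    """Map each storage account in the subscription to its failing containers."""
    findings = {}
    for account in az_json("storage", "account", "list", "--query", "[*].name"):
        containers = az_json("storage", "container", "list",
                             "--account-name", account, "--query", QUERY)
        findings[account] = find_unprotected(containers)
    return findings
```

Run `az account set --subscription <id>` first and call `run_audit()` once per subscription to cover step 6.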

Remediation / Resolution

To enable and configure the Immutable Blob Storage protection feature for the Microsoft Azure blob containers that store business-critical and sensitive information, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to access.

05 In the navigation panel, under Blob service, click Containers to open the list with the blob containers available in the selected storage account.

06 Click on the name of the Azure blob container that you want to reconfigure in order to keep its data in an immutable state.

07 In the navigation panel, under Settings, click Access policy to open the associated access policy.

08 On the Access policy configuration page, under Immutable blob storage, click Add policy to add one or both of the required immutability storage retention policies. A blob container can have both a time-based retention policy and a legal hold at the same time. All data in the container stays immutable until every legal hold is cleared, even if the effective retention period has already expired; conversely, a blob stays immutable until its effective retention period expires, even after all legal holds have been cleared:

  1. To add and configure a time-based immutability policy, select Time-based retention from the Policy type dropdown list and provide the required retention interval in days (between 1 and 146000 days) in the Set retention period for box. Click OK to save the changes. The initial state of the time-based retention policy is unlocked, which allows you to test the feature and make changes to the policy before you lock it. Locking the policy is essential for compliance regulations such as SEC 17a-4. To lock the policy, right-click the newly added policy and select the Lock policy option. In the confirmation box, type yes to confirm the changes, then click OK. The policy is now locked and cannot be deleted; only extensions of the retention interval are allowed. Once the policy status changes to Locked, blob deletes and overwrites are no longer permitted.
  2. To add and configure a legal hold policy, select Legal hold from the Policy type dropdown list and provide one or more tags (representing identifiers) in the Tag box. Each legal hold policy must be associated with a user-defined alphanumeric tag that is used as an identifier string. Once a legal hold policy is set, Azure blob objects can be created and read, but not modified or deleted; all existing and new blobs stay immutable until the legal hold is cleared. To clear a legal hold, remove the associated identifier tag.

09 Repeat steps no. 6 – 8 for each blob container that holds critical data, available in the current Azure Storage account.

10 Repeat steps no. 4 – 9 for each storage account available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 To add a time-based immutability policy, a legal hold policy, or both to the Azure blob container that you want to reconfigure in order to keep its data in an immutable state, run the corresponding Azure CLI commands below. A blob container can have both a time-based retention policy and a legal hold at the same time. All data in the container stays immutable until every legal hold is cleared, even if the effective retention period has already expired; conversely, a blob stays immutable until its effective retention period expires, even after all legal holds have been cleared:

  1. To create and configure a time-based immutability policy:
    • Run storage container immutability-policy create command (Windows/macOS/Linux) using the name of the Azure blob container that you want to reconfigure as identifier parameter, to create an unlocked time-based immutability policy with a retention period of 90 days for the specified container:
      az storage container immutability-policy create \
          --account-name "abcdabcdabcd123412341234" \
          --container-name "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd" \
          --period 90
      
    • The command output should return the configuration metadata for the storage container immutability-policy create command request (including the immutability policy version ETag):
      {
        "etag": "\"abcdabcdabcdabc\"",
        "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234/blobServices/default/containers/ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd/immutabilityPolicies/default",
        "immutabilityPeriodSinceCreationInDays": 90,
        "name": "default",
        "resourceGroup": "cloud-shell-storage-westeurope",
        "state": "Unlocked",
        "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies"
      }
      
    • Run storage container immutability-policy lock command (Windows/macOS/Linux) using the immutability policy version ETag as identifier parameter to lock the time-based immutability policy created at the previous step. Locking is irreversible, so verify the retention period before running this command:
      az storage container immutability-policy lock \
          --account-name "abcdabcdabcd123412341234" \
          --container-name "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd" \
          --if-match "\"abcdabcdabcdabc\""
      
    • The command output should return the configuration metadata for the updated (locked) policy:
      {
        "etag": "\"abcdabcdabcdbac\"",
        "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234/blobServices/default/containers/ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd/immutabilityPolicies/default",
        "immutabilityPeriodSinceCreationInDays": 90,
        "name": "default",
        "resourceGroup": "cloud-shell-storage-westeurope",
        "state": "Locked",
        "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies"
      }
      
  2. To create and configure a legal hold policy:
    • Run storage container legal-hold set command (Windows/macOS/Linux) using the name of the Azure blob container that you want to reconfigure as identifier parameter, to create and configure a legal hold policy with a legal hold tag for the selected blob container. The tag (e.g. "customerLogs") is useful for identification and can be between 3 and 23 alphanumeric characters:
      az storage container legal-hold set \
          --account-name "abcdabcdabcd123412341234" \
          --container-name "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd" \
          --tags customerLogs
      
    • The command output should return the storage container legal-hold set command request metadata:
      {
        "hasLegalHold": true,
        "tags": [
          "customerlogs"
        ]
      }
      

02 Repeat step no. 1 for each blob container that holds business-critical and sensitive data, available in the selected Azure Storage account.

03 Repeat steps no. 1 and 2 for each storage account available in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription available in your Microsoft Azure cloud account.
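The following is an added example (not part of the Conformity page) that chains the two CLI remediation commands for a time-based policy: it creates the policy, reads the ETag out of the create output, passes it to the lock command, and then confirms the returned state is Locked. Account and container names are the placeholders from the page's sample output; `create_and_lock()` needs the `az` CLI and an authenticated session.

```python
"""Create and lock a time-based immutability policy, wiring the ETag through."""
import json
import subprocess


def policy_etag(create_output: str) -> str:
    """Extract the ETag from `az storage container immutability-policy create`.

    The ETag value includes its own double quotes (e.g. "abcdabcdabcdabc"),
    and `--if-match` expects exactly that quoted form, so it is returned as-is."""
    etag = json.loads(create_output)["etag"]
    if not (etag.startswith('"') and etag.endswith('"')):
        raise ValueError(f"unexpected ETag format: {etag!r}")
    return etag


def lock_command(account: str, container: str, etag: str) -> list:
    """Build the lock command (kept separate so it can be checked offline)."""
    return ["az", "storage", "container", "immutability-policy", "lock",
            "--account-name", account, "--container-name", container,
            "--if-match", etag, "-o", "json"]


def _az(cmd: list) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def create_and_lock(account: str, container: str, days: int = 90) -> str:
    """Return the final policy state; anything other than "Locked" is an error.

    Locking is irreversible (the period can only be extended afterwards),
    so the retention period is a parameter rather than a hard-coded value."""
    created = _az(["az", "storage", "container", "immutability-policy", "create",
                   "--account-name", account, "--container-name", container,
                   "--period", str(days), "-o", "json"])
    locked = _az(lock_command(account, container, policy_etag(created)))
    state = json.loads(locked)["state"]
    if state != "Locked":
        raise RuntimeError(f"policy on {container} is {state}, expected Locked")
    return state


# Constructed sample mirroring the create output shown on the page.
SAMPLE_CREATE_OUTPUT = '{"etag": "\\"abcdabcdabcdabc\\"", "state": "Unlocked"}'

if __name__ == "__main__":
    print(create_and_lock("abcdabcdabcd123412341234",
                          "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd"))
```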

Publication date Dec 17, 2019