
Check for Sufficient Soft Deleted Data Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-013

Ensure that your Microsoft Azure Storage blob objects have a sufficient soft deleted data retention period configured for security and compliance purposes. The retention period is the amount of time that soft deleted data is stored and remains available for recovery. Before the Cloud Conformity engine runs this rule, the required retention period must be configured within the rule settings on the Cloud Conformity account dashboard. The rule can be configured to require that soft deleted data is retained for a period between 1 and 365 days.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

You can configure the amount of time that soft deleted data remains recoverable before it is permanently deleted. Setting an optimal soft deleted data retention period for Azure Storage blob objects (blobs and snapshots) keeps your data recovery strategy aligned with the best practices and compliance regulations adopted within your organization. Retaining blob soft deleted data for a longer period of time lets you handle data restoration more efficiently in the event of a failure or an accidental deletion.

Audit

To determine if your Azure Storage blob objects have a sufficient soft deleted data retention period configured, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity account, access Check for Sufficient Soft Deleted Data Retention Period conformity rule settings and note the retention period configured for this rule.

02 Sign in to Azure Management Console.

03 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

04 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the navigation panel, under Blob service, click Data Protection to access the Soft Delete feature configuration settings. Soft Delete enables you to save and recover blob data in case your Azure Storage blobs or blob snapshots are deleted or overwritten. If Soft Delete is disabled, follow the steps outlined in this conformity rule to enable the feature.

07 On the Data Protection configuration page, under Recovery, check the value available in the Keep deleted blobs for (in days) box. If the configuration value differs from the retention period identified at step no. 1, the blob objects stored within the selected Microsoft Azure Storage account do not have a sufficient soft deleted data retention period currently configured.

08 Repeat steps no. 5 – 7 for each storage account provisioned in the selected subscription.

09 Repeat steps no. 4 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Check for Sufficient Soft Deleted Data Retention Period conformity rule settings and note the retention period configured for this rule.

02 Run storage account list command (Windows/macOS/Linux) with a custom query filter to list the name (identifier) of each storage account available in the current Azure subscription:

az storage account list \
    --query '[*].name'

03 The command output should return the requested storage account names:

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234"
]

04 Run storage blob service-properties delete-policy show command (Windows/macOS/Linux) with the name of the storage account that you want to examine as the identifier parameter and a custom query filter, to describe the soft deleted data retention period configured for the selected Azure Blob Storage account:

az storage blob service-properties delete-policy show \
    --account-name abcd1234abcd1234abcd1234 \
    --query 'days'

05 The command output should return the Soft Delete feature retention period in number of days:

5

If the storage blob service-properties delete-policy show command returns no output, the Soft Delete feature is disabled, and you can follow the steps outlined in this conformity rule to enable it. If the value returned by the command differs from the retention period identified at step no. 1, the selected Microsoft Azure Storage account does not have a sufficient soft deleted data retention period set for its blob objects.

06 Repeat step no. 4 and 5 for each storage account available in the current subscription.

07 Repeat steps no. 2 – 6 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure the optimal soft deleted data retention period for your Azure Storage blob objects, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity account, access Check for Sufficient Soft Deleted Data Retention Period conformity rule settings and copy the retention period configured for the specified rule.

02 Sign in to Azure Management Console.

03 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

04 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

05 Click on the name of the Azure Storage account that you want to reconfigure.

06 In the navigation panel, under Blob service, click Data Protection to access the Soft Delete feature configuration settings.

07 On the Data Protection page, under Recovery, paste the value copied at step no. 1 in the Keep deleted blobs for (in days) box, then click Save to apply the changes. Note that the updated retention period will only apply to newly deleted data. Previously deleted blob data will expire based on the retention period that was configured when that data was deleted.

08 Repeat steps no. 5 – 7 for each storage account available in the selected Azure subscription.

09 Repeat steps no. 4 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Check for Sufficient Soft Deleted Data Retention Period conformity rule settings and copy the retention period configured for the specified rule.

02 Run storage blob service-properties delete-policy update command (Windows/macOS/Linux) with the name of the storage account that you want to reconfigure as the identifier parameter, to update the soft deleted data retention period configured for the selected Azure Storage account to the value copied at step no. 1. The following command example sets the soft deleted data retention period to 90 days:

az storage blob service-properties delete-policy update \
    --account-name abcd1234abcd1234abcd1234 \
    --days-retained 90

03 The command output should return the available metadata for the command request:

{
  "days": 90,
  "enabled": true
}

04 Repeat step no. 2 and 3 for each storage account created within the current subscription.

05 Repeat steps no. 2 – 4 for each subscription available in your Microsoft Azure cloud account.
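The audit and remediation CLI procedures above can be combined into one script that applies the page's decision rule (empty output means Soft Delete is disabled; any value that differs from the rule setting is non-compliant) to every storage account in the current subscription. This is an added example, not part of the Conformity rule page or the Azure CLI; the function names, the `fix` argument and the sample JSON outputs are constructed for illustration.

```bash
#!/usr/bin/env bash

# Decide the verdict for one storage account from the JSON that
# `az storage blob service-properties delete-policy show` prints.
# Prints DISABLED, NON_COMPLIANT or COMPLIANT. As in the rule text, any
# value that differs from the required period counts as non-compliant,
# and an empty output means Soft Delete is disabled.
evaluate_delete_policy() {
  local policy_json required_days enabled days
  policy_json=$(printf '%s' "$1" | tr -d '\n\r ')   # flatten the JSON
  required_days=$2
  case "$policy_json" in
    *'"enabled":true'*) enabled=true ;;
    *)                  enabled=false ;;
  esac
  days=$(printf '%s' "$policy_json" | sed -n 's/.*"days":\([0-9][0-9]*\).*/\1/p')
  if [ "$enabled" != true ] || [ -z "$days" ]; then
    echo DISABLED
  elif [ "$days" -ne "$required_days" ]; then
    echo NON_COMPLIANT
  else
    echo COMPLIANT
  fi
}

# Walk every storage account in the current subscription (audit steps 2-6).
# Pass "fix" as the second argument to apply remediation step 2 to each
# non-compliant account. Needs an authenticated `az` session; the
# constructed demo below never calls it.
audit_subscription() {
  local required_days=$1 fix=${2:-no} account json status
  for account in $(az storage account list --query '[*].name' -o tsv); do
    json=$(az storage blob service-properties delete-policy show \
             --account-name "$account" -o json || true)
    status=$(evaluate_delete_policy "$json" "$required_days")
    printf '%-24s %s\n' "$account" "$status"
    if [ "$status" != COMPLIANT ] && [ "$fix" = fix ]; then
      # The new period only applies to blobs deleted from now on.
      az storage blob service-properties delete-policy update \
        --account-name "$account" --days-retained "$required_days" -o none
    fi
  done
}

# Constructed sample outputs (not from a real tenant) against a 90-day rule:
evaluate_delete_policy '{"days": 5, "enabled": true}' 90    # NON_COMPLIANT
evaluate_delete_policy '{"days": 90, "enabled": true}' 90   # COMPLIANT
evaluate_delete_policy '' 90                                # DISABLED
```

Run `audit_subscription 90` after `az account set` for each subscription to cover steps 2 to 6 in one pass; append `fix` to remediate as you go.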

Publication date Dec 17, 2019