Skip to main content

More Info:

Ensure that your Microsoft Azure virtual machines (VMs) have a sufficient snapshot instant restore retention period configured for data security and internal compliance. Instant recovery snapshots are stored together with the VM disk volumes to speed up the recovery point creation and the restore operations. Azure VM instant restore retention period can range from a minimum of 1 day to a maximum of 5 days.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration “Virtual Machines Should Have Sufficient Instant Restore Retention Period” in Azure:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. In the left-hand menu, click on “Virtual machines”.
  3. Select the virtual machine that you want to remediate.
  4. In the virtual machine overview page, click on “Disks” under the “Settings” section.
  5. Select the managed disk that you want to remediate.
  6. Under the “Settings” section, click on “Backup”.
  7. In the “Backup policy” section, click on “Edit”.
  8. In the “Retention” section, set the “Instant restore snapshot retention range” to the desired value (e.g. 7 days).
  9. Click on “Save” to save the changes.
By following these steps, you have successfully remediated the misconfiguration “Virtual Machines Should Have Sufficient Instant Restore Retention Period” in Azure.

To remediate the misconfiguration “Virtual Machines Should Have Sufficient Instant Restore Retention Period” for Azure using Azure CLI, you can follow the below steps:
  1. Open Azure CLI and login to your Azure account using the command az login.
  2. Once you are logged in, check the current retention period of the virtual machine using the command az backup protection show --backup-management-type AzureIaasVM --query "items[].{VMName:name,RetentionPeriod:properties.instantRP.retentionPeriodInDays}".
  3. If the retention period is less than the required duration, update the retention period using the command az backup protection update-for-vm --resource-group <resource-group-name> --vault-name <vault-name> --vm-name <vm-name> --policy-name <policy-name> --retention-in-days <retention-period>. Note: Replace the placeholders <resource-group-name>, <vault-name>, <vm-name>, <policy-name> and <retention-period> with the actual values.
  4. Verify that the retention period has been updated by running the command az backup protection show --backup-management-type AzureIaasVM --query "items[].{VMName:name,RetentionPeriod:properties.instantRP.retentionPeriodInDays}".
  5. Once the retention period has been updated, the remediation is complete.
By following the above steps, you can remediate the misconfiguration “Virtual Machines Should Have Sufficient Instant Restore Retention Period” for Azure using Azure CLI.
To remediate the misconfiguration “Virtual Machines Should Have Sufficient Instant Restore Retention Period” in Azure using Python, you can use the Azure Python SDK to update the retention period of the virtual machine backups.Here are the steps to remediate the misconfiguration:
  1. Install the Azure Python SDK by running the following command: 
    pip install azure-mgmt-compute
  2. Authenticate with Azure by providing your subscription ID, tenant ID, client ID, and client secret. You can do this by creating a Service Principal and granting it the required permissions. 
    from azure.common.credentials import ServicePrincipalCredentials

subscription_id = '<your-subscription-id>'
credentials = ServicePrincipalCredentials(
    client_id='<your-client-id>',
    secret='<your-client-secret>',
    tenant='<your-tenant-id>'
)
  3. Use the ComputeManagementClient class from the Azure Python SDK to get a list of all the virtual machines in your subscription. 
    from azure.mgmt.compute import ComputeManagementClient

compute_client = ComputeManagementClient(credentials, subscription_id)
vm_list = compute_client.virtual_machines.list_all()
  4. For each virtual machine in the list, use the BackupManagementClient class from the Azure Python SDK to get the current retention policy for the virtual machine backups. 
    from azure.mgmt.recoveryservicesbackup import BackupManagementClient

backup_client = BackupManagementClient(credentials, subscription_id)
for vm in vm_list:
    backup_policy = backup_client.backup_policies.get(
        '<your-resource-group>',
        '<your-backup-policy-name>'
    )
    retention_period = backup_policy.instant_rp.retention_period_in_days
  5. If the retention period is less than the recommended value, update the retention policy using the BackupManagementClient class. 
    if retention_period < <recommended-retention-period>:
    backup_policy.instant_rp.retention_period_in_days = <recommended-retention-period>
    backup_client.backup_policies.create_or_update(
        '<your-resource-group>',
        '<your-backup-policy-name>',
        backup_policy
    )
  6. Run the script periodically to ensure that the retention policies of all virtual machines are up-to-date.
Note: Replace the placeholders <your-subscription-id>, <your-client-id>, <your-client-secret>, <your-tenant-id>, <your-resource-group>, <your-backup-policy-name>, and <recommended-retention-period> with your own values.

Additional Reading: