Enable Immutable Blob Storage
More Info:
Ensure that critical Azure Blob Storage data is protected from accidental deletion or modificationRisk Level
HighAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of enabling Immutable Blob Storage in Azure, you can follow the below steps:
- Login to Azure portal (https://portal.azure.com/)
- Navigate to the Storage Account where you want to enable Immutable Blob Storage.
- Click on the “Configuration” tab from the left-hand side menu.
- Scroll down to the “Data Protection” section and click on the “Immutability policies” option.
- Click on the ”+ Add” button to create a new Immutability policy.
- In the “Create Immutability Policy” blade, provide the following details:
- Name: A unique name for the policy
- Description: A brief description of the policy
- Immutability Period: The number of days for which the blobs should be kept immutable
- Allow Permanently Delete: Whether to allow permanently deleting the blobs during the immutability period
- Allow Rehydrate: Whether to allow rehydrating the blobs during the immutability period
- Click on the “Review + create” button to review the policy details.
- Once you have reviewed the details, click on the “Create” button to create the Immutability policy.
Using CLI
Using CLI
To remediate the “Enable Immutable Blob Storage” misconfiguration for Azure using Azure CLI, follow these steps:
- Open the Azure CLI on your computer.
-
Log in to your Azure account using the following command:
-
Once you are logged in, select the Azure subscription that contains the storage account that you want to remediate using the following command:
-
Get the resource ID of the storage account that you want to remediate using the following command:
-
Enable the immutable blob storage for the storage account using the following command:
This command sets the “supportsHttpsTrafficOnly” and “preventEncryptionScopeOverride” properties to “true”, which enables immutable blob storage.
-
Verify that the immutable blob storage has been enabled for the storage account by running the following command:
If the command returns “true”, then immutable blob storage has been enabled successfully.
Using Python
Using Python
To remediate the misconfiguration “Enable Immutable Blob Storage” in Azure using Python, you can follow these steps:This will enable immutable blob storage on the specified container for the specified retention period. Any attempt to modify or delete a blob within this period will result in an error.Note: Immutable blob storage is only available for the Azure Blob Storage tier, not for the Azure Data Lake Storage Gen2 tier.
- Install the Azure Blob Storage SDK for Python by running the following command in your terminal:
- Import the necessary modules:
- Authenticate with your Azure account by providing the connection string. You can obtain the connection string from the Azure Portal, under the “Access keys” section of your storage account.
- Choose the container that you want to enable immutable blob storage for:
- Set the immutable policy on the container: