Skip to main content

More Info:

Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration “Check for Sufficient Soft Deleted Data Retention Period” for Azure using the Azure console:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the storage account that you want to remediate.
  3. Click on the “Configuration” tab from the left-hand menu.
  4. Scroll down to the “Data Protection” section and click on the “Soft delete” option.
  5. Ensure that the “Soft delete” toggle is set to “On”.
  6. Set the “Retention period” to the desired value. The recommended retention period is 14 days.
  7. Click on the “Save” button to save the changes.
That’s it! You have successfully remediated the misconfiguration “Check for Sufficient Soft Deleted Data Retention Period” for Azure using the Azure console.

To remediate the misconfiguration of insufficient soft deleted data retention period in Azure, you can follow the below steps using Azure CLI:
  1. Open the Azure CLI in your terminal or command prompt.
  2. Run the following command to set the retention period for soft-deleted resources to 90 days (or any other value as per your requirement): 
    az account lock create --name soft-delete-retention-policy --lock-type CanNotDelete --notes "Retain soft-deleted resources for 90 days" --resource-type Microsoft.Resources/subscriptions --resource-group <your resource group> --resource <your subscription ID> --duration 90
    This command creates a new lock on your subscription to prevent the deletion of any soft-deleted resources. The lock is set for a duration of 90 days, which means that any soft-deleted resources will be retained for 90 days before they are permanently deleted.
  3. Verify that the lock has been created by running the following command: 
    az account lock show --name soft-delete-retention-policy --resource-group <your resource group> --resource <your subscription ID>
    This command will display the details of the lock that you created in step 2.
  4. You can now soft-delete any resources that you want to retain for the retention period by running the following command: 
    az resource delete --ids <resource ID> --output none
    This command will soft-delete the specified resource and retain it for the duration of the lock that you created in step 2.
By following these steps, you can remediate the misconfiguration of insufficient soft deleted data retention period in Azure using Azure CLI.
To remediate the misconfiguration of insufficient soft deleted data retention period in Azure using Python, you can follow these steps:
  1. First, you need to connect to your Azure account using the Azure SDK for Python. You can use the following code to authenticate and connect to your Azure account:
from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.storage import StorageManagementClient

credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'

resource_client = ResourceManagementClient(credential, subscription_id)
storage_client = StorageManagementClient(credential, subscription_id)
  1. Once you are connected to your Azure account, you can check the soft deleted data retention period for your storage accounts using the list_by_subscription() method of the StorageManagementClient class. This method returns a list of all the storage accounts in your subscription, along with their properties.
storage_accounts = storage_client.storage_accounts.list_by_subscription()

for account in storage_accounts:
    retention_days = account.deleted_retention_policy.enabled and account.deleted_retention_policy.days or 0
    if retention_days < 30:
        print(f"Storage account {account.name} has a soft deleted data retention period of {retention_days} days. Please increase the retention period to at least 30 days.")
  1. If the soft deleted data retention period for any of your storage accounts is less than 30 days, you can use the update() method of the StorageAccountsOperations class to update the retention period. You can set the deleted_retention_policy property of the StorageAccountUpdateParameters class to the desired retention period, in days.
from azure.mgmt.storage.models import StorageAccountUpdateParameters, DeletedRetentionPolicy

account_name = 'your-storage-account-name'
retention_days = 30

account_params = StorageAccountUpdateParameters(
    deleted_retention_policy=DeletedRetentionPolicy(enabled=True, days=retention_days)
)

storage_client.storage_accounts.update(resource_group_name='your-resource-group-name', account_name=account_name, parameters=account_params)
  1. After updating the retention period for your storage accounts, you can re-run the code in step 2 to verify that the retention period has been increased to at least 30 days.
By following these steps, you can remediate the misconfiguration of insufficient soft deleted data retention period in Azure using Python.