Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

Overview

The Azure Storage blobs contain data like ePHI and financial information, which can be secret or personal. Data that is erroneously modified or deleted accidentally by an application or other storage account user can cause data loss or unavailability.

It is recommended that Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This saves and recovers data when blobs or blob snapshots are deleted.

Rationale

Containers and Blob Storage data can be incorrectly deleted. An attacker or malicious user may do this deliberately to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, the objects are recoverable for a particular time, which is the retention period, ranging from 7 to 365 days.

Impact

Additional storage costs may be incurred as snapshots are retained.

Default Value

When a new storage account is created, soft delete for containers and blob storage are disabled by default.

References

Remediation guidance

Azure portal

Open the storage account in the Azure Portal using the Open in Azure button.
Navigate to the Data Protection blade under Data Management
Select Enable soft delete for blobs and Enable soft delete for containers.
Enter the number of days you want to retain soft deleted data (between 7 and 365).

Azure CLI

For blobs:

az storage blob service-properties delete-policy update --days-retained <days> --account-name <storageAccountName> --enable true

For containers:

az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days <days> --account-name <storageAccountName> --resource-group <resourceGroup> --account-key <accountKey>

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure Storage Accounts Without Soft Delete

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { blobServiceDeletePolicyEnabled: false }
        { blobServiceDeletePolicyDays: 0 }
        { containerDeleteRetentionPolicyEnabled: false }
        { containerDeleteRetentionPolicyDays: 0 }
      ]
    }
  ) {
    ...AssetFragment
  }
}