Cyscale
Back to controls

Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

The Azure Storage blobs contain data like ePHI and financial information, which can be secret or personal. Data that is erroneously modified or deleted accidentally by an application or other storage account user can cause data loss or unavailability.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

null controls, 1 queries

Asset types

1 covered

Overview

The Azure Storage blobs contain data like ePHI and financial information, which can be secret or personal. Data that is erroneously modified or deleted accidentally by an application or other storage account user can cause data loss or unavailability.

It is recommended that Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This saves and recovers data when blobs or blob snapshots are deleted.

Rationale

Containers and Blob Storage data can be incorrectly deleted. An attacker or malicious user may do this deliberately to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, the objects are recoverable for a particular time, which is the retention period, ranging from 7 to 365 days.

Impact

Additional storage costs may be incurred as snapshots are retained.

Default Value

When a new storage account is created, soft delete for containers and blob storage are disabled by default.

References

  1. https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete
  2. https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview
  3. https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal

Remediation guidance

Azure portal

  1. Open the storage account in the Azure Portal using the Open in Azure button.
  2. Navigate to the Data Protection blade under Data Management
  3. Select Enable soft delete for blobs and Enable soft delete for containers.
  4. Enter the number of days you want to retain soft deleted data (between 7 and 365).

Azure CLI

For blobs:

az storage blob service-properties delete-policy update --days-retained <days> --account-name <storageAccountName> --enable true

For containers:

az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days <days> --account-name <storageAccountName> --resource-group <resourceGroup> --account-key <accountKey>

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

  • Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
  • Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
  • Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Storage Accounts Without Soft Delete

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { blobServiceDeletePolicyEnabled: false }
        { blobServiceDeletePolicyDays: 0 }
        { containerDeleteRetentionPolicyEnabled: false }
        { containerDeleteRetentionPolicyDays: 0 }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon