Azure Introduction
Azure Pricing
Azure Threats
Check for Sufficient Backup Retention Period
More Info:
Ensure there is a sufficient backup retention period configured for Azure App Services applications.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration of “Sufficient Backup Retention Period” in Azure using the Azure console:
- Log in to the Azure portal (https://portal.azure.com/).
- In the left-hand menu, click on “Recovery Services vaults”.
- Select the recovery services vault that you want to remediate.
- Click on the “Backup policy” option in the left-hand menu.
- In the “Backup policy” page, click on the “Edit” button.
- In the “Backup policy” editor, click on the “Retention” tab.
- In the “Retention” tab, set the retention period to the desired value.
- Click on the “Save” button to save the changes.
By following these steps, you will remediate the misconfiguration of “Sufficient Backup Retention Period” in Azure using the Azure console.
To remediate the misconfiguration of insufficient backup retention period in AZURE using AZURE CLI, follow the below steps:
-
Open the Azure CLI in your terminal or command prompt.
-
Run the following command to check the current retention period for backups:
az backup policy show --name <backup-policy-name> --resource-group <resource-group-name> --vault-name <vault-name>Replace
<backup-policy-name>,<resource-group-name>and<vault-name>with the actual names of your backup policy, resource group and vault respectively. -
Check the
retentionPolicyobject in the output to see the current retention period. -
Run the following command to update the retention period to the desired value:
az backup policy set --name <backup-policy-name> --resource-group <resource-group-name> --vault-name <vault-name> --retention-days <number-of-days>Replace
<backup-policy-name>,<resource-group-name>,<vault-name>and<number-of-days>with the actual names of your backup policy, resource group, vault and the desired number of retention days respectively. -
Verify that the retention period has been updated by running the command in step 2 again and checking the
retentionPolicyobject in the output. -
Repeat steps 2-5 for all backup policies in your Azure environment to ensure that all backups have sufficient retention periods.
By following these steps, you can remediate the misconfiguration of insufficient backup retention period in AZURE using AZURE CLI.
To remediate the misconfiguration of insufficient backup retention period in Azure using Python, you can follow the below steps:
- Import the required libraries for Azure authentication and management:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.recoveryservicesbackup import RecoveryServicesBackupClient
from azure.mgmt.recoveryservicesbackup.models import ProtectionPolicyResource
- Authenticate with Azure using Service Principal credentials:
credentials = ServicePrincipalCredentials(
client_id='<client-id>',
secret='<client-secret>',
tenant='<tenant-id>'
)
- Instantiate a
RecoveryServicesBackupClientobject using the credentials:
client = RecoveryServicesBackupClient(credentials, '<subscription-id>')
- Get the list of backup protection policies:
policies = client.protection_policies.list('<resource-group-name>', '<vault-name>')
- For each policy, check if the retention period is sufficient:
for policy in policies:
if policy.backup_management_type == 'AzureIaasVM':
if policy.recovery_points_retention_period == 30:
policy.recovery_points_retention_period = 60
client.protection_policies.create_or_update('<resource-group-name>', '<vault-name>', policy.name, policy)
- If the retention period is not sufficient (in this case, 30 days), update the policy with a new retention period (in this case, 60 days):
policy.recovery_points_retention_period = 60
client.protection_policies.create_or_update('<resource-group-name>', '<vault-name>', policy.name, policy)
- Save the updated policy:
client.protection_policies.create_or_update('<resource-group-name>', '<vault-name>', policy.name, policy)
By following these steps, you can remediate the misconfiguration of insufficient backup retention period in Azure using Python.