More Info:
Ensure that your Microsoft Azure virtual machines (VMs) have a sufficient daily backup retention period configured within the associated backup policy for security and compliance purposes. The maximum retention period supported is 30 days.Risk Level
LowAddress
Reliability, SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using the AZURE console, you can follow the below steps:
- Log in to your Azure portal (https://portal.azure.com/).
- Navigate to the Virtual Machines service.
- Select the virtual machine that you want to configure the backup retention period for.
- Under the “Operations” section, click on “Backup” to open the “Backup” blade.
- In the “Backup” blade, click on “Backup policy” to open the “Backup policy” blade.
- In the “Backup policy” blade, click on “Edit” to modify the backup policy.
- In the “Backup policy” blade, select the appropriate backup policy that meets your retention period requirements. You can either select an existing policy or create a new one.
- Once you have selected the policy, click on “Save” to apply the changes to the backup policy.
Using CLI
Using CLI
To remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using AZURE CLI, follow these steps:
-
Open the AZURE CLI and log in to your account using the command
az login
. -
Once you are logged in, run the command
az vm list --query "[].{name:name, resourceGroup:resourceGroup, backup:provisioningState}"
to list all the virtual machines and their backup status. - Identify the virtual machine that has insufficient daily backup retention period.
-
Run the command
az backup protection enable-for-vm --resource-group <resource-group-name> --vault-name <vault-name> --vm <vm-name> --policy-name <policy-name>
to enable backup protection for the virtual machine.
<resource-group-name>
, <vault-name>
, <vm-name>
, and <policy-name>
with the appropriate values.-
After enabling backup protection, run the command
az backup policy list --vault-name <vault-name> --query "[].{name:name, backupSchedule:backupSchedule}"
to list all the backup policies and their backup schedules. - Identify the backup policy that has the required daily backup retention period.
-
Run the command
az backup protection backup-now --resource-group <resource-group-name> --vault-name <vault-name> --container-name <container-name> --item-name <item-name> --retain-until <date-time>
to initiate a backup for the virtual machine.
<resource-group-name>
, <vault-name>
, <container-name>
, <item-name>
, and <date-time>
with the appropriate values.-
After initiating the backup, verify that the backup has been completed successfully by running the command
az backup job list --vault-name <vault-name> --query "[].{name:name, status:status}"
. -
Finally, run the command
az backup policy set --vault-name <vault-name> --name <policy-name> --backup-schedule '{"scheduleFrequencyInMins":1440,"retentionPolicy":{"dailySchedule":{"retentionDuration":{"count":<count>,"durationType":"Days"}}}}'
to set the backup policy with the required daily backup retention period.
<vault-name>
, <policy-name>
, and <count>
with the appropriate values.By following these steps, you can remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using AZURE CLI.Using Python
Using Python
To remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using pip command.Step 2: Import the required libraries and authenticate the credentials.Step 3: Get the list of virtual machines that are not having the sufficient daily backup retention period.Step 4: Save the Python script and run it to remediate the misconfiguration.Note: Replace the
your_subscription_id
, your_client_id
, your_secret
, your_tenant
, and your_vault_name
with your Azure subscription details. Also, make sure to provide the appropriate permissions to the Service Principal used for authentication.