More Info:

Ensure that your Microsoft Azure virtual machines (VMs) have a sufficient daily backup retention period configured within the associated backup policy for security and compliance purposes. The maximum retention period supported is 30 days.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using the AZURE console, you can follow the below steps:
  1. Log in to your Azure portal (https://portal.azure.com/).
  2. Navigate to the Virtual Machines service.
  3. Select the virtual machine that you want to configure the backup retention period for.
  4. Under the “Operations” section, click on “Backup” to open the “Backup” blade.
  5. In the “Backup” blade, click on “Backup policy” to open the “Backup policy” blade.
  6. In the “Backup policy” blade, click on “Edit” to modify the backup policy.
  7. In the “Backup policy” blade, select the appropriate backup policy that meets your retention period requirements. You can either select an existing policy or create a new one.
  8. Once you have selected the policy, click on “Save” to apply the changes to the backup policy.
By following the above steps, you can remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using the AZURE console.

To remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using AZURE CLI, follow these steps:
  1. Open the AZURE CLI and log in to your account using the command az login.
  2. Once you are logged in, run the command az vm list --query "[].{name:name, resourceGroup:resourceGroup, backup:provisioningState}" to list all the virtual machines and their backup status.
  3. Identify the virtual machine that has insufficient daily backup retention period.
  4. Run the command az backup protection enable-for-vm --resource-group <resource-group-name> --vault-name <vault-name> --vm <vm-name> --policy-name <policy-name> to enable backup protection for the virtual machine.
Note: Replace <resource-group-name>, <vault-name>, <vm-name>, and <policy-name> with the appropriate values.
  1. After enabling backup protection, run the command az backup policy list --vault-name <vault-name> --query "[].{name:name, backupSchedule:backupSchedule}" to list all the backup policies and their backup schedules.
  2. Identify the backup policy that has the required daily backup retention period.
  3. Run the command az backup protection backup-now --resource-group <resource-group-name> --vault-name <vault-name> --container-name <container-name> --item-name <item-name> --retain-until <date-time> to initiate a backup for the virtual machine.
Note: Replace <resource-group-name>, <vault-name>, <container-name>, <item-name>, and <date-time> with the appropriate values.
  1. After initiating the backup, verify that the backup has been completed successfully by running the command az backup job list --vault-name <vault-name> --query "[].{name:name, status:status}".
  2. Finally, run the command az backup policy set --vault-name <vault-name> --name <policy-name> --backup-schedule '{"scheduleFrequencyInMins":1440,"retentionPolicy":{"dailySchedule":{"retentionDuration":{"count":<count>,"durationType":"Days"}}}}' to set the backup policy with the required daily backup retention period.
Note: Replace <vault-name>, <policy-name>, and <count> with the appropriate values.By following these steps, you can remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” for AZURE using AZURE CLI.
To remediate the misconfiguration “Virtual Machines Should Have Sufficient Daily Backup Retention Period” in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using pip command.
pip install azure
Step 2: Import the required libraries and authenticate the credentials.
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.storage import StorageManagementClient

# Authentication
subscription_id = 'your_subscription_id'
credentials = ServicePrincipalCredentials(
    client_id='your_client_id',
    secret='your_secret',
    tenant='your_tenant'
)

# Resource Management Client
resource_client = ResourceManagementClient(credentials, subscription_id)

# Compute Management Client
compute_client = ComputeManagementClient(credentials, subscription_id)

# Storage Management Client
storage_client = StorageManagementClient(credentials, subscription_id)
Step 3: Get the list of virtual machines that are not having the sufficient daily backup retention period.
# Get the list of virtual machines
vm_list = compute_client.virtual_machines.list_all()

# Iterate through each virtual machine
for vm in vm_list:
    # Get the backup policy of the virtual machine
    backup_policy = compute_client.virtual_machine_backup_policies.get(
        resource_group_name=vm.id.split('/')[4],
        vault_name='your_vault_name',
        vm_name=vm.name
    )

    # Check the daily backup retention period
    if backup_policy.backup_schedule.daily_retention_days < 7:
        # If retention period is less than 7 days, update the policy
        backup_policy.backup_schedule.daily_retention_days = 7
        compute_client.virtual_machine_backup_policies.create_or_update(
            resource_group_name=vm.id.split('/')[4],
            vault_name='your_vault_name',
            vm_name=vm.name,
            parameters=backup_policy
        )
Step 4: Save the Python script and run it to remediate the misconfiguration.Note: Replace the your_subscription_id, your_client_id, your_secret, your_tenant, and your_vault_name with your Azure subscription details. Also, make sure to provide the appropriate permissions to the Service Principal used for authentication.

Additional Reading: