Azure Introduction
Azure Pricing
Azure Threats
Virtual Machines Should Have Backups
More Info:
Ensure that Azure Backup service is enabled and configured to create server backups for your Microsoft Azure virtual machines (VMs), in order to follow data security best practices and compliance requirements. Azure Backup service is a cost-effective, one-click backup solution, that simplifies virtual machine data recovery in your Azure cloud account.
Risk Level
Low
Address
Security
Compliance Standards
HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of virtual machines not having backups in AZURE using the AZURE console, follow these steps:
- Log in to the AZURE portal.
- In the left-hand menu, click on “Virtual machines”.
- Select the virtual machine that needs to be backed up.
- In the virtual machine overview page, click on “Backup” under “Operations”.
- In the “Backup” page, click on “Configure Backup”.
- In the “Backup policy” page, click on “Create a new policy”.
- In the “New policy” page, select the backup frequency, retention range, and other backup settings.
- Click on “OK” to create the backup policy.
- In the “Backup” page, click on “Enable Backup” to enable backup for the virtual machine.
- Review the backup policy and click on “OK”.
Once you have completed these steps, the virtual machine will be backed up according to the policy you have set up. You can also verify the backup status of the virtual machine by going to the “Backup” page and checking the backup status.
To remediate the misconfiguration “Virtual Machines Should Have Backups” for Azure using Azure CLI, follow the below steps:
-
Open the Azure CLI in your terminal or command prompt.
-
Login to your Azure account using the command below:
az login -
Once you are logged in, select the Azure subscription in which the virtual machines are present using the command below:
az account set --subscription <subscription_id>Replace
<subscription_id>with the ID of your Azure subscription. -
To enable backups for a virtual machine, use the following command:
az backup enable-for-vm --resource-group <resource_group_name> --vault-name <vault_name> --name <vm_name>Replace
<resource_group_name>with the name of the resource group in which the virtual machine is present,<vault_name>with the name of the backup vault in which the backups will be stored, and<vm_name>with the name of the virtual machine for which you want to enable backups. -
Once the backups are enabled, you can configure the backup policy for the virtual machine using the following command:
az backup policy set --policy-name <policy_name> --resource-group <resource_group_name> --vault-name <vault_name> --backup-management-type AzureIaasVM --item-name <vm_name>Replace
<policy_name>with the name of the backup policy that you want to apply,<resource_group_name>with the name of the resource group in which the virtual machine is present,<vault_name>with the name of the backup vault in which the backups will be stored, and<vm_name>with the name of the virtual machine for which you want to configure the backup policy. -
After the backup policy is set, you can trigger the backup of the virtual machine using the following command:
az backup protection enable-for-vm --resource-group <resource_group_name> --vault-name <vault_name> --policy-name <policy_name> --vm-name <vm_name>Replace
<resource_group_name>with the name of the resource group in which the virtual machine is present,<vault_name>with the name of the backup vault in which the backups will be stored,<policy_name>with the name of the backup policy that you have configured, and<vm_name>with the name of the virtual machine for which you want to trigger the backup. -
Once the backup is completed, you can verify the backup status of the virtual machine using the following command:
az backup job list --resource-group <resource_group_name> --vault-name <vault_name> --output tableReplace
<resource_group_name>with the name of the resource group in which the virtual machine is present, and<vault_name>with the name of the backup vault in which the backups are stored.
By following the above steps, you can remediate the misconfiguration “Virtual Machines Should Have Backups” for Azure using Azure CLI.
To remediate the misconfiguration of virtual machines not having backups in Azure using Python, follow these steps:
- Import the necessary modules:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.recoveryservices import RecoveryServicesClient
from azure.mgmt.recoveryservicesbackup import RecoveryServicesBackupClient
from azure.mgmt.recoveryservicesbackup.models import BackupRequestResource, BackupRequest, BackupRequestProperties, BackupRequestHeaders, BackupRequestVaultIdentity
from azure.mgmt.recoveryservicesbackup.models import BackupRequestResourceGroupDetails, BackupRequestResourceDetails, BackupRequestResourceOptions, BackupRequestResourceItem
from azure.mgmt.recoveryservicesbackup.models import BackupRequestResourceConfigDetails, BackupRequestResourceConfigDetailsDisk, BackupRequestResourceConfigDetailsFileFolder
- Authenticate to Azure using Service Principal credentials:
# Set the Azure credentials
subscription_id = 'your-subscription-id'
client_id = 'your-client-id'
client_secret = 'your-client-secret'
tenant_id = 'your-tenant-id'
# Authenticate to Azure
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id
)
- Create a Compute Management Client and a Recovery Services Backup Client:
# Create a Compute Management Client
compute_client = ComputeManagementClient(credentials, subscription_id)
# Create a Recovery Services Backup Client
backup_client = RecoveryServicesBackupClient(credentials, subscription_id)
- Get the list of virtual machines in the Azure subscription:
# Get the list of virtual machines
vm_list = compute_client.virtual_machines.list_all()
- For each virtual machine, check if it has a backup policy assigned. If not, create a backup policy and associate it with the virtual machine:
# For each virtual machine, check if it has a backup policy assigned
for vm in vm_list:
# Get the backup policy for the virtual machine
backup_policy = backup_client.backup_policies.get(
vm.id,
"DefaultPolicy"
)
# If the virtual machine does not have a backup policy assigned, create one and associate it with the virtual machine
if backup_policy is None:
# Create a backup policy
backup_policy = backup_client.backup_policies.create_or_update(
vm.id,
"DefaultPolicy",
{
"policyType": "Simple",
"schedulePolicy": {
"scheduleRunFrequency": "Daily",
"scheduleRunDays": [
"Monday",
"Tuesday",
"Wednesday",
"Thursday",
"Friday",
"Saturday",
"Sunday"
],
"scheduleRunTimes": [
"00:00"
]
},
"retentionPolicy": {
"retentionPolicyType": "LongTerm",
"retentionDuration": {
"count": 365,
"durationType": "Days"
}
}
}
)
# Associate the backup policy with the virtual machine
backup_client.protection_intent_items.create_or_update(
vm.id,
"DefaultPolicy",
{
"properties": {
"policyId": backup_policy.id
}
}
)
- Once the backup policy is assigned to the virtual machine, it will start taking backups automatically based on the schedule specified in the policy.
Note: This is just an example of how to remediate the misconfiguration of virtual machines not having backups in Azure using Python. The code may need to be modified based on your specific requirements and environment.