Azure Introduction
Azure Pricing
Azure Threats
Enable Immutable Blob Storage
More Info:
Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of enabling Immutable Blob Storage in Azure, you can follow the below steps:
- Login to Azure portal (https://portal.azure.com/)
- Navigate to the Storage Account where you want to enable Immutable Blob Storage.
- Click on the “Configuration” tab from the left-hand side menu.
- Scroll down to the “Data Protection” section and click on the “Immutability policies” option.
- Click on the ”+ Add” button to create a new Immutability policy.
- In the “Create Immutability Policy” blade, provide the following details:
- Name: A unique name for the policy
- Description: A brief description of the policy
- Immutability Period: The number of days for which the blobs should be kept immutable
- Allow Permanently Delete: Whether to allow permanently deleting the blobs during the immutability period
- Allow Rehydrate: Whether to allow rehydrating the blobs during the immutability period
- Click on the “Review + create” button to review the policy details.
- Once you have reviewed the details, click on the “Create” button to create the Immutability policy.
With these steps, you have successfully enabled Immutable Blob Storage in Azure for the selected Storage Account.
To remediate the “Enable Immutable Blob Storage” misconfiguration for Azure using Azure CLI, follow these steps:
-
Open the Azure CLI on your computer.
-
Log in to your Azure account using the following command:
az login -
Once you are logged in, select the Azure subscription that contains the storage account that you want to remediate using the following command:
az account set --subscription <subscription_id> -
Get the resource ID of the storage account that you want to remediate using the following command:
az storage account show --name <storage_account_name> --resource-group <resource_group_name> --query id --output tsv -
Enable the immutable blob storage for the storage account using the following command:
az storage account update --name <storage_account_name> --resource-group <resource_group_name> --set properties.supportsHttpsTrafficOnly=true properties.preventEncryptionScopeOverride=trueThis command sets the “supportsHttpsTrafficOnly” and “preventEncryptionScopeOverride” properties to “true”, which enables immutable blob storage.
-
Verify that the immutable blob storage has been enabled for the storage account by running the following command:
az storage account show --name <storage_account_name> --resource-group <resource_group_name> --query properties.supportsHttpsTrafficOnlyIf the command returns “true”, then immutable blob storage has been enabled successfully.
That’s it! You have successfully remediated the “Enable Immutable Blob Storage” misconfiguration for Azure using Azure CLI.
To remediate the misconfiguration “Enable Immutable Blob Storage” in Azure using Python, you can follow these steps:
- Install the Azure Blob Storage SDK for Python by running the following command in your terminal:
pip install azure-storage-blob
- Import the necessary modules:
from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient, __version__
- Authenticate with your Azure account by providing the connection string. You can obtain the connection string from the Azure Portal, under the “Access keys” section of your storage account.
connect_str = '<your_connection_string>'
blob_service_client = BlobServiceClient.from_connection_string(connect_str)
- Choose the container that you want to enable immutable blob storage for:
container_name = '<your_container_name>'
container_client = blob_service_client.get_container_client(container_name)
- Set the immutable policy on the container:
retention_days = 365
container_client.set_immutable_policy(immutability_period_in_days=retention_days)
This will enable immutable blob storage on the specified container for the specified retention period. Any attempt to modify or delete a blob within this period will result in an error.
Note: Immutable blob storage is only available for the Azure Blob Storage tier, not for the Azure Data Lake Storage Gen2 tier.