More Info:

Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of not having Soft Delete enabled for Azure Blob Storage, you can follow the below steps using the Azure console:
  1. Open the Azure portal and navigate to the storage account that needs to be updated.
  2. Click on the “Configuration” tab in the left-hand menu.
  3. Scroll down to the “Blob service” section and click on “Data protection”.
  4. Under “Soft delete”, toggle the switch to “Enabled”.
  5. Set the “Retention period” to the desired number of days for which you want to retain the deleted data.
  6. Click on “Save” to apply the changes.
After following these steps, Soft Delete will be enabled for your Azure Blob Storage and any deleted data will be retained for the specified retention period.

To enable Soft Delete for Azure Blob Storage using Azure CLI, follow these steps:
  1. Open Azure CLI on your local machine or use the Azure Cloud Shell.
  2. Login to your Azure account using the following command: 
    az login
  3. Once you are logged in, set the subscription where the storage account is located using the following command: 
    az account set --subscription <subscription_id>
    Replace <subscription_id> with the ID of your subscription.
  4. Next, get the resource ID of the storage account for which you want to enable Soft Delete using the following command: 
    az storage account show -n <storage_account_name> -g <resource_group_name> --query id --output tsv
    Replace <storage_account_name> with the name of your storage account and <resource_group_name> with the name of the resource group where the storage account is located.
  5. Once you have the resource ID, enable Soft Delete for the storage account using the following command: 
    az resource update --ids <resource_id> --set properties.enableSoftDelete=true
    Replace <resource_id> with the resource ID you obtained in step 4.
  6. Verify that Soft Delete has been enabled by running the following command: 
    az storage account show -n <storage_account_name> -g <resource_group_name> --query properties.enableSoftDelete
    Replace <storage_account_name> with the name of your storage account and <resource_group_name> with the name of the resource group where the storage account is located.
That’s it! Soft Delete has been enabled for your Azure Blob Storage.
To enable soft delete for Azure Blob Storage using Python, you can follow these steps:
  1. Import the necessary libraries:
from azure.storage.blob import BlobServiceClient, BlobSasPermissions, generate_blob_sas
from datetime import datetime, timedelta
  1. Set up the connection to your Azure Blob Storage account:
connection_string = "DefaultEndpointsProtocol=https;AccountName=<your_account_name>;AccountKey=<your_account_key>;EndpointSuffix=core.windows.net"
blob_service_client = BlobServiceClient.from_connection_string(connection_string)
  1. Retrieve the Blob Container for which you want to enable soft delete:
container_client = blob_service_client.get_container_client("<your_container_name>")
  1. Check if the container has soft delete enabled:
properties = container_client.get_container_properties()
if not properties.is_deleted_enabled:
    # Enable soft delete
    container_client.set_container_properties(deleted_retention_days=7, is_deleted_enabled=True)
  1. Save the changes:
container_client.set_container_metadata(metadata={"SoftDeleteEnabled": "True"})
  1. Verify that soft delete is enabled:
properties = container_client.get_container_properties()
if properties.is_deleted_enabled:
    print("Soft delete is enabled.")
else:
    print("Soft delete is not enabled.")
Note: Replace <your_account_name> and <your_account_key> with your Azure Blob Storage account name and account key, respectively. Also, replace <your_container_name> with the name of the container for which you want to enable soft delete.