Azure Storage account soft delete is disabled
Description
This policy checks whether the soft-delete feature is enabled on Azure storage accounts. Soft delete is important because it provides a safeguard against accidental deletion of data: deleted data stays available for recovery for a configured retention period, so it is not lost to human error, programmatic errors, or malicious activity. Without this feature, deleted data is irretrievable, and the resulting data loss can have severe consequences for businesses.
Code Example
```hcl
resource "azurerm_storage_account" "example" {
  name                     = "examplestoracc"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  blob_properties {
    delete_retention_policy {
      days = 7
    }
  }
}
```
Remediation
Terraform
- Resource: azurerm_storage_account
- Arguments: blob_properties.delete_retention_policy.days, blob_properties.delete_retention_policy, account_kind
To fix this issue, enable soft delete in the configuration of your Azure storage account by adding a `blob_properties` block containing a `delete_retention_policy` block with `days` set to the number of days deleted data should remain recoverable.
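Because the rule is also listed for the TerraformPlan framework, the following added example (not part of this page or of Checkov) shows how the same condition can be evaluated over Terraform plan JSON, where nested blocks such as `blob_properties` and `delete_retention_policy` appear as lists of objects. The plan document, the resource addresses and the module name are constructed for the example; the check treats an account as compliant only when a `delete_retention_policy` with `days` of at least 1 is present, and it does not model any `account_kind` exception.

```python
import json

# Constructed sample Terraform plan JSON (hypothetical, not from the page):
# one account with blob soft delete set, one with no blob_properties at all,
# and one in a child module whose delete_retention_policy list is empty.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "azurerm_storage_account.good",
         "type": "azurerm_storage_account", "name": "good",
         "values": {"name": "goodstoracc", "account_kind": "StorageV2",
                    "blob_properties": [{"delete_retention_policy": [{"days": 7}]}]}},
        {"address": "azurerm_storage_account.bad",
         "type": "azurerm_storage_account", "name": "bad",
         "values": {"name": "badstoracc", "account_kind": "StorageV2",
                    "blob_properties": []}}
      ],
      "child_modules": [
        {"address": "module.app",
         "resources": [
           {"address": "module.app.azurerm_storage_account.empty_policy",
            "type": "azurerm_storage_account", "name": "empty_policy",
            "values": {"name": "emptystoracc",
                       "blob_properties": [{"delete_retention_policy": []}]}}
         ]}
      ]
    }
  }
}
"""


def load_sample_plan():
    """Parse the constructed sample plan above."""
    return json.loads(SAMPLE_PLAN_JSON)


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def soft_delete_days(values):
    """Return the blob delete_retention_policy days, or None if not configured.

    Plan JSON renders nested Terraform blocks as lists of objects, so both
    blob_properties and delete_retention_policy are (possibly empty) lists.
    """
    for blob_props in values.get("blob_properties") or []:
        for policy in blob_props.get("delete_retention_policy") or []:
            days = policy.get("days")
            if isinstance(days, int):
                return days
    return None


def evaluate_plan(plan):
    """Map each azurerm_storage_account address to True if soft delete is on."""
    results = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        days = soft_delete_days(res.get("values", {}))
        # Terraform accepts 1..365 for days; absent or 0 means no retention.
        results[res["address"]] = days is not None and days >= 1
    return results


def failing_accounts(plan):
    """Sorted addresses that this rule would flag."""
    return sorted(addr for addr, ok in evaluate_plan(plan).items() if not ok)


if __name__ == "__main__":
    for addr, ok in evaluate_plan(load_sample_plan()).items():
        print(f"{addr}: {'PASS' if ok else 'FAIL (soft delete disabled)'}")
```

Running the script prints one PASS line for the root-module account with a 7-day policy and FAIL lines for the other two; the `failing_accounts` helper returns just the flagged addresses so the result can be fed into a CI gate.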
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0795 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_38 |