Immutability#

Security · Backup Vault · Rule · 2023_09 · Important

Ensure immutability is configured to protect backup data.

Description#

Immutability is supported for Backup vaults by configuring the Immutable vault setting.

Immutable vault helps protect backup data by blocking any operation that could lead to the loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible, preventing a malicious actor from disabling immutability and then deleting backups.

For example, a malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.

The Immutable vault setting is not enabled by default.

Recommendation#

Consider configuring immutability to protect backup data from accidental or malicious deletion.

Examples#

Configure with Azure template#

To deploy Backup vaults that pass this rule:

  • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

For example:

Azure Template snippet
{
  "type": "Microsoft.DataProtection/backupVaults",
  "apiVersion": "2022-11-01-preview",
  "name": "[parameters('vaultName')]",
  "location": "[parameters('location')]",
  "properties": {
    "securitySettings": {
      "immutabilitySettings": {
        "state": "Locked"
      }
    }
  }
}

Configure with Bicep#

To deploy Backup vaults that pass this rule:

  • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

For example:

Azure Bicep snippet
resource backupVault 'Microsoft.DataProtection/backupVaults@2022-11-01-preview' = {
  name: vaultName
  location: location
  properties: {
    securitySettings: {
      immutabilitySettings: {
        state: 'Locked'
      }
    }
  }
}
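To see how a template is evaluated against this rule, the following is an added example (not PSRule's own code): it walks the resources of an ARM template, picks out every `Microsoft.DataProtection/backupVaults` resource and reports whether `properties.securitySettings.immutabilitySettings.state` is set to `Unlocked` or `Locked`. The sample template, vault names and location are constructed for the example.

```python
import json

VAULT_TYPE = "Microsoft.DataProtection/backupVaults"
PASSING_STATES = {"Unlocked", "Locked"}

# Constructed sample template: one compliant vault, one vault with the
# immutability setting left unset, and one unrelated resource to be skipped.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": VAULT_TYPE,
            "apiVersion": "2022-11-01-preview",
            "name": "vault-prod",
            "location": "eastus",
            "properties": {"securitySettings": {"immutabilitySettings": {"state": "Locked"}}},
        },
        {
            "type": VAULT_TYPE,
            "apiVersion": "2022-11-01-preview",
            "name": "vault-temp",
            "location": "eastus",
            "properties": {"securitySettings": {}},
        },
        {"type": "Microsoft.Storage/storageAccounts", "name": "sa1", "location": "eastus"},
    ]
})


def immutability_state(resource):
    """Return the configured immutability state of a Backup vault, or None if absent."""
    props = resource.get("properties") or {}
    settings = (props.get("securitySettings") or {}).get("immutabilitySettings") or {}
    return settings.get("state")


def check_backup_vaults(template_json):
    """Evaluate every Backup vault in an ARM template; returns {name: (passed, state)}."""
    template = json.loads(template_json)
    results = {}
    for resource in template.get("resources", []):
        # Resource type comparison is case-insensitive, as in ARM.
        if resource.get("type", "").lower() != VAULT_TYPE.lower():
            continue
        state = immutability_state(resource)
        results[resource["name"]] = (state in PASSING_STATES, state)
    return results


if __name__ == "__main__":
    for name, (passed, state) in check_backup_vaults(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'PASS' if passed else 'FAIL'} (state={state})")
```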

Notes#

Note that the Locked immutability state is irreversible, so make sure you take a well-informed decision before opting to lock. For example, for vaults containing production workloads consider using Locked. For cases where you are creating and destroying backups and vaults on a regular basis, such as temporary environments, consider Unlocked.