Use blob soft delete#
Reliability · Storage Account · Rule · 2020_06 · Important
Enable blob soft delete on Storage Accounts.
Description#
Soft delete provides an easy way to recover deleted or overwritten blob data stored within Storage Accounts. When blob soft delete is enabled, deleted blobs, snapshots and versions are retained for the configured period and can be restored within that interval. It does not cover the deletion of a whole container, and it only holds as long as the policy itself stays enabled: a principal with write access to the storage account can shorten or switch off the retention policy.
Blob soft delete should therefore be considered one part of the strategy to protect and retain data. Also consider:
- Implementing role-based access control (RBAC) so that few principals can delete data or change the retention policy.
- Configuring resource locks to protect the storage account against deletion.
- Configuring blob container soft delete, which covers container deletion.
The retention period for deleted blobs can be set between 1 and 365 days.
Recommendation#
Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.
Examples#
Configure with Azure template#
To deploy Storage Accounts that pass this rule:
- Set the `properties.deleteRetentionPolicy.enabled` property to `true` on the blob services sub-resource.
- Configure the `properties.deleteRetentionPolicy.days` property to the number of days to retain blobs.
For example:
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"properties": {
"allowBlobPublicAccess": false,
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "TLS1_2",
"accessTier": "Hot",
"allowSharedKeyAccess": false,
"networkAcls": {
"defaultAction": "Deny"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2023-01-01",
"name": "[format('{0}/{1}', parameters('name'), 'default')]",
"properties": {
"deleteRetentionPolicy": {
"enabled": true,
"days": 7
},
"containerDeleteRetentionPolicy": {
"enabled": true,
"days": 7
}
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
]
}
]
}
Configure with Bicep#
To deploy Storage Accounts that pass this rule:
- Set the `properties.deleteRetentionPolicy.enabled` property to `true` on the blob services sub-resource.
- Configure the `properties.deleteRetentionPolicy.days` property to the number of days to retain blobs.
For example:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: name
location: location
sku: {
name: 'Standard_GRS'
}
kind: 'StorageV2'
properties: {
allowBlobPublicAccess: false
supportsHttpsTrafficOnly: true
minimumTlsVersion: 'TLS1_2'
accessTier: 'Hot'
allowSharedKeyAccess: false
networkAcls: {
defaultAction: 'Deny'
}
}
}
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
parent: storageAccount
name: 'default'
properties: {
deleteRetentionPolicy: {
enabled: true
days: 7
}
containerDeleteRetentionPolicy: {
enabled: true
days: 7
}
}
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure CLI#
az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '<name>' -g '<resource_group>'
Configure with Azure PowerShell#
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -AccountName '<name>' -RetentionDays 7
Notes#
Cloud Shell storage accounts, identified by the tag `ms-resource-usage = 'azure-cloud-shell'`, are excluded. Storage accounts used for Cloud Shell are not intended to store data.
The following storage accounts do not support blob soft delete:
- Storage accounts with hierarchical namespace enabled.
- Storage accounts deployed with the `FileStorage` kind, which provide file shares only and have no blob service.
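As an added example that is not part of this page or of PSRule itself, the following Python script applies the rule's conditions to an ARM template offline: it walks the `resources` array, finds each storage account's blob services sub-resource (nested under the account or declared at top level), checks that `deleteRetentionPolicy.enabled` is `true` with `days` in the 1 to 365 range, and skips the accounts described in the notes above. The template it evaluates is constructed for the example; the `is_excluded`, `find_blob_service`, `retention_is_valid` and `evaluate_template` functions are the example's own, and treating hierarchical-namespace and FileStorage accounts as excluded mirrors the notes rather than any PSRule internal.

```python
import json
from typing import Any, Optional

ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"
BLOB_SERVICE_TYPE = "Microsoft.Storage/storageAccounts/blobServices"

# Constructed sample template, not taken from the page. It declares four
# accounts that exercise each path: one compliant, one with the retention
# policy disabled, one hierarchical-namespace account and one Cloud Shell
# account (the last two are treated as excluded, per the Notes).
SAMPLE_TEMPLATE: dict[str, Any] = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "stgood",
      "kind": "StorageV2",
      "properties": {},
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts/blobServices",
          "name": "stgood/default",
          "properties": {"deleteRetentionPolicy": {"enabled": true, "days": 7}}
        }
      ]
    },
    {"type": "Microsoft.Storage/storageAccounts", "name": "stbad",
     "kind": "StorageV2", "properties": {}},
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "name": "stbad/default",
      "properties": {"deleteRetentionPolicy": {"enabled": false}}
    },
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlake",
     "kind": "StorageV2", "properties": {"isHnsEnabled": true}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stshell",
     "kind": "StorageV2", "tags": {"ms-resource-usage": "azure-cloud-shell"},
     "properties": {}}
  ]
}
""")


def is_excluded(account: dict[str, Any]) -> bool:
    """Apply the exclusions from the Notes: Cloud Shell accounts, accounts with a
    hierarchical namespace, and FileStorage accounts (which have no blob service)."""
    tags = account.get("tags") or {}
    props = account.get("properties") or {}
    return (
        tags.get("ms-resource-usage") == "azure-cloud-shell"
        or props.get("isHnsEnabled") is True
        or account.get("kind") == "FileStorage"
    )


def find_blob_service(account: dict[str, Any],
                      all_resources: list[dict[str, Any]]) -> Optional[dict[str, Any]]:
    """Locate the account's blob services sub-resource. It may be nested in the
    account's own `resources` array (as in the template on this page) or declared
    at top level with a literal `<account>/default` name. ARM expressions such as
    `[format(...)]` are not resolved; a nested child is matched by type only."""
    for child in account.get("resources") or []:
        if child.get("type") == BLOB_SERVICE_TYPE:
            return child
    prefix = f"{account.get('name')}/"
    for res in all_resources:
        if res.get("type") == BLOB_SERVICE_TYPE and str(res.get("name", "")).startswith(prefix):
            return res
    return None


def retention_is_valid(blob_service: Optional[dict[str, Any]]) -> bool:
    """True only when deleteRetentionPolicy.enabled is true and days is an
    integer in the supported 1..365 range. A missing sub-resource fails."""
    if blob_service is None:
        return False
    policy = (blob_service.get("properties") or {}).get("deleteRetentionPolicy") or {}
    days = policy.get("days")
    return (
        policy.get("enabled") is True
        and isinstance(days, int)
        and not isinstance(days, bool)  # JSON true would otherwise count as 1
        and 1 <= days <= 365
    )


def evaluate_template(template: dict[str, Any]) -> dict[str, str]:
    """Return 'pass', 'fail' or 'excluded' for every storage account in the template."""
    resources = template.get("resources") or []
    results: dict[str, str] = {}
    for res in resources:
        if res.get("type") != ACCOUNT_TYPE:
            continue
        name = str(res.get("name"))
        if is_excluded(res):
            results[name] = "excluded"
        else:
            ok = retention_is_valid(find_blob_service(res, resources))
            results[name] = "pass" if ok else "fail"
    return results


if __name__ == "__main__":
    for name, status in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status}")
```

Run it against your own exported template by replacing `SAMPLE_TEMPLATE` with `json.load(open("template.json"))`; accounts whose blob services name is built from an ARM expression are only matched when the sub-resource is nested under the account, so declare it that way or resolve the name first.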
Links#
- RE:04 Target metrics
- Storage Accounts and reliability
- Soft delete for Azure Storage blobs
- Blob storage features available in Azure Data Lake Storage Gen2
- Azure deployment reference