Skip to content

Use blob soft delete#

Reliability · Storage Account · Rule · 2020_06 · Important

Enable blob soft delete on Storage Accounts.

Description#

Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.

Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:

  • Implementing role-based access control (RBAC).
  • Configuring resource locks to protect against deletion.
  • Configuring blob container soft delete.

Blobs can be configured to retain deleted blobs for a period of time between 1 and 365 days.

Recommendation#

Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
  • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.
Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2023-01-01",
      "name": "[format('{0}/{1}', parameters('name'), 'default')]",
      "properties": {
        "deleteRetentionPolicy": {
          "enabled": true,
          "days": 7
        },
        "containerDeleteRetentionPolicy": {
          "enabled": true,
          "days": 7
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
      ]
    }
  ]
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
  • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.

For example:

Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: storageAccount
  name: 'default'
  properties: {
    deleteRetentionPolicy: {
      enabled: true
      days: 7
    }
    containerDeleteRetentionPolicy: {
      enabled: true
      days: 7
    }
  }
}

Configure with Azure CLI#

Azure CLI snippet
az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '<name>' -g '<resource_group>'

Configure with Azure PowerShell#

Azure PowerShell snippet
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -AccountName '<name>' -RetentionDays 7

Notes#

Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

Storage accounts with:

  • Hierarchical namespace enabled to not support blob soft delete.
  • Deployed as a FileStorage storage account do not support blob soft delete.

Comments