Beta - Recovery Services Vault Without Immutability

  • Query id: 0af1814d-23d7-472e-a1b8-b265e7b0d88f
  • Query name: Beta - Recovery Services Vault Without Immutability
  • Platform: Terraform
  • Severity: High
  • Category: Backup
  • CWE: 754
  • Risk score: 6.0
  • URL: Github

Description

No 'azurerm_recovery_services_vault' resource should set 'immutability' to 'Disabled' (or leave it unset, since the attribute defaults to 'Disabled'). Locking the setting prevents malicious actors from disabling immutability and then deleting backups.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_recovery_services_vault" "positive1" {
  name                = "positive1-recovery-vault"
  location            = azurerm_resource_group.positive1.location
  resource_group_name = azurerm_resource_group.positive1.name
  sku                 = "Standard"

  # "immutability" missing - defaults to Disabled
}

resource "azurerm_recovery_services_vault" "positive2" {
  name                = "positive2-recovery-vault"
  location            = azurerm_resource_group.positive2.location
  resource_group_name = azurerm_resource_group.positive2.name
  sku                 = "Standard"

  immutability = "Disabled"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_recovery_services_vault" "negative1" {
  name                = "negative1-recovery-vault"
  location            = azurerm_resource_group.negative1.location
  resource_group_name = azurerm_resource_group.negative1.name
  sku                 = "Standard"

  immutability = "Locked"
}

resource "azurerm_recovery_services_vault" "negative2" {
  name                = "negative2-recovery-vault"
  location            = azurerm_resource_group.negative2.location
  resource_group_name = azurerm_resource_group.negative2.name
  sku                 = "Standard"

  immutability = "Unlocked"
}
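To show how the rule described above behaves on the four cases in the samples (attribute missing, "Disabled", "Locked", "Unlocked"), here is an added stand-alone checker. It is example code written for this page, not the KICS query itself (KICS queries are written in Rego, and this is not a port of it): it uses a simple regex-and-brace-depth scan of HCL text rather than a real HCL parser, and the sample configuration embedded in it is constructed to mirror the positive and negative tests.

```python
import re

# Constructed sample mirroring the page's positive/negative vault definitions,
# plus an unrelated resource to confirm the check only looks at vaults.
SAMPLE_TF = '''
resource "azurerm_resource_group" "rg" {
  name     = "rg"
  location = "westeurope"
}

resource "azurerm_recovery_services_vault" "positive1" {
  name                = "positive1-recovery-vault"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"
  # "immutability" missing - defaults to Disabled
}

resource "azurerm_recovery_services_vault" "positive2" {
  name                = "positive2-recovery-vault"
  sku                 = "Standard"
  immutability = "Disabled"
}

resource "azurerm_recovery_services_vault" "negative1" {
  name                = "negative1-recovery-vault"
  sku                 = "Standard"
  immutability = "Locked"
}

resource "azurerm_recovery_services_vault" "negative2" {
  name                = "negative2-recovery-vault"
  sku                 = "Standard"
  immutability = "Unlocked"
}
'''

VAULT_TYPE = "azurerm_recovery_services_vault"
RESOURCE_HEADER = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.MULTILINE)
IMMUTABILITY = re.compile(r'^\s*immutability\s*=\s*"([^"]*)"', re.MULTILINE)


def iter_resources(text):
    """Yield (type, name, body) for every top-level resource block.

    The body is found by tracking brace depth from the opening '{', so
    nested blocks inside a resource do not cut the scan short.
    """
    for m in RESOURCE_HEADER.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]


def strip_comments(body):
    """Drop '#' line comments so a commented-out attribute does not count as set."""
    return "\n".join(line.split("#", 1)[0] for line in body.splitlines())


def vault_immutability(body):
    """Return the immutability value set in a resource body, or None if unset."""
    m = IMMUTABILITY.search(strip_comments(body))
    return m.group(1) if m else None


def check_vaults(text):
    """Map each vault resource name to a PASS/FAIL verdict for the rule."""
    findings = {}
    for rtype, name, body in iter_resources(text):
        if rtype != VAULT_TYPE:
            continue
        value = vault_immutability(body)
        if value is None:
            # Unset attribute: provider default is Disabled, so this fails too.
            findings[name] = "FAIL: immutability not set (defaults to Disabled)"
        elif value == "Disabled":
            findings[name] = 'FAIL: immutability = "Disabled"'
        else:
            findings[name] = f'PASS: immutability = "{value}"'
    return findings


if __name__ == "__main__":
    for name, verdict in check_vaults(SAMPLE_TF).items():
        print(f"{name}: {verdict}")
```

The verdicts follow the page's samples exactly: the unset and "Disabled" cases fail, while "Locked" and "Unlocked" pass. Note that in Azure an "Unlocked" vault has immutability enabled but still reversible, so a stricter in-house policy may want to require "Locked" only; that would be a one-line change in `check_vaults`.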