Beta - File Share Without Soft Delete
- Query id: 54087baa-8719-48a8-8460-9cc0962117aa
- Query name: Beta - File Share Without Soft Delete
- Platform: Terraform
- Severity: High
- Category: Backup
- CWE: 754
- Risk score: 6.0
- URL: Github
Description
Every 'azurerm_storage_account' resource should define a 'retention_policy' block inside its 'share_properties' block, so that deleted file shares are retained for the configured number of days and can be recovered (share soft delete).
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "azurerm_storage_account" "positive1" {
  name                     = "positive1"
  resource_group_name      = azurerm_resource_group.positive1.name
  location                 = azurerm_resource_group.positive1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # missing "share_properties"
}

resource "azurerm_storage_account" "positive2" {
  name                     = "positive2"
  resource_group_name      = azurerm_resource_group.positive2.name
  location                 = azurerm_resource_group.positive2.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  share_properties {
    # missing "retention_policy"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "azurerm_storage_account" "negative1" {
  name                     = "negative1"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"
  share_properties {
    retention_policy {
      days = 5
    }
  }
}

resource "azurerm_storage_account" "negative2" {
  name                     = "negative2"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"
  share_properties {
    retention_policy {} # defaults to 7 days
  }
}
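The check this query performs, written out as an added Python illustration (KICS's own queries are Rego; this is not that code): it scans a .tf text for azurerm_storage_account blocks and reports those with no share_properties or with share_properties lacking retention_policy. The sample input is constructed from the cases above; the brace scanner strips '#' line comments only and is not a full HCL parser.

```python
import re

# Constructed sample (not the page's files verbatim): one account per case above.
SAMPLE_TF = """
resource "azurerm_storage_account" "positive1" {
  account_tier = "Standard"  # missing "share_properties"
}
resource "azurerm_storage_account" "positive2" {
  share_properties {}  # missing "retention_policy"
}
resource "azurerm_storage_account" "negative1" {
  share_properties {
    retention_policy { days = 5 }
  }
}
resource "azurerm_storage_account" "negative2" {
  share_properties {
    retention_policy {}  # defaults to 7 days
  }
}
"""

RESOURCE_RE = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{')

def block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (comments already stripped)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def nested_block(body, label):
    """Body of the first nested block named `label` inside `body`, or None if absent."""
    m = re.search(r"\b" + re.escape(label) + r"\s*\{", body)
    return None if m is None else block_body(body, m.end() - 1)

def share_soft_delete_findings(tf_text):
    """Map each failing azurerm_storage_account name to the reason it fails this query."""
    tf_text = re.sub(r"#[^\n]*", "", tf_text)  # drop '#' line comments so braces in them cannot confuse the scanner
    findings = {}
    for m in RESOURCE_RE.finditer(tf_text):
        body = block_body(tf_text, m.end() - 1)
        share = nested_block(body, "share_properties")
        if share is None:
            findings[m.group(1)] = "missing share_properties"
        elif nested_block(share, "retention_policy") is None:
            findings[m.group(1)] = "share_properties without retention_policy"
    return findings

if __name__ == "__main__":
    for name, reason in share_soft_delete_findings(SAMPLE_TF).items():
        print(f"{name}: {reason}")
```

An empty `retention_policy {}` passes, matching negative2, because the provider then applies its 7-day default rather than leaving shares without soft delete.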