Beta - Backup Vault Without Immutability
- Query id: 7a0164a5-ec6e-40b2-938d-ab3edfd37dcd
- Query name: Beta - Backup Vault Without Immutability
- Platform: Terraform
- Severity: High
- Category: Backup
- CWE: 754
- Risk score: 6.0
- URL: Github
Description
No 'azurerm_data_protection_backup_vault' resource should set 'immutability' to 'Disabled', nor leave it unset, since the provider default is 'Disabled'. Locking the setting ('Locked') prevents malicious actors from disabling immutability and deleting backups.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "azurerm_data_protection_backup_vault" "positive1" {
  name                = "positive1-backup-vault"
  resource_group_name = azurerm_resource_group.positive1.name
  location            = azurerm_resource_group.positive1.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  # missing immutability - defaults to Disabled
}

resource "azurerm_data_protection_backup_vault" "positive2" {
  name                = "positive2-backup-vault"
  resource_group_name = azurerm_resource_group.positive2.name
  location            = azurerm_resource_group.positive2.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  immutability        = "Disabled"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "azurerm_data_protection_backup_vault" "negative1" {
  name                = "negative1-backup-vault"
  resource_group_name = azurerm_resource_group.negative1.name
  location            = azurerm_resource_group.negative1.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  immutability        = "Unlocked"
}

resource "azurerm_data_protection_backup_vault" "negative2" {
  name                = "negative2-backup-vault"
  resource_group_name = azurerm_resource_group.negative2.name
  location            = azurerm_resource_group.negative2.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  immutability        = "Locked"
}
```
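As an added illustration of the rule described above (this is example code written for this page, not the KICS query itself, which KICS implements in Rego), the following Python checker applies the same logic to Terraform text: a backup vault with `immutability` absent (provider default `Disabled`) or set to `Disabled` is a finding, while `Unlocked` and `Locked` pass. The regex-based block parser is an assumption of the example and handles only flat attributes and one level of nested blocks; the sample input is a condensed, constructed copy of the four vaults shown in the code samples plus one unrelated resource to show type filtering.

```python
# Added example, not KICS code: a minimal re-implementation of the
# "Backup Vault Without Immutability" rule over raw Terraform text.
import re
from dataclasses import dataclass

VAULT_TYPE = "azurerm_data_protection_backup_vault"
# Values that enable immutability; anything else, or an unset attribute, is flagged.
COMPLIANT = {"Unlocked", "Locked"}

# `resource "<type>" "<name>" { ... }` with at most one level of nested `{}` blocks.
# Assumption of this example: real HCL should go through python-hcl2 or `terraform show -json`.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*'
    r'\{(?P<body>(?:[^{}]|\{[^{}]*\})*)\}'
)
# `key = value` on a single line. Comment lines start with `#`, not an identifier, so they never match.
ATTR_RE = re.compile(
    r'^[ \t]*(?P<key>[A-Za-z_][A-Za-z0-9_]*)[ \t]*=[ \t]*(?P<value>.+?)[ \t]*$',
    re.MULTILINE,
)


@dataclass
class Finding:
    address: str       # e.g. azurerm_data_protection_backup_vault.positive2
    immutability: str  # effective value; "Disabled" when the attribute is absent
    message: str


def _clean(value: str) -> str:
    """Drop a trailing `# comment` and surrounding quotes (naive: `#` inside a string is not handled)."""
    return value.split("#", 1)[0].strip().strip('"')


def parse_resources(hcl: str) -> list[tuple[str, str, dict[str, str]]]:
    """Return (type, name, attributes) for every resource block in the text."""
    resources = []
    for block in RESOURCE_RE.finditer(hcl):
        attrs = {m.group("key"): _clean(m.group("value")) for m in ATTR_RE.finditer(block.group("body"))}
        resources.append((block.group("type"), block.group("name"), attrs))
    return resources


def check_vault_immutability(hcl: str) -> list[Finding]:
    """Flag backup vaults whose immutability is unset (default Disabled) or explicitly Disabled."""
    findings = []
    for rtype, rname, attrs in parse_resources(hcl):
        if rtype != VAULT_TYPE:
            continue  # the rule only concerns backup vaults
        address = f"{rtype}.{rname}"
        value = attrs.get("immutability")
        if value is None:
            findings.append(Finding(address, "Disabled",
                "immutability is not set; the provider default is Disabled, so backups can be deleted"))
        elif value not in COMPLIANT:
            findings.append(Finding(address, value,
                f"immutability is {value!r}; set it to Unlocked or, preferably, Locked"))
    return findings


# Constructed input: condensed versions of the page's four sample vaults plus one unrelated resource.
SAMPLE_HCL = '''
resource "azurerm_resource_group" "rg" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_data_protection_backup_vault" "positive1" {
  name           = "positive1-backup-vault"
  datastore_type = "VaultStore"
  # missing immutability - defaults to Disabled
}

resource "azurerm_data_protection_backup_vault" "positive2" {
  name         = "positive2-backup-vault"
  immutability = "Disabled"
}

resource "azurerm_data_protection_backup_vault" "negative1" {
  name         = "negative1-backup-vault"
  immutability = "Unlocked"  # passes the rule, but can still be switched back to Disabled
}

resource "azurerm_data_protection_backup_vault" "negative2" {
  name         = "negative2-backup-vault"
  immutability = "Locked"
}
'''

if __name__ == "__main__":
    for finding in check_vault_immutability(SAMPLE_HCL):
        print(f"{finding.address}: {finding.message}")
```

Running the script reports only `positive1` and `positive2`, matching the page's classification. Note that `Unlocked` satisfies the rule but, as the description points out, only `Locked` stops an attacker with write access from turning immutability off again before deleting backups.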