Beta - Backup Vault Without Soft Delete
- Query id: 8d407b28-c746-4650-8bbd-d27df54a795f
- Query name: Beta - Backup Vault Without Soft Delete
- Platform: Terraform
- Severity: High
- Category: Backup
- CWE: 754
- Risk score: 6.0
- URL: Github
Description
No 'azurerm_data_protection_backup_vault' resource should set 'soft_delete' to 'off'; with soft delete disabled, backup data that is deleted (accidentally or by an attacker) cannot be recovered.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "azurerm_data_protection_backup_vault" "positive" {
  name                = "positive-backup-vault"
  resource_group_name = azurerm_resource_group.positive.name
  location            = azurerm_resource_group.positive.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  soft_delete         = "off"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "azurerm_data_protection_backup_vault" "negative1" {
  name                = "negative1-backup-vault"
  resource_group_name = azurerm_resource_group.negative1.name
  location            = azurerm_resource_group.negative1.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  # missing soft_delete - defaults to on
}

resource "azurerm_data_protection_backup_vault" "negative2" {
  name                = "negative2-backup-vault"
  resource_group_name = azurerm_resource_group.negative2.name
  location            = azurerm_resource_group.negative2.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  soft_delete         = "on"
}

resource "azurerm_data_protection_backup_vault" "negative3" {
  name                = "negative3-backup-vault"
  resource_group_name = azurerm_resource_group.negative3.name
  location            = azurerm_resource_group.negative3.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  soft_delete         = "AlwaysOn"
}
```
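The check this query performs, as an added Python example (not the KICS query itself, which is written in Rego): it walks Terraform source, finds every `azurerm_data_protection_backup_vault` block, treats a missing `soft_delete` as the default `on`, and flags only vaults whose value is `off`, case-insensitively. The sample input is constructed from the four cases above with the resource-group attributes omitted.

```python
import re

# Constructed sample input: one vault per case from the samples above
# (vulnerable "off", attribute omitted, explicit "on", and "AlwaysOn").
SAMPLE_TF = '''
resource "azurerm_data_protection_backup_vault" "positive" {
  soft_delete = "off"
}
resource "azurerm_data_protection_backup_vault" "negative1" {
  # missing soft_delete - defaults to on
}
resource "azurerm_data_protection_backup_vault" "negative2" {
  soft_delete = "on"
}
resource "azurerm_data_protection_backup_vault" "negative3" {
  soft_delete = "AlwaysOn"
}
'''

BLOCK_START = re.compile(r'^\s*resource\s+"azurerm_data_protection_backup_vault"\s+"([^"]+)"\s*\{')
SOFT_DELETE = re.compile(r'^\s*soft_delete\s*=\s*"([^"]*)"')

def vault_soft_delete_settings(hcl: str) -> dict:
    """Map each backup vault's Terraform name to its effective soft_delete value.
    A missing attribute is reported as "on" (the default noted on this page); brace
    depth is tracked so a nested block such as identity {} does not end the resource."""
    settings, current, depth = {}, None, 0
    for line in hcl.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # HCL line comments never carry attributes
        if current is None:
            start = BLOCK_START.match(line)
            if start:
                current, depth = start.group(1), 1
                settings[current] = "on"
            continue
        attr = SOFT_DELETE.match(line)
        if attr and depth == 1:  # only the resource's own top-level attribute counts
            settings[current] = attr.group(1)
        depth += stripped.count("{") - stripped.count("}")
        if depth <= 0:
            current = None
    return settings

def vaults_without_soft_delete(hcl: str) -> list:
    """Names of vaults that disable soft delete; the comparison is case-insensitive."""
    return sorted(n for n, v in vault_soft_delete_settings(hcl).items() if v.lower() == "off")
```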