Beta - Blob Storage Without Soft Delete
- Query id: 056d28cc-7ee9-4b12-b2d1-16b7b66db72d
- Query name: Beta - Blob Storage Without Soft Delete
- Platform: Terraform
- Severity: High
- Category: Backup
- CWE: 754
- Risk score: 6.0
- URL: Github
Description
Every 'azurerm_storage_account' resource should define a 'delete_retention_policy' block inside 'blob_properties' so that deleted or overwritten blobs can be recovered (blob soft delete). The query also flags a retention period of fewer than 7 days, which is the provider's default when 'days' is omitted; shorter windows leave little time to notice an accidental or malicious deletion before the data is gone for good. Soft delete does not cover container deletion, so pair it with container soft delete and, where the workload allows, blob versioning.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
resource "azurerm_storage_account" "positive1" {
  name                     = "positive1"
  resource_group_name      = azurerm_resource_group.positive1.name
  location                 = azurerm_resource_group.positive1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # missing "blob_properties": blob soft delete is not configured at all
}

resource "azurerm_storage_account" "positive2" {
  name                     = "positive2"
  resource_group_name      = azurerm_resource_group.positive2.name
  location                 = azurerm_resource_group.positive2.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  blob_properties {
    # missing "delete_retention_policy": blob_properties alone does not enable soft delete
  }
}

resource "azurerm_storage_account" "positive3" {
  name                     = "positive3"
  resource_group_name      = azurerm_resource_group.positive3.name
  location                 = azurerm_resource_group.positive3.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  blob_properties {
    delete_retention_policy {
      days = 5 # below the 7-day minimum this query requires (the provider default)
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
resource "azurerm_storage_account" "negative1" {
  name                     = "negative1"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  # blob_properties needs a blob-capable account kind; the azurerm provider
  # rejects it on FileStorage accounts, which have no blob service
  account_kind             = "BlockBlobStorage"
  blob_properties {
    delete_retention_policy {
      days = 49 # explicit retention above the 7-day minimum
    }
  }
}

resource "azurerm_storage_account" "negative2" {
  name                     = "negative2"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "BlockBlobStorage"
  blob_properties {
    delete_retention_policy {} # "days" defaults to 7, which passes the query
  }
}
```
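The samples above show which configurations the query accepts and rejects. As an added example (it is not KICS's own Rego query and not code from the Terraform provider), the Python script below applies the same rule to the JSON that `terraform show -json <planfile>` emits, so the check can run after `terraform plan` in a pipeline rather than only on source files. The embedded plan document is constructed by hand to mirror the five sample accounts; the field layout it assumes (nested blocks serialized as lists of objects under `values`, absent blocks as empty lists, nested modules under `child_modules`) is that of Terraform's plan JSON format, and `check_soft_delete.py` in the usage line is a hypothetical filename.

```python
"""Flag azurerm_storage_account resources whose blob soft delete is missing
or retained for fewer than 7 days, reading `terraform show -json` output.

Added example for this page; not part of KICS or the azurerm provider.
"""
import json
import sys

MIN_RETENTION_DAYS = 7     # threshold the query enforces
PROVIDER_DEFAULT_DAYS = 7  # value azurerm applies when `days` is omitted

# Constructed plan JSON (not captured from a real run) mirroring the five
# sample accounts on this page plus one unrelated resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_storage_account.positive1", "mode": "managed",
         "type": "azurerm_storage_account", "name": "positive1",
         "values": {"name": "positive1", "blob_properties": []}},
        {"address": "azurerm_storage_account.positive2", "mode": "managed",
         "type": "azurerm_storage_account", "name": "positive2",
         "values": {"name": "positive2",
                    "blob_properties": [{"delete_retention_policy": []}]}},
        {"address": "azurerm_storage_account.positive3", "mode": "managed",
         "type": "azurerm_storage_account", "name": "positive3",
         "values": {"name": "positive3",
                    "blob_properties": [{"delete_retention_policy": [{"days": 5}]}]}},
        {"address": "azurerm_storage_account.negative1", "mode": "managed",
         "type": "azurerm_storage_account", "name": "negative1",
         "values": {"name": "negative1",
                    "blob_properties": [{"delete_retention_policy": [{"days": 49}]}]}},
        {"address": "azurerm_storage_account.negative2", "mode": "managed",
         "type": "azurerm_storage_account", "name": "negative2",
         "values": {"name": "negative2",
                    "blob_properties": [{"delete_retention_policy": [{"days": 7}]}]}},
        {"address": "azurerm_resource_group.rg", "mode": "managed",
         "type": "azurerm_resource_group", "name": "rg",
         "values": {"name": "testRG"}},
    ]}},
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def retention_days(values):
    """Return the effective soft-delete retention in days, or None when the
    delete_retention_policy block is absent. A block with `days` unset (null
    in the plan) is treated as the provider default."""
    blob_props = values.get("blob_properties") or []
    if not blob_props:
        return None
    policy = blob_props[0].get("delete_retention_policy") or []
    if not policy:
        return None
    days = policy[0].get("days")
    return PROVIDER_DEFAULT_DAYS if days is None else int(days)


def check_plan(plan_json):
    """Return (address, reason) findings for each non-compliant storage account."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("mode", "managed") != "managed":
            continue  # data sources are not something we configure
        if res.get("type") != "azurerm_storage_account":
            continue
        days = retention_days(res.get("values", {}))
        if days is None:
            findings.append((res["address"], "blob soft delete not configured"))
        elif days < MIN_RETENTION_DAYS:
            findings.append((res["address"],
                             f"retention of {days} days is below {MIN_RETENTION_DAYS}"))
    return findings


if __name__ == "__main__":
    # Usage: python check_soft_delete.py plan.json   (falls back to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(source)
    for address, reason in results:
        print(f"{address}: {reason}")
    sys.exit(1 if results else 0)
```

Against the constructed plan the script reports the three positive accounts and exits non-zero, leaving both negatives untouched. Treating a null `days` as the provider default is a deliberately lenient choice; a value that is still unknown at plan time (for example computed from another resource) also shows as null, so a stricter pipeline may prefer to fail on it.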