Beta - Containers Without Soft Delete

  • Query id: 12ecec8a-7961-48db-b644-86be8845d8fd
  • Query name: Beta - Containers Without Soft Delete
  • Platform: Terraform
  • Severity: High
  • Category: Backup
  • CWE: 754
  • Risk score: 6.0
  • URL: Github

Description

All 'azurerm_storage_account' resources should define a 'container_delete_retention_policy' block for their 'blob_properties' to allow data recovery
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_storage_account" "positive1" {
  name                     = "positive1"
  resource_group_name      = azurerm_resource_group.positive1.name
  location                 = azurerm_resource_group.positive1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # missing "blob_properties"
}

resource "azurerm_storage_account" "positive2" {
  name                     = "positive2"
  resource_group_name      = azurerm_resource_group.positive2.name
  location                 = azurerm_resource_group.positive2.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  blob_properties {
    # missing "container_delete_retention_policy"
  }
}

resource "azurerm_storage_account" "positive3" {
  name                     = "positive3"
  resource_group_name      = azurerm_resource_group.positive3.name
  location                 = azurerm_resource_group.positive3.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  blob_properties {
    container_delete_retention_policy {
      days = 5                            # lower than minimum value (7)
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_storage_account" "negative1" {
  name                     = "negative1"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"

  blob_properties {
    container_delete_retention_policy {
      days = 49
    }
  }
}

resource "azurerm_storage_account" "negative2" {
  name                     = "negative2"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"

  blob_properties {
    container_delete_retention_policy {} # defaults to 7 days
  }
}