Azure Blob Immutable Storage Not Enabled
ID: azure-blob-immutable-not-enabled
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,azure-blob-storage,azure-cloud-config
Description
Section titled “Description”Ensure that Immutable Blob Storage feature is enabled for Microsoft Azure Storage blob containers that hold sensitive and business-critical information. Immutable Blob Storage enables you to store critical, production data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified time interval. Azure blob objects can be created and read, but not modified or deleted, for the duration of the retention interval configured. The feature supports two types of policies that you can apply to a container for retaining the data within the specified container in a non-modifiable and delete-protected state.
YAML Source
Section titled “YAML Source”id: azure-blob-immutable-not-enabledinfo: name: Azure Blob Immutable Storage Not Enabled author: princechaddha severity: high description: | Ensure that Immutable Blob Storage feature is enabled for Microsoft Azure Storage blob containers that hold sensitive and business-critical information. Immutable Blob Storage enables you to store critical, production data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified time interval. Azure blob objects can be created and read, but not modified or deleted, for the duration of the retention interval configured. The feature supports two types of policies that you can apply to a container for retaining the data within the specified container in a non-modifiable and delete-protected state. impact: | Failure to enable Immutable Blob Storage can result in critical data being modified or deleted, which could lead to regulatory compliance issues and potential data loss. remediation: | Apply an appropriate time-based immutability policy or a legal hold policy to your Azure Storage blob containers to protect sensitive and business-critical data from being modified or deleted. reference: - https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-storage tags: cloud,devops,azure,microsoft,azure-blob-storage,azure-cloud-config
flow: | code(1); for (let AccountData of iterate(template.accountList)) { AccountData = JSON.parse(AccountData); set("name", AccountData.Name); code(2); let containerList = template.code_2_response; let ContainerData = JSON.parse(containerList); ContainerData.forEach(container => { set("currentContainer", JSON.stringify(container)); javascript(1); }); }
self-contained: truecode: - engine: - sh - bash source: | az storage account list --query '[*].{"Name":name}'
extractors: - type: json name: accountList internal: true json: - '.[]'
- engine: - sh - bash source: | az storage container list --account-name "$name" --query '[*].{"ContainerName":name, "TimeBasedRetentionPolicy":properties.hasImmutabilityPolicy, "LegalHoldPolicy": properties.hasLegalHold}'
javascript: - code: | let container = JSON.parse(template.currentContainer); if (!container.TimeBasedRetentionPolicy && !container.LegalHoldPolicy) { let result = `Blob container '${container.ContainerName}' in account '${template.name}' does not have Immutable Blob Storage enabled.`; Export(result); } extractors: - type: dsl dsl: - response# digest: 4a0a004730450221008238a65d5a0f07792f5e75c01d2b12172865284634587fd4654015fe85fed0b30220731daff88762d3a5ee80c00576bf4ede511d06fd31f784891b0d7a91b04e0f5d:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/storageaccounts/azure-blob-immutable-not-enabled.yaml"