Azure Storage accounts have blob versioning enabled (IsVersioningEnabled) to automatically retain previous versions of blobs created by updates or deletes
Risk
Without blob versioning:
- Integrity: overwrites can't be reverted
- Availability: deletes or ransomware remove usable copies
- Forensics: no immutable history for investigation and scoped recovery
Mistakes or compromised identities can cause irreversible object loss and wider impact.
prowler azure --checks storage_blob_versioning_is_enabled
Recommendation
Enable blob versioning for accounts holding critical data. Pair with blob soft delete and lifecycle rules to retain and age off versions. Enforce least privilege on write and version-delete actions, and monitor access. For high-churn data, isolate into separate accounts with tailored retention to balance security and cost.
Remediation
az storage account blob-service-properties update --resource-group <resource_group> --account-name <storage-account> --enable-versioning true
- In the Azure portal, go to Storage accounts and open your storage account
- Under Data management, select Data protection
- In Tracking, set Enable versioning for blobs to Enabled
- Click Save
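As an added illustration (not part of the Prowler check or the Azure documentation), the script below reproduces the check's logic and the recommendation above: it evaluates each account's blob-service properties for versioning and soft delete, and emits the matching `az` remediation command for any account that fails. The input records are constructed samples shaped like `az storage account blob-service-properties show` output; the 14-day retention value is an assumed example.

```python
"""Audit Azure Storage blob-service properties for versioning and soft delete.

Input mirrors the camelCase JSON of `az storage account blob-service-properties
show` (isVersioningEnabled, deleteRetentionPolicy). All records below are
constructed samples, not real accounts.
"""
import json

SAMPLE_PROPERTIES = json.loads("""
[
  {"account": "stprod01", "resourceGroup": "rg-prod", "isVersioningEnabled": true,
   "deleteRetentionPolicy": {"enabled": true, "days": 14}},
  {"account": "stlogs02", "resourceGroup": "rg-prod", "isVersioningEnabled": false,
   "deleteRetentionPolicy": {"enabled": true, "days": 7}},
  {"account": "stscratch", "resourceGroup": "rg-dev",
   "deleteRetentionPolicy": {"enabled": false}}
]
""")


def evaluate(props):
    """Return a finding for one account: PASS/FAIL, reasons, remediation commands."""
    # A missing isVersioningEnabled key means the feature was never turned on.
    versioning = bool(props.get("isVersioningEnabled", False))
    soft_delete = props.get("deleteRetentionPolicy") or {}
    base = ("az storage account blob-service-properties update "
            f"--resource-group {props['resourceGroup']} "
            f"--account-name {props['account']} ")
    reasons, remediation = [], []
    if not versioning:
        reasons.append("blob versioning disabled")
        remediation.append(base + "--enable-versioning true")
    if not soft_delete.get("enabled"):
        reasons.append("blob soft delete disabled")
        # 14 days is an assumed retention period; tune it to your recovery needs.
        remediation.append(base + "--enable-delete-retention true --delete-retention-days 14")
    return {"account": props["account"], "status": "FAIL" if reasons else "PASS",
            "reasons": reasons, "remediation": remediation}


def audit(accounts):
    """Evaluate every account record and return the list of findings."""
    return [evaluate(p) for p in accounts]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        detail = "; ".join(finding["reasons"]) or "versioning and soft delete enabled"
        print(finding["status"], finding["account"], detail)
        for cmd in finding["remediation"]:
            print("    ", cmd)
```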
Resource Type
microsoft.storage/storageaccounts
References
- https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-overview
- https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-versioning-for-blobs.html
- https://learn.microsoft.com/en-us/azure/storage/blobs/versions-manage-dotnet