Especially for financial institutions, legal services, and organizations in the healthcare and insurance industries, it is crucial to store data securely for a specific period in accordance with regulations. These organizations are required to protect their business-related data against any kind of modification or deletion for a defined time. Azure addresses this with immutable storage for Blob storage: once enabled on a container, no user, including those with administrative privileges, can modify or delete the data it holds while the protection is in effect.
Azure storage accounts (general purpose v2 and Blob storage accounts only) now let organizations enable legal holds, time-based retention, or both.
Azure Blob storage supports two types of immutable storage policies.
The first, a time-based retention policy, keeps blobs immutable for a specified interval, counted from the creation of each blob. Blobs can be read, but not overwritten or deleted, until their retention interval has elapsed.
The second, a legal hold, is for cases where the required retention interval is not yet known. Data is stored immutably until a user explicitly clears the hold, which can be done at any time. A legal hold must carry at least one tag that identifies the reason for the hold (for example, a case number), and the hold stays in place as long as at least one tag remains.
Both policy types are applied at the container level, and a container can have a time-based retention policy and a legal hold at the same time. An assigned policy automatically covers all new and existing blobs in the container.
A time-based retention policy starts out unlocked. An unlocked policy already prevents blobs from being modified or deleted, but an administrator can still change or remove the policy itself, so the protection is not tamper-proof until you lock it. Once locked, even administrators cannot remove or unlock the policy until the retention period is over. You can extend the retention interval of a locked policy (at most five times), but you cannot decrease it. So if you want to test this feature, I strongly recommend not locking a policy with a long retention interval.
Here are some limitations of immutable storage:
- The minimum retention interval for time-based retention policies is one day; the maximum value is 400 years or 146,000 days.
- The maximum number of containers in a single storage account with locked immutable policies is 1,000.
- The maximum number of containers in a single storage account with legal hold settings is 1,000.
Creating required resources ^
First, make sure the required Azure Resource Manager storage module is installed. If it is not, install it with the following commands:
Install-Module PowerShellGet -Repository PSGallery -Force
Install-Module -Name AzureRM.Storage -AllowPrerelease -Repository PSGallery -AllowClobber -Force
Note that the AzureRM modules have since been retired in favor of the Az modules. Every cmdlet used below has an Az counterpart whose name differs only in the prefix: Add-AzureRmStorageContainerLegalHold becomes Add-AzRmStorageContainerLegalHold, Set-AzureRmStorageContainerImmutabilityPolicy becomes Set-AzRmStorageContainerImmutabilityPolicy, and so on.
To enable and configure immutable storage features, we first need to create a new storage account with a general purpose v2 or Blob type, or use an existing one that is compliant.
$ResourceGroupName = "Immutable-Storage-Test-00"
$StorageAccountName = "immutablestorage00"
$containerName01 = "storagecontainer01"
$containerName02 = "storagecontainer02"
$location = "WestEurope"
New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -SkuName Standard_LRS `
    -Location $location `
    -Kind StorageV2
Now we can create two containers in the storage account with the following commands:
New-AzureRmStorageContainer `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -Name $containerName01
New-AzureRmStorageContainer `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -Name $containerName02
Legal hold operations ^
Now we can apply a legal hold policy to "storagecontainer01" using the command below:
Add-AzureRmStorageContainerLegalHold `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -Name $containerName01 `
    -Tag sampletag
When we now try to remove this storage container, the following error occurs and the deletion fails:
Remove-AzureRmStorageContainer : The storage account immutablestorage00 container storagecontainer01 is protected from deletion due to LegalHold.
To remove a legal hold from a container, clear its tags with the following command. The hold is lifted only when the last tag has been removed:
Remove-AzureRmStorageContainerLegalHold `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -Name $containerName01 `
    -Tag sampletag
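The following script walks through the complete legal hold lifecycle described above and verifies each step instead of relying on the error output. It is an added example, not code from the original article, and it is written against the current Az.Storage module (the successor of the AzureRM module used in the article). The resource names, the two tags, and the sample blob content are assumptions; the script expects an authenticated session (Connect-AzAccount) and the storage account and container created earlier.

```powershell
# Added example (not from the original article): legal hold lifecycle with Az.Storage.
# Assumptions: resource group, storage account and container from the article exist,
# and the session is already authenticated with Connect-AzAccount.
$ResourceGroupName  = "Immutable-Storage-Test-00"
$StorageAccountName = "immutablestorage00"
$containerName01    = "storagecontainer01"
$common = @{ ResourceGroupName = $ResourceGroupName; StorageAccountName = $StorageAccountName; Name = $containerName01 }

# Upload a constructed sample blob so that there is something to protect.
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
$tmp = New-TemporaryFile
Set-Content -Path $tmp -Value "constructed sample record, retained for a legal matter"
Set-AzStorageBlobContent -File $tmp -Container $containerName01 -Blob "app1.txt" -Context $ctx -Force | Out-Null

# Apply one legal hold carrying two tags, e.g. one per matter that needs the data.
Add-AzRmStorageContainerLegalHold @common -Tag "case-1234", "audit-2022" | Out-Null

# Verify that the container reports the hold and the tags that justify it.
$container = Get-AzRmStorageContainer @common
"HasLegalHold = $($container.HasLegalHold); tags = $($container.LegalHold.Tags.Tag -join ', ')"

# A blob delete under a legal hold must fail. Catch the error rather than let the script die,
# and warn loudly if the delete unexpectedly succeeds, because that means the data is unprotected.
try {
    Remove-AzStorageBlob -Container $containerName01 -Blob "app1.txt" -Context $ctx -ErrorAction Stop
    Write-Warning "Blob delete succeeded: container $containerName01 is NOT protected"
} catch {
    "Blob delete rejected as expected: $($_.Exception.Message)"
}

# Clearing one tag does not lift the hold; the other matter still needs the data.
Remove-AzRmStorageContainerLegalHold @common -Tag "case-1234" | Out-Null
$container = Get-AzRmStorageContainer @common
"After clearing case-1234: HasLegalHold = $($container.HasLegalHold); remaining tags = $($container.LegalHold.Tags.Tag -join ', ')"

# Only when the last tag is cleared does the container become deletable again.
Remove-AzRmStorageContainerLegalHold @common -Tag "audit-2022" | Out-Null
$container = Get-AzRmStorageContainer @common
"After clearing audit-2022: HasLegalHold = $($container.HasLegalHold)"
Remove-Item $tmp
```

Tagging each hold with the matter it belongs to is what makes the "clear at any time" property safe in practice: whoever closes one case removes only their own tag, and the data stays protected for everyone else until the last tag is gone.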
Immutable storage operations ^
This section covers immutability policies, that is, time-based retention. To set an immutability policy on a container, use the command below. The retention interval is given in days:
Set-AzureRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -ContainerName $containerName02 `
    -ImmutabilityPeriod 5
From now on, blobs in the container can neither be overwritten nor deleted for five days from their creation, and the container itself cannot be deleted.
Note that the "state" of the policy is "Unlocked" at this point. Even though users are not able to modify or delete any blobs in this container, administrators can still remove the immutability policy from the container, since it is not "Locked" yet.
Let's try to delete a blob in a container protected by an immutability policy. The deletion is rejected because the blob is still within its retention interval:
$ctx = New-AzureStorageContext `
    -StorageAccountName $StorageAccountName `
    -StorageAccountKey "[YOURSTORAGEACCOUNTKEY]"
Remove-AzureStorageBlob -Container $containerName02 -Blob "app1.txt" -Context $ctx
Next, we lock the policy on the container. Make sure you are happy with the retention interval first, because this step cannot be undone:
$policy = Get-AzureRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -ContainerName $containerName02
Lock-AzureRmStorageContainerImmutabilityPolicy -ImmutabilityPolicy $policy -Force
Now we've locked the immutability policy on the container. This means that for five days nobody will be able to modify or remove the blobs in this container, or the container itself, without exception; the only change still allowed is extending the retention interval.
When we try to remove the container, we get the following error:
Even if we tried to remove the entire storage account, the result would be the same:
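The script below covers the full time-based retention lifecycle from the last two sections in one run: inspect the unlocked policy, confirm that a blob delete is already rejected, lock the policy only after a sanity check on the retention interval, extend the locked policy, and confirm that removing a locked policy fails. It is an added example, not code from the original article, and it uses the Az.Storage module (successor of AzureRM). The resource names, the seven-day test ceiling, and the sample blob are assumptions; it expects an authenticated session and the storage account and container created earlier.

```powershell
# Added example (not from the original article): time-based retention lifecycle with Az.Storage.
# Assumptions: resource group, storage account and container from the article exist,
# the session is authenticated (Connect-AzAccount), and a 7-day ceiling is acceptable for a test.
$ResourceGroupName  = "Immutable-Storage-Test-00"
$StorageAccountName = "immutablestorage00"
$containerName02    = "storagecontainer02"
$maxTestDays        = 7   # guard against locking a long policy on a test account
$common = @{ ResourceGroupName = $ResourceGroupName; StorageAccountName = $StorageAccountName; ContainerName = $containerName02 }

# Put a constructed sample blob in the container so that there is something to protect.
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
$tmp = New-TemporaryFile
Set-Content -Path $tmp -Value "constructed sample record under time-based retention"
Set-AzStorageBlobContent -File $tmp -Container $containerName02 -Blob "app1.txt" -Context $ctx -Force | Out-Null

# 1. Create the policy. It starts unlocked: blobs are protected, the policy itself is not.
Set-AzRmStorageContainerImmutabilityPolicy @common -ImmutabilityPeriod 5 | Out-Null
$policy = Get-AzRmStorageContainerImmutabilityPolicy @common
"State = $($policy.State); period = $($policy.ImmutabilityPeriodSinceCreationInDays) days"

# 2. Even unlocked, the policy rejects blob deletes. Treat a successful delete as a failure.
try {
    Remove-AzStorageBlob -Container $containerName02 -Blob "app1.txt" -Context $ctx -ErrorAction Stop
    Write-Warning "Blob delete succeeded: container $containerName02 is NOT protected"
} catch {
    "Blob delete rejected as expected: $($_.Exception.Message)"
}

# 3. Lock the policy, but only if the interval is short enough for a test. Locking is irreversible.
if ($policy.ImmutabilityPeriodSinceCreationInDays -gt $maxTestDays) {
    throw "Refusing to lock a $($policy.ImmutabilityPeriodSinceCreationInDays)-day policy on a test account"
}
Lock-AzRmStorageContainerImmutabilityPolicy @common -Etag $policy.Etag -Force | Out-Null
$policy = Get-AzRmStorageContainerImmutabilityPolicy @common
"State after lock = $($policy.State)"

# 4. A locked policy can only be extended (never shortened, at most five times). The Etag
#    ties the change to the policy version we just read, so a concurrent change is detected.
Set-AzRmStorageContainerImmutabilityPolicy @common -ImmutabilityPeriod 7 -ExtendPolicy -Etag $policy.Etag | Out-Null
$policy = Get-AzRmStorageContainerImmutabilityPolicy @common
"Period after extension = $($policy.ImmutabilityPeriodSinceCreationInDays) days"

# 5. Removing a locked policy must fail, for administrators included.
try {
    Remove-AzRmStorageContainerImmutabilityPolicy @common -Etag $policy.Etag -ErrorAction Stop
    Write-Warning "Policy removal succeeded: retention on $containerName02 is NOT tamper-proof"
} catch {
    "Policy removal rejected as expected: $($_.Exception.Message)"
}
Remove-Item $tmp
```

The check before Lock-AzRmStorageContainerImmutabilityPolicy is the practical form of the advice above: a locked policy cannot be shortened or removed, so a script that locks policies on a test account should refuse intervals it cannot afford to wait out. Passing the Etag to the extend and remove calls is optimistic concurrency: if someone changed the policy between the Get and the Set, the call fails instead of silently overwriting their change.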
With data protection regulations in force, protecting sensitive data has become more important than ever. With this in mind, the immutable storage feature of Azure storage accounts provides a simple yet effective solution for organizations that need to retain data in a compliant way.