Immutability
March 21, 2025
SYNOPSIS
Ensure immutability is configured to protect backup data.
DESCRIPTION
Immutability is supported for Backup vaults by configuring the Immutable vault setting.
Immutable vault helps protect backup data by blocking any operation that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible, which prevents a malicious actor from disabling immutability and then deleting backups.
For example, a malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.
The Immutable vault setting is not enabled by default.
RECOMMENDATION
Consider configuring immutability to protect backup data from accidental or malicious deletion.
EXAMPLES
Configure with Azure template
To deploy Backup vaults that pass this rule:
- Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.
For example:
{
  "type": "Microsoft.DataProtection/backupVaults",
  "apiVersion": "2022-11-01-preview",
  "name": "[parameters('vaultName')]",
  "location": "[parameters('location')]",
  "properties": {
    "securitySettings": {
      "immutabilitySettings": {
        "state": "Locked"
      }
    }
  }
}
Configure with Bicep
To deploy Backup vaults that pass this rule:
- Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.
For example:
resource backupVault 'Microsoft.DataProtection/backupVaults@2022-11-01-preview' = {
  name: vaultName
  location: location
  properties: {
    securitySettings: {
      immutabilitySettings: {
        state: 'Locked'
      }
    }
  }
}
</resource>
NOTES
Note that locking immutability (setting the state to Locked) is irreversible, so make a well-informed decision before opting to lock.
For example, for vaults containing production workloads, consider using Locked.
For cases where you create and destroy backups and vaults on a regular basis, such as temporary environments, consider Unlocked.
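The following is an added example, not code from the page or from the PSRule project: a small Python check that walks an ARM template's resources and evaluates every Backup vault against this rule, reporting the absent-by-default state as a failure and distinguishing the irreversible Locked state from Unlocked. The sample template is constructed here; the Disabled value in it is assumed as a state outside the two passing ones.

```python
import json

# Rule under discussion: a Backup vault passes when
# properties.securitySettings.immutabilitySettings.state is Unlocked or Locked.
VAULT_TYPE = "Microsoft.DataProtection/backupVaults"
PASSING_STATES = {"Unlocked", "Locked"}

def immutability_state(resource):
    """Return the configured immutability state of a vault resource, or None when unset."""
    props = resource.get("properties") or {}
    security = props.get("securitySettings") or {}
    immutability = security.get("immutabilitySettings") or {}
    return immutability.get("state")

def check_vault(resource):
    """Evaluate one Backup vault resource; returns (passed, reason)."""
    state = immutability_state(resource)
    if state is None:
        # The setting is off by default, so an absent state means no immutability.
        return False, "immutabilitySettings.state is not set (immutability is off by default)"
    if state not in PASSING_STATES:
        return False, f"immutabilitySettings.state is {state!r}, expected Unlocked or Locked"
    if state == "Locked":
        return True, "Locked: immutability cannot be disabled later (irreversible)"
    return True, "Unlocked: immutability is on but can still be changed"

def check_template(template):
    """Walk an ARM template's resources and evaluate every Backup vault by name."""
    results = {}
    for res in template.get("resources", []):
        # ARM resource types are case-insensitive.
        if res.get("type", "").lower() == VAULT_TYPE.lower():
            results[res.get("name", "<unnamed>")] = check_vault(res)
    return results

# Constructed sample template (not from the page): four vaults with different settings.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.DataProtection/backupVaults", "name": "prod-vault",
     "properties": {"securitySettings": {"immutabilitySettings": {"state": "Locked"}}}},
    {"type": "Microsoft.DataProtection/backupVaults", "name": "temp-vault",
     "properties": {"securitySettings": {"immutabilitySettings": {"state": "Unlocked"}}}},
    {"type": "Microsoft.DataProtection/backupVaults", "name": "legacy-vault",
     "properties": {"securitySettings": {"immutabilitySettings": {"state": "Disabled"}}}},
    {"type": "Microsoft.DataProtection/backupVaults", "name": "default-vault", "properties": {}}
  ]
}""")

for name, (passed, reason) in check_template(SAMPLE_TEMPLATE).items():
    print(f"{'PASS' if passed else 'FAIL'} {name}: {reason}")
```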