Reducing the backup retention duration can reduce an organization’s ability to re-establish service in case of a security incident.
Data backups make it possible to overcome data corruption or unavailability by recovering as efficiently as possible from a security incident.
Backup retention duration, coverage, and backup locations are essential criteria for functional continuity.
Ask Yourself Whether
- This component is essential for the information system infrastructure.
- This component is essential for mission-critical functions.
- Compliance policies require this component to be backed up for a specific amount of time.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
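Increase the backup retention period to a duration long enough to restore service in case of an incident. The period should also exceed the time an incident may take to be detected; otherwise every retained backup may already contain the corrupted data.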
Sensitive Code Example
For Azure App Service:
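// Web app whose scheduled backups are configured by the `backup` resource below.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: 'webApp'
}

// Backup configuration of the web app. It is declared outside its parent, so
// the resource type is written in full ('Microsoft.Web/sites/config'); the
// short form 'config@...' is only valid for a resource nested inside webApp.
resource backup 'Microsoft.Web/sites/config@2022-03-01' = {
  name: 'backup'
  parent: webApp
  properties: {
    backupSchedule: {
      // One backup per day.
      frequencyInterval: 1
      frequencyUnit: 'Day'
      keepAtLeastOneBackup: true
      // Only 2 days of backups are retained, which leaves a very short window
      // to notice an incident and still have a backup that predates it.
      retentionPeriodInDays: 2 // Sensitive
    }
  }
}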
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "webApp",
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2022-03-01",
"name": "webApp/backup",
"properties": {
"backupSchedule": {
"frequencyInterval": 1,
"frequencyUnit": "Day",
"keepAtLeastOneBackup": true,
"retentionPeriodInDays": 2
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', 'webApp')]"
]
}
]
}
For Azure Cosmos DB accounts:
// Cosmos DB account with a periodic backup policy. Only the backup policy is
// shown; the snippet omits the account name and the other account properties.
resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  properties: {
    backupPolicy: {
      type: 'Periodic'
      periodicModeProperties: {
        // 1440 minutes: one backup every 24 hours.
        backupIntervalInMinutes: 1440
        // Backups are retained for 8 hours only, which is shorter than the
        // 24-hour interval between two backups configured above.
        backupRetentionIntervalInHours: 8 // Sensitive
      }
    }
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DocumentDB/databaseAccounts",
"apiVersion": "2023-04-15",
"properties": {
"backupPolicy": {
"type": "Periodic",
"periodicModeProperties": {
"backupIntervalInMinutes": 1440,
"backupRetentionIntervalInHours": 8
}
}
}
}
]
}
For Azure Backup vault policies:
// Recovery Services vault with a backup policy declared as a nested child
// resource (hence the short 'backupPolicies@...' type).
resource vault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  name: 'testVault'
  resource backupPolicy 'backupPolicies@2023-01-01' = {
    name: 'backupPolicy'
    properties: {
      backupManagementType: 'AzureSql'
      retentionPolicy: {
        retentionPolicyType: 'SimpleRetentionPolicy'
        // count and durationType together give the retention: 2 days here.
        retentionDuration: {
          // Only 2 days of backups are retained, which leaves a very short
          // window to notice an incident and still have a usable backup.
          count: 2 // Sensitive
          durationType: 'Days'
        }
      }
    }
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"name": "testVault",
"resources": [
{
"type": "backupPolicies",
"apiVersion": "2023-01-01",
"name": "testVault/backupPolicy",
"properties": {
"backupManagementType": "AzureSql",
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 2,
"durationType": "Days"
}
}
}
}
]
}
]
}
Compliant Solution
For Azure App Service:
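// Web app whose scheduled backups are configured by the `backup` resource below.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: 'webApp'
}

// Backup configuration of the web app. It is declared outside its parent, so
// the resource type is written in full ('Microsoft.Web/sites/config'); the
// short form 'config@...' is only valid for a resource nested inside webApp.
resource backup 'Microsoft.Web/sites/config@2022-03-01' = {
  name: 'backup'
  parent: webApp
  properties: {
    backupSchedule: {
      // One backup per day.
      frequencyInterval: 1
      frequencyUnit: 'Day'
      keepAtLeastOneBackup: true
      // Backups are retained for 8 days (the ARM template variant on this page
      // uses 30). Pick the value from your recovery and compliance
      // requirements rather than copying this number.
      retentionPeriodInDays: 8
    }
  }
}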
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "webApp",
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2022-03-01",
"name": "webApp/backup",
"properties": {
"backupSchedule": {
"frequencyInterval": 1,
"frequencyUnit": "Day",
"keepAtLeastOneBackup": true,
"retentionPeriodInDays": 30
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', 'webApp')]"
]
}
]
}
For Azure Cosmos DB accounts:
// Cosmos DB account with a periodic backup policy. Only the backup policy is
// shown; the snippet omits the account name and the other account properties.
resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  properties: {
    backupPolicy: {
      type: 'Periodic'
      periodicModeProperties: {
        // 1440 minutes: one backup every 24 hours.
        backupIntervalInMinutes: 1440
        // 192 hours: backups are retained for 8 days (the ARM template variant
        // on this page uses 720 hours, i.e. 30 days).
        backupRetentionIntervalInHours: 192
      }
    }
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DocumentDB/databaseAccounts",
"apiVersion": "2023-04-15",
"properties": {
"backupPolicy": {
"type": "Periodic",
"periodicModeProperties": {
"backupIntervalInMinutes": 1440,
"backupRetentionIntervalInHours": 720
}
}
}
}
]
}
For Azure Backup vault policies:
// Recovery Services vault with a backup policy declared as a nested child
// resource (hence the short 'backupPolicies@...' type).
resource vault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  name: 'testVault'
  resource backupPolicy 'backupPolicies@2023-01-01' = {
    name: 'backupPolicy'
    properties: {
      backupManagementType: 'AzureSql'
      retentionPolicy: {
        retentionPolicyType: 'SimpleRetentionPolicy'
        // count and durationType together give the retention: 8 days here
        // (the ARM template variant on this page uses 30 days).
        retentionDuration: {
          count: 8
          durationType: 'Days'
        }
      }
    }
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"name": "testVault",
"resources": [
{
"type": "backupPolicies",
"apiVersion": "2023-01-01",
"name": "testVault/backupPolicy",
"properties": {
"backupManagementType": "AzureSql",
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 30,
"durationType": "Days"
}
}
}
}
]
}
]
}