Check for Sufficient Backup Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-014

Ensure that your Microsoft Azure App Services applications have a sufficient daily backup retention period configured for scheduled backups, in order to meet security and regulatory requirements. Before the Cloud Conformity engine runs this rule, the backup retention period must be configured in the rule settings, on the Cloud Conformity account dashboard. A retention value of 0 will keep backup files indefinitely.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

Setting an optimal backup retention period for your Azure App Services applications keeps your backup strategy in line with the best practices specified in the compliance regulations promoted by your organization. Retaining application backups for a longer period of time allows you to handle your app data restoration process more efficiently.


Audit

To determine if your Microsoft Azure App Services applications have a sufficient backup retention period configured, perform the following operations:

Using Azure Portal

01 Sign in to your Cloud Conformity account, open the settings of the Check for Sufficient Backup Retention Period conformity rule and identify the application backup retention period configured for the rule.

02 Sign in to Azure Management Console.

03 Navigate to the App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

04 Click on the name of the App Services application that you want to examine.

05 In the navigation panel, under Settings, choose Backups, then click on the Configure button from the dashboard top menu to access the Backup and Restore configuration settings available for the selected application.

06 On the Backup Configuration panel, under Backup Schedule, check the backup retention period (i.e. number of days) available in the Retention (Days) box. If the backup retention period set for the verified application is less than the retention period identified at step no. 1, the selected Microsoft Azure App Services application does not have a sufficient backup retention period configured for scheduled backups.

07 Repeat steps no. 4 – 6 for each Azure App Services application available in the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, open the settings of the Check for Sufficient Backup Retention Period conformity rule and identify the application backup retention period configured for the rule.

02 Run the az webapp list command (Windows/macOS/Linux) using custom query filters to list the names of all App Services applications (and the names of their associated resource groups) deployed in the current Azure subscription:

az webapp list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

03 The command output should return a table with the requested application identifiers:

Name               ResourceGroup
-----------------  ------------------------------
cc-nodejs-web-app  cloud-shell-storage-westeurope
cc-aspnet-web-app  cloud-shell-storage-westeurope

04 Run the az webapp config backup show command (Windows/macOS/Linux), using the name of the application that you want to examine as the identifier parameter, to describe the backup retention period set for the selected App Services application:

az webapp config backup show \
	--webapp-name cc-nodejs-web-app \
	--resource-group cloud-shell-storage-westeurope \
	--query 'backupSchedule.retentionPeriodInDays'

05 The command output should return the number of days configured as the backup retention period:

7

If the value returned by the webapp config backup show command output is lower than the retention period value identified at step no. 1, the selected Microsoft Azure App Services application does not have a sufficient backup retention period configured for automated backups.

06 Repeat steps no. 4 and 5 for each Azure App Services application deployed within the current subscription.

07 Repeat steps no. 2 – 6 for each subscription available in your Microsoft Azure cloud account.
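Steps 02 – 07 above, automated as an added example (not part of the original page or of Conformity). The function names `classify_retention`, `audit_subscription` and `audit_all` and the `REQUIRED_DAYS` variable are hypothetical; the script also treats a retention of 0 as compliant because 0 keeps backups indefinitely, which a plain "lower than" comparison would wrongly flag.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the scheduled-backup
# retention of every App Service app against a required number of days.

# classify_retention REQUIRED ACTUAL -> prints PASS, FAIL or NO_VALUE
classify_retention() {
  case $2 in
    ''|*[!0-9]*) echo NO_VALUE; return ;;  # empty, null, or a failed lookup
  esac
  # 0 keeps backups indefinitely, so it satisfies any requirement.
  if [ "$2" -eq 0 ]; then echo PASS; return; fi
  # Assumption: a required value of 0 means "keep indefinitely",
  # which no finite retention period can satisfy.
  if [ "$1" -eq 0 ]; then echo FAIL; return; fi
  if [ "$2" -ge "$1" ]; then echo PASS; else echo FAIL; fi
}

# audit_subscription REQUIRED SUBSCRIPTION_ID
# Prints: app name, resource group, retention (days), verdict (tab-separated).
audit_subscription() {
  tab=$(printf '\t')
  az webapp list --subscription "$2" \
     --query '[].[name, resourceGroup]' --output tsv </dev/null |
  while IFS=$tab read -r app rg; do
    days=$(az webapp config backup show --subscription "$2" \
             --webapp-name "$app" --resource-group "$rg" \
             --query 'backupSchedule.retentionPeriodInDays' \
             --output tsv </dev/null 2>/dev/null) || days=
    printf '%s\t%s\t%s\t%s\n' "$app" "$rg" "${days:-none}" \
           "$(classify_retention "$1" "$days")"
  done
}

# audit_all REQUIRED: repeat the audit for every subscription in the account.
audit_all() {
  az account list --query '[].id' --output tsv </dev/null |
  while read -r sub; do audit_subscription "$1" "$sub"; done
}

# Run only when asked, e.g.: REQUIRED_DAYS=30 bash audit.sh --all
# REQUIRED_DAYS stands in for the value from the rule settings (step 01).
if [ "${1:-}" = "--all" ]; then audit_all "${REQUIRED_DAYS:-30}"; fi
```

A `NO_VALUE` verdict means no retention period could be read for the app (no value returned, or the lookup failed), so check that application manually in the portal.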

Remediation / Resolution

To reconfigure the backup retention period for your Microsoft Azure App Services applications, perform the following operations:

Using Azure Portal

01 Sign in to your Cloud Conformity account, open the settings of the Check for Sufficient Backup Retention Period conformity rule and copy the backup retention period defined for Azure App Services applications.

02 Sign in to Azure Management Console.

03 Navigate to the App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

04 Click on the name of the application that you want to reconfigure (see Audit section part I to identify the right application).

05 In the navigation panel, under Settings, choose Backups, then click on the Configure button from the dashboard top menu to access the Backup and Restore configuration settings available for the selected application.

06 On the Backup Configuration panel, in the Backup Schedule section, replace the value available in the Retention (Days) box with the value copied at step no. 1, to update the backup retention period configured for the selected Azure App Services application. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 for each Azure App Services application that you need to reconfigure, available in the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, open the settings of the Check for Sufficient Backup Retention Period conformity rule and copy the backup retention period defined for Azure App Services applications.

02 Run the az webapp config backup update command (Windows/macOS/Linux) to configure the optimal backup retention period for the selected Microsoft Azure App Services application by setting the --retention parameter value to the configuration value copied at step no. 1 (the command does not produce an output):

az webapp config backup update \
	--webapp-name cc-nodejs-web-app \
	--resource-group cloud-shell-storage-westeurope \
	--retention 30

03 Repeat step no. 2 for each Azure App Services application that you have to reconfigure, available within the current subscription.

04 Repeat steps no. 2 and 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Apr 6, 2020