Check for Sufficient Daily Backup Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-019

Ensure that your Microsoft Azure virtual machines (VMs) have a sufficient daily backup retention period configured within the associated backup policy for security and compliance purposes. Before this rule is run by the Cloud Conformity engine, the required backup retention period must be defined in the rule settings, on the Cloud Conformity account dashboard. The rule settings accept a retention period of up to 30 days.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

Setting an adequate daily backup retention period for your Azure virtual machines keeps your backup strategy aligned with the best practices and compliance requirements adopted by your organization. Retaining VM backups for a longer period gives you more daily recovery points to choose from, so you can restore data more reliably in the event of a failure, including one that is only discovered some days after it occurred.


Audit

To determine if your Azure virtual machines have a sufficient daily backup retention period configured, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Check for Sufficient Daily Backup Retention Period conformity rule settings and note the daily backup retention period configured for the rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list the virtual machines (VMs) deployed in the selected subscription.

06 Click on the name of the virtual machine that you want to examine.

07 On the navigation panel, under Operations, select Backup to view the Azure Backup service configuration settings available for the selected virtual machine.

08 On the Backup page, under Summary, click on the name (link) of the backup policy defined for the selected resource.

09 On the Backup policy page, check the backup retention period defined for the Retention of daily backup point configuration attribute. If the daily backup retention period set for the verified virtual machine is less than the retention period identified at step no. 1, the selected Microsoft Azure virtual machine (VM) does not have a sufficient backup retention period currently configured.

10 Repeat steps no. 6 – 9 for each Azure virtual machine available in the selected subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Check for Sufficient Daily Backup Retention Period conformity rule settings and note the daily backup retention period configured for the rule.

02 Run backup vault list command (Windows/macOS/Linux) using custom query filters to list the name of each Azure Recovery Services vault available within the specified resource group (omit the --resource-group parameter to list the vaults across the entire subscription). A Recovery Services vault is a storage entity in Azure that holds backup data for various resources such as Azure virtual machines (Linux or Windows) and Azure SQL databases:

az backup vault list
    --resource-group cloud-shell-storage-westeurope
    --query '[*].name'

03 The command output should return the requested vault name(s):

[
  "cc-backup-vault-001"
]

04 Run backup item list command (Windows/macOS/Linux) using the name of the Azure Recovery Services vault that you want to examine as identifier parameter and custom query filters to list the name of the backup policy set for each virtual machine protected by the selected vault. A backup policy specifies the frequency and time at which the specified resources are backed up and how long the backup copies are retained:

az backup item list
    --resource-group cloud-shell-storage-westeurope
    --vault-name cc-backup-vault-001
    --output table
    --query '[*].properties.{"VirtualMachineName":friendlyName,"BackupPolicyName":policyName}'

05 The command output should return a table that contains the names of the virtual machines that use the Azure Backup service and the names of their associated backup policies:

VirtualMachineName    BackupPolicyName
--------------------  ------------------
cc-prod-main-server   DailyPolicy
cc-staging-server     DailyStagingPolicy
cc-web-dev-server     DailyDevEnvPolicy

06 Run backup policy show command (Windows/macOS/Linux) using the name of the backup policy that you want to examine as identifier parameter and custom query filters to get the daily backup retention period, in number of days, that the selected policy has configured for its associated Azure virtual machine:

az backup policy show
    --resource-group cloud-shell-storage-westeurope
    --vault-name cc-backup-vault-001
    --name DailyPolicy
    --query 'properties.retentionPolicy.dailySchedule.retentionDuration.count'

07 The command output should return the number of days configured as backup retention period within the selected backup policy:

7

If the value returned by the backup policy show command is less than the retention period identified at step no. 1, the Microsoft Azure virtual machine(s) associated with the selected backup policy do not have a sufficient daily backup retention period configured. Note that a policy without a daily schedule returns null for this query; such a policy keeps no daily recovery points and also fails the check.

08 Repeat steps no. 6 and 7 for each backup policy returned at step no. 5 (a policy shared by several virtual machines only needs to be checked once), then repeat steps no. 4 – 7 for each vault returned at step no. 3.

09 Repeat steps no. 2 – 8 for each subscription available in your Microsoft Azure cloud account.
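The CLI procedure above is easy to script once the command output is in hand. The following Python is an added example written for this page, not code from Conformity or from the Azure CLI: it evaluates the `az backup item list` and `az backup policy show` output against the retention period taken from the rule settings and reports each VM as compliant or not. The item list and policy documents embedded below are constructed sample data that reuse the names shown on this page; in practice you would load them from `az ... -o json` output. It also handles the case the page's --query would print as null, a policy with no daily schedule at all.

```python
import json

# Constructed sample of what
#   az backup item list --resource-group <rg> --vault-name <vault> -o json \
#     --query '[*].properties.{"VirtualMachineName":friendlyName,"BackupPolicyName":policyName}'
# returns. Names are the page's placeholders; the data is made up for this example.
SAMPLE_ITEMS = json.loads("""
[
  {"VirtualMachineName": "cc-prod-main-server", "BackupPolicyName": "DailyPolicy"},
  {"VirtualMachineName": "cc-staging-server",   "BackupPolicyName": "DailyStagingPolicy"},
  {"VirtualMachineName": "cc-web-dev-server",   "BackupPolicyName": "DailyDevEnvPolicy"}
]
""")

# Constructed sample of the "properties" object returned by
#   az backup policy show --resource-group <rg> --vault-name <vault> --name <policy> --query properties
# for each policy. DailyDevEnvPolicy deliberately has no dailySchedule (weekly points only).
SAMPLE_POLICIES = {
    "DailyPolicy": {"retentionPolicy": {"dailySchedule": {
        "retentionDuration": {"count": 7, "durationType": "Days"}}}},
    "DailyStagingPolicy": {"retentionPolicy": {"dailySchedule": {
        "retentionDuration": {"count": 30, "durationType": "Days"}}}},
    "DailyDevEnvPolicy": {"retentionPolicy": {"dailySchedule": None, "weeklySchedule": {
        "retentionDuration": {"count": 4, "durationType": "Weeks"}}}},
}


def daily_retention_days(policy_properties):
    """Return the daily retention in days, or None if the policy keeps no daily points."""
    if not policy_properties:
        return None
    daily = (policy_properties.get("retentionPolicy") or {}).get("dailySchedule")
    if not daily:
        return None
    duration = daily.get("retentionDuration") or {}
    # Daily schedules are expressed in Days; any other unit is unexpected and not trusted.
    if duration.get("durationType") != "Days":
        return None
    return int(duration["count"])


def audit(items, policies, required_days):
    """Evaluate every protected VM against the retention configured in the Conformity rule."""
    findings = []
    for item in items:
        policy_name = item["BackupPolicyName"]
        days = daily_retention_days(policies.get(policy_name))
        findings.append({
            "vm": item["VirtualMachineName"],
            "policy": policy_name,
            "daily_retention_days": days,
            # The rule passes only when retention is present and >= the required value.
            "compliant": days is not None and days >= required_days,
        })
    return findings


def noncompliant_vms(items, policies, required_days):
    """Names of the VMs that fail the check, in item-list order."""
    return [f["vm"] for f in audit(items, policies, required_days) if not f["compliant"]]


if __name__ == "__main__":
    import sys
    required = int(sys.argv[1]) if len(sys.argv) > 1 else 30  # value noted at step no. 1
    for f in audit(SAMPLE_ITEMS, SAMPLE_POLICIES, required):
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['vm']:<22} {f['policy']:<20} daily retention: {f['daily_retention_days']}")
```

Run it as `python check_retention.py 30` with the retention period from the rule settings; with the sample data, cc-prod-main-server (7 days) and cc-web-dev-server (no daily schedule) are reported as failing. To audit a real vault, replace the two samples with the parsed JSON of the corresponding az commands, one policy show per distinct policy name.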

Remediation / Resolution

To reconfigure your backup policies in order to set the correct daily backup retention period for your Microsoft Azure virtual machines (VMs), perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Check for Sufficient Daily Backup Retention Period conformity rule settings and copy the daily backup retention period configured for the rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list the virtual machines (VMs) deployed in the selected subscription.

06 Click on the name of the virtual machine that you want to reconfigure.

07 On the navigation panel, under Operations, select Backup to view the Azure Backup service configuration settings available for the selected virtual machine.

08 On the Backup page, under Summary, click on the name (link) of the Azure Recovery Services vault associated with the selected VM to access the backup vault.

09 In the navigation panel, under Manage, select Backup policies to access the backup policies created for the selected vault.

10 On the Backup policies page, click on the backup policy associated with the selected virtual machine (see Audit section part I to identify the right policy).

11 On the policy configuration page, in the Retention range section, check the value available in the For box. If it is lower than the value copied at step no. 1, replace it with that value to change the daily backup retention period configured for the virtual machine(s) associated with the selected backup policy. Click Save to apply the changes. Do not lower a policy that already retains daily backups for longer than the rule requires.

12 Repeat steps no. 6 – 11 for each Azure virtual machine (VM) that you need to reconfigure, available in the selected subscription.

13 Repeat steps no. 4 – 12 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Check for Sufficient Daily Backup Retention Period conformity rule settings and copy the daily backup retention period configured for the rule.

02 Run backup policy show command (Windows/macOS/Linux) using the name of the backup policy that you want to update as identifier parameter (see Audit section part II to identify the right policy), to list the configuration properties available for the selected policy:

az backup policy show
    --resource-group cloud-shell-storage-westeurope
    --vault-name cc-backup-vault-001
    --name DailyPolicy

03 The command output should return the backup policy properties. This information is required later when the selected policy is redefined:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-backup-vault-001/backupPolicies/DailyPolicy",
  "location": null,
  "name": "DailyPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 3,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 7,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-29T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-29T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

04 Redefine the backup policy returned at the previous step by replacing the daily backup retention period (number of days), available as value for the "properties.retentionPolicy.dailySchedule.retentionDuration.count" configuration attribute, with the value copied at step no. 1 (only if the current value is lower). Once the policy is updated, save its content to a JSON file named new-daily-backup-policy.json:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-backup-vault-001/backupPolicies/DailyPolicy",
  "location": null,
  "name": "DailyPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 3,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-29T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-29T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

05 Run backup policy set command (Windows/macOS/Linux) using the name of the backup policy document defined at the previous step as value for the --policy parameter (i.e. new-daily-backup-policy.json) to update the selected backup policy in order to set the required daily backup retention period for the associated Microsoft Azure virtual machine(s):

az backup policy set
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-backup-vault-001/backupPolicies/DailyPolicy"
    --policy new-daily-backup-policy.json

06 The command output should return the new backup policy configuration metadata:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-backup-vault-001/backupPolicies/DailyPolicy",
  "location": null,
  "name": "DailyPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 3,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-29T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-29T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

07 Repeat steps no. 2 – 6 for each Microsoft Azure backup policy that you need to update, available within the current subscription.

08 If required, repeat steps no. 2 – 7 for each subscription created in your Microsoft Azure cloud account.
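Editing the policy document by hand is error-prone when there are many policies, so the following Python, an added example for this page and not code from Conformity or the Azure CLI, produces the new-daily-backup-policy.json file from the `az backup policy show` output and prints the matching `az backup policy set` invocation. The embedded policy document is a constructed sample trimmed to the fields used on this page; the resource ID reuses the page's placeholder subscription. It only ever raises the daily retention, refuses to touch a policy that has no daily schedule, and leaves the input untouched.

```python
import copy
import json

# Constructed sample of the document returned by
#   az backup policy show --resource-group <rg> --vault-name <vault> --name DailyPolicy
# trimmed to the fields this script reads. Identifiers are the page's placeholders.
SAMPLE_SHOW_OUTPUT = """
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-backup-vault-001/backupPolicies/DailyPolicy",
  "name": "DailyPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRpRetentionRangeInDays": 5,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {"count": 7, "durationType": "Days"},
        "retentionTimes": ["2019-10-29T00:00:00+00:00"]
      },
      "retentionPolicyType": "LongTermRetentionPolicy"
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": ["2019-10-29T00:00:00+00:00"]
    },
    "timeZone": "UTC"
  }
}
"""


def load_show_output(text):
    """Parse the JSON printed by `az backup policy show`."""
    return json.loads(text)


def raise_daily_retention(policy, required_days):
    """Return a copy of `policy` whose daily retention is at least `required_days`.

    The input is left untouched. A policy that already keeps daily points for
    longer than required is returned unchanged, so this never shortens retention.
    """
    if required_days < 1:
        raise ValueError("retention must be at least one day")
    updated = copy.deepcopy(policy)
    daily = updated["properties"]["retentionPolicy"].get("dailySchedule")
    if not daily:
        # No daily schedule means no daily recovery points: this policy needs
        # a daily schedule added, not a retention count patched.
        raise ValueError(f"{policy['name']}: policy has no daily schedule to adjust")
    duration = daily["retentionDuration"]
    if duration.get("durationType") != "Days":
        raise ValueError(f"{policy['name']}: unexpected durationType {duration.get('durationType')!r}")
    if duration["count"] < required_days:
        duration["count"] = required_days
    return updated


def write_policy_file(policy, path="new-daily-backup-policy.json"):
    """Write the document that `az backup policy set --policy <path>` consumes."""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


def set_command(policy, path):
    """The CLI invocation from this page, built from the policy's own resource ID."""
    return f'az backup policy set --ids "{policy["id"]}" --policy {path}'


if __name__ == "__main__":
    import sys
    required = int(sys.argv[1]) if len(sys.argv) > 1 else 30  # value copied at step no. 1
    original = load_show_output(SAMPLE_SHOW_OUTPUT)
    updated = raise_daily_retention(original, required)
    path = write_policy_file(updated)
    print(set_command(updated, path))
```

Pipe the real `az backup policy show ... -o json` output into `load_show_output` instead of the sample, run the printed command, and re-run the audit from the previous section to confirm the new value. Re-running the script against an already compliant policy is a no-op, which is what you want in an automated remediation loop.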

Publication date Jun 24, 2020