Terraform Blob Soft Delete Disabled
Description
Detects Azure Storage Accounts that either have blob soft delete disabled or configured with an insufficient retention period (less than 7 days). Without proper soft delete retention policies, accidentally deleted blobs cannot be recovered, which could lead to data loss.
Detection Strategy
• Identifies Azure Storage Account resources in Terraform configurations
• Reports a vulnerability if the 'blob_properties' block is missing entirely, indicating soft delete is not configured
• When blob_properties exists, checks if delete_retention_policy.days is set to less than 7 days
• Considers both complete absence of retention policy and retention periods under 7 days as security issues
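The check described in the strategy above, as an added example that is not Fluid Attacks' own scanner code: a small brace-aware Python scan over constructed Terraform input that flags a storage account when blob_properties is absent, when delete_retention_policy is absent, or when days is below 7.

```python
import re

# Constructed sample covering the cases the rule distinguishes: no blob_properties,
# a retention period under 7 days, and a compliant one (not from the original page).
SAMPLE_TF = """
resource "azurerm_storage_account" "no_policy" {
  name = "acct1"
}
resource "azurerm_storage_account" "short_policy" {
  blob_properties {
    delete_retention_policy { days = 3 }
  }
}
resource "azurerm_storage_account" "ok" {
  blob_properties {
    delete_retention_policy { days = 14 }
  }
}
"""
MIN_DAYS = 7  # threshold the rule enforces

def _block_body(text, start):
    """Text between the '{' at index start and its matching '}' (braces in strings not handled)."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def _nested(body, name):
    """Body of the first nested block called `name`, or None if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), body)
    return _block_body(body, m.end() - 1) if m else None

def find_soft_delete_issues(tf_text):
    """Return {resource_name: reason} for each storage account violating the rule."""
    issues = {}
    for m in re.finditer(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{', tf_text):
        name, body = m.group(1), _block_body(tf_text, m.end() - 1)
        props = _nested(body, "blob_properties")
        if props is None:
            issues[name] = "blob_properties block missing"
            continue
        policy = _nested(props, "delete_retention_policy")
        days = re.search(r"\bdays\s*=\s*(\d+)", policy) if policy else None
        if days is None:
            issues[name] = "delete_retention_policy missing"
        elif int(days.group(1)) < MIN_DAYS:
            issues[name] = f"retention {days.group(1)} days < {MIN_DAYS}"
    return issues
```

Running `find_soft_delete_issues(SAMPLE_TF)` reports `no_policy` and `short_policy` and leaves `ok` untouched.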
Vulnerable code example
resource "azurerm_storage_account" "vulnerable" {
  name                     = "mystorageaccount"
  resource_group_name      = "myresourcegroup"
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # Vulnerable: Missing blob_properties.delete_retention_policy configuration
}

✅ Secure code example
resource "azurerm_storage_account" "secure" {
  name                     = "mystorageaccount"
  resource_group_name      = "myresourcegroup"
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # Added blob_properties with retention policy to protect against accidental/malicious deletions
  blob_properties {
    delete_retention_policy {
      # At least 7 days, the minimum this rule accepts
      days = 7
    }
  }
}