last sync: 2025-Oct-31 18:22:59 UTC

[Preview]: Immutability must be enabled for Recovery Services vaults

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: [Preview]: Immutability must be enabled for Recovery Services vaults
Id: d6f6f560-14b7-49a4-9fc8-d2c3a9807868
Version: 1.0.1-preview
Versions supported (2): 1.0.1-preview, 1.0.0-preview
Category: Backup
Description: This policy audits whether the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.
Cloud environments: AzureCloud = true; AzureUSGovernment = unknown; AzureChinaCloud = unknown
Available in AzUSGov: Unknown, no evidence whether this Policy definition is or is not available in AzureUSGovernment
Mode: Indexed
Type: BuiltIn
Preview: True
Deprecated: False
Effect: default Audit; allowed Audit, Disabled
RBAC role(s): none
Rule aliases IF (1)
Alias: Microsoft.RecoveryServices/vaults/securitySettings.immutabilitySettings.state
Namespace: Microsoft.RecoveryServices
ResourceType: vaults
Path: properties.securitySettings.immutabilitySettings.state
PathIsDefault: True
DefaultPath: (empty)
Modifiable: True
Rule resource types IF (1)
Compliance
The following 3 compliance controls are associated with this Policy definition '[Preview]: Immutability must be enabled for Recovery Services vaults' (d6f6f560-14b7-49a4-9fc8-d2c3a9807868).

Control 1
Control Domain: Azure_Security_Benchmark_v3.0 (Microsoft cloud security benchmark)
Control Name: BR-2
MetadataId: Azure_Security_Benchmark_v3.0_BR-2
Category: Backup and Recovery
Title: BR-2 Protect backup and recovery data
Owner: Shared
Requirements Description:
**Security Principle:** Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit.
**Azure Guidance:** Use Azure RBAC and multi-factor authentication to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine-grained access, and create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vaults. For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer-managed key. In this case, ensure this customer-managed key in the Azure Key Vault is also in the backup scope. If you use customer-managed key options, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. Safeguard backup data from accidental or malicious deletion (such as ransomware attacks/attempts to encrypt or tamper with backup data). For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable cross-region restore to ensure backup data is restorable when there is a disaster in the primary region.
Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Azure Security Benchmark (and service baselines) to implement the above controls.
**Implementation and additional context:**
Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview
Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk
Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks
Azure Backup - set cross region restore: https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore
Info: n/a (link)
Policy#: 7

Control 2
Control Domain: op.cont.3
Control Name: Periodic tests
MetadataId: op.cont.3
Title: Periodic tests
Requirements Description: 404 not found
Info: n/a
Policy#: 91

Control 3
Control Domain: op.cont.4
Control Name: Alternative means
MetadataId: op.cont.4
Title: Alternative means
Requirements Description: 404 not found
Info: n/a
Policy#: 95
Initiatives usage
Initiative 1
Initiative DisplayName: [Preview]: Microsoft cloud security benchmark v2
Initiative Id: e3ec7e09-768c-4b64-882c-fcada3772047
Initiative Category: Security Center
State: Preview
Type: BuiltIn
polSet in AzUSGov: unknown

Initiative 2
Initiative DisplayName: Enforce enhanced recovery and backup policies
Initiative Id: Enforce-Backup
Initiative Category: Backup
State: GA
Type: ALZ
polSet in AzUSGov: (not stated)

Initiative 3
Initiative DisplayName: Spain ENS
Initiative Id: 175daf90-21e1-4fec-b745-7b4c909aa94c
Initiative Category: Regulatory Compliance
State: GA
Type: BuiltIn
polSet in AzUSGov: unknown
History
Date/Time (UTC ymd) | Change type | Change detail
2024-02-27 19:10:20 | change | Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
2023-07-24 17:56:14 | add | d6f6f560-14b7-49a4-9fc8-d2c3a9807868