Azure-BlobService-Blob-Service-Immutable

Severity: Critical

Description: This control ensures that critical Azure Blob Storage data is protected from accidental deletion or modification. Immutable storage helps organizations, particularly broker-dealer organizations, to store data securely. Immutable storage can also be used in any scenario to protect critical data against modification or deletion. Immutable storage for Azure Blob Storage lets users store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. This prevents accidental or malicious modification or deletion of the data.

Remediation Steps:

Perform the following to apply an immutability policy to the container:

  1. Login to Azure Portal using https://portal.azure.com.

  2. Navigate to Storage accounts.

  3. Click the storage account to be remediated.

  4. On the left-hand sidebar, under Data storage select Containers blade.

  5. Navigate to the desired container.

  6. Select the More button on the right, then select Access policy.

  7. In the Immutable blob storage section, select Add policy.

  8. In the Policy type field, select Time-based retention, and specify the retention period in days.

  9. To create a policy with container scope, do not check the box for Enable version-level immutability.

  10. To lock the policy, right-click on the policy, select Lock policy, and confirm the lock. The policy is now locked and cannot be deleted; only extensions of the retention interval are allowed. Blob deletes and overwrites are not permitted.

  11. To enable legal holds, select Add Policy. Select Legal hold from the drop-down menu.
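As an added defender's check (not part of this control text), the following Python snippet evaluates container metadata against the control: a time-based retention policy must exist, be locked, and meet a minimum retention period. The input is constructed here in the property-name shape of the Azure management-plane container resource (`hasImmutabilityPolicy`, `immutabilityPolicy.state`, `immutabilityPeriodSinceCreationInDays`); those names are an assumption to verify against your tenant's output.

```python
import json

# Constructed sample of three containers, in the (assumed) shape returned by
# the Azure management-plane container resource. Not real tenant data.
SAMPLE_CONTAINERS = json.loads("""
[
  {"name": "audit-logs", "hasImmutabilityPolicy": true, "hasLegalHold": false,
   "immutabilityPolicy": {"immutabilityPeriodSinceCreationInDays": 365,
                          "state": "Locked"}},
  {"name": "staging", "hasImmutabilityPolicy": true, "hasLegalHold": false,
   "immutabilityPolicy": {"immutabilityPeriodSinceCreationInDays": 7,
                          "state": "Unlocked"}},
  {"name": "scratch", "hasImmutabilityPolicy": false, "hasLegalHold": false}
]
""")


def evaluate_container(container, min_days):
    """Return a list of findings for one container; an empty list means compliant.

    Checks mirror the remediation steps: a time-based retention policy must be
    present (step 8), long enough for the data's retention requirement, and
    locked (step 10) so it cannot be removed or shortened later.
    """
    findings = []
    policy = container.get("immutabilityPolicy")
    if not container.get("hasImmutabilityPolicy") or policy is None:
        findings.append("no time-based retention policy")
        return findings
    days = policy.get("immutabilityPeriodSinceCreationInDays", 0)
    if days < min_days:
        findings.append(f"retention {days}d is below the required {min_days}d")
    if policy.get("state") != "Locked":
        findings.append("policy is unlocked and can still be deleted or shortened")
    return findings


def audit(containers, min_days=30):
    """Map each container name to its findings for the given minimum period."""
    return {c["name"]: evaluate_container(c, min_days) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONTAINERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A legal hold (step 11) is tracked separately by `hasLegalHold` and does not replace a time-based policy, so the check above does not treat it as satisfying the control.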

Important:

  • This control is not applicable for Azure Government.

  • It is good practice to use a dynamic group to manage guest users.

Reference:


Blue Hexagon Proprietary