A short backup retention period can limit an organization’s ability to recover data after a security incident.
Backups allow an organization to recover data after corruption, deletion, or a security incident. When the backup retention period is too short, no usable backup may be available at the time recovery is needed.
If data is corrupted or deleted and the issue goes undetected until after the retention period expires, the organization may be unable to restore the affected data. This can result in permanent data loss, extended service outages, and failure to meet regulatory or compliance obligations.
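The following Azure App Service configuration is vulnerable because the backup retention period is set too short (5 days), leaving insufficient time to detect and recover from a security incident or data loss event. It is shown first in Bicep and then as an ARM template; the compliant versions that follow retain backups for 30 days.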
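// Noncompliant sample: daily App Service backups that are retained for only 5 days.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: 'webApp'
}

// A child resource declared outside its parent must use the fully qualified
// type ('Microsoft.Web/sites/config'); the parent is linked through `parent`.
resource backup 'Microsoft.Web/sites/config@2022-03-01' = {
  name: 'backup'
  parent: webApp
  properties: {
    backupSchedule: {
      // frequencyInterval x frequencyUnit: one backup per day.
      frequencyInterval: 1
      frequencyUnit: 'Day'
      // Guarantees that one backup always exists, but does not widen the
      // recovery window: with daily backups, every retained copy may already
      // contain damage that is more than 5 days old.
      keepAtLeastOneBackup: true
      retentionPeriodInDays: 5 // Noncompliant: an incident detected after 5 days has no clean backup left
    }
  }
}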
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "webApp"
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2022-03-01",
"name": "webApp/backup",
"properties": {
"backupSchedule": {
"frequencyInterval": 1,
"frequencyUnit": "Day",
"keepAtLeastOneBackup": true,
"retentionPeriodInDays": 5
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', 'webApp')]"
]
}
]
}
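// Compliant sample: daily App Service backups that are retained for 30 days.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: 'webApp'
}

// A child resource declared outside its parent must use the fully qualified
// type ('Microsoft.Web/sites/config'); the parent is linked through `parent`.
resource backup 'Microsoft.Web/sites/config@2022-03-01' = {
  name: 'backup'
  parent: webApp
  properties: {
    backupSchedule: {
      // frequencyInterval x frequencyUnit: one backup per day.
      frequencyInterval: 1
      frequencyUnit: 'Day'
      keepAtLeastOneBackup: true
      // Compliant: 30 days of daily backups. Raise this further if the
      // organization's detection time or compliance obligations call for a
      // longer recovery window.
      retentionPeriodInDays: 30
    }
  }
}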
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "webApp"
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2022-03-01",
"name": "webApp/backup",
"properties": {
"backupSchedule": {
"frequencyInterval": 1,
"frequencyUnit": "Day",
"keepAtLeastOneBackup": true,
"retentionPeriodInDays": 30
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', 'webApp')]"
]
}
]
}
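The following Azure Cosmos DB account configuration is vulnerable because the periodic backup retention interval is set too short (120 hours, i.e. 5 days), leaving insufficient time to detect and recover from a security incident or data loss event. It is shown first in Bicep and then as an ARM template; the compliant versions that follow retain backups for 720 hours (30 days).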
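// Noncompliant sample: Cosmos DB periodic backups that are retained for only 120 hours.
// Trimmed sample: only the backup policy is shown.
resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  // Bicep requires a resource name; 'example' matches the equivalent ARM template.
  name: 'example'
  properties: {
    backupPolicy: {
      type: 'Periodic'
      periodicModeProperties: {
        // 1440 minutes = one backup every 24 hours.
        backupIntervalInMinutes: 1440
        // The unit is hours, not days: 120 h = 5 days.
        backupRetentionIntervalInHours: 120 // Noncompliant
      }
    }
  }
}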
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DocumentDB/databaseAccounts",
"apiVersion": "2023-04-15",
"properties": {
"backupPolicy": {
"type": "Periodic",
"periodicModeProperties": {
"backupIntervalInMinutes": 1440,
"backupRetentionIntervalInHours": 120
}
}
}
}
]
}
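// Compliant sample: Cosmos DB periodic backups that are retained for 720 hours.
// Trimmed sample: only the backup policy is shown.
resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  // Bicep requires a resource name; 'example' matches the equivalent ARM template.
  name: 'example'
  properties: {
    backupPolicy: {
      type: 'Periodic'
      periodicModeProperties: {
        // 1440 minutes = one backup every 24 hours.
        backupIntervalInMinutes: 1440
        // Compliant. The unit is hours, not days: 720 h = 30 days.
        backupRetentionIntervalInHours: 720
      }
    }
  }
}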
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DocumentDB/databaseAccounts",
"apiVersion": "2023-04-15",
"properties": {
"backupPolicy": {
"type": "Periodic",
"periodicModeProperties": {
"backupIntervalInMinutes": 1440,
"backupRetentionIntervalInHours": 720
}
}
}
}
]
}
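The following Recovery Services vault backup policy is vulnerable because the backup retention period is set too short (5 days), leaving insufficient time to detect and recover from a security incident or data loss event. It is shown first in Bicep and then as an ARM template; the compliant versions that follow retain backups for 30 days.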
// Noncompliant sample: Recovery Services vault whose backup policy keeps
// backups for only 5 days.
resource vault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  name: 'testVault'

  // Declared inside its parent, so the short child type name is sufficient.
  resource backupPolicy 'backupPolicies@2023-01-01' = {
    name: 'backupPolicy'
    properties: {
      backupManagementType: 'AzureSql'
      retentionPolicy: {
        retentionPolicyType: 'SimpleRetentionPolicy'
        // The retention window is count x durationType.
        retentionDuration: {
          durationType: 'Days'
          count: 5 // Noncompliant
        }
      }
    }
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"name": "testVault",
"resources": [
{
"type": "backupPolicies",
"apiVersion": "2023-01-01",
"name": "backupPolicy",
"properties": {
"backupManagementType": "AzureSql",
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 5,
"durationType": "Days"
}
}
}
}
]
}
]
}
// Compliant sample: Recovery Services vault whose backup policy keeps
// backups for 30 days.
resource vault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  name: 'testVault'

  // Declared inside its parent, so the short child type name is sufficient.
  resource backupPolicy 'backupPolicies@2023-01-01' = {
    name: 'backupPolicy'
    properties: {
      backupManagementType: 'AzureSql'
      retentionPolicy: {
        retentionPolicyType: 'SimpleRetentionPolicy'
        // The retention window is count x durationType: 30 days here.
        retentionDuration: {
          durationType: 'Days'
          count: 30
        }
      }
    }
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"name": "testVault",
"resources": [
{
"type": "backupPolicies",
"apiVersion": "2023-01-01",
"name": "backupPolicy",
"properties": {
"backupManagementType": "AzureSql",
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 30,
"durationType": "Days"
}
}
}
}
]
}
]
}