Problem
OpenShield has no Azure Backup security coverage. Enterprise ransomware resilience depends on backups remaining recoverable when privileged credentials or production subscriptions are compromised.
Proposed first-phase rules
| Rule ID |
Check |
Severity |
AZ-BAK-001 |
Vault soft delete is disabled or below the approved retention baseline |
CRITICAL |
AZ-BAK-002 |
Vault immutability is disabled |
HIGH |
AZ-BAK-003 |
Production vault immutability is not locked |
HIGH |
AZ-BAK-004 |
Multiuser authorization/Resource Guard is not configured |
HIGH |
AZ-BAK-005 |
Vault uses locally redundant storage without an approved exception |
MEDIUM |
AZ-BAK-006 |
Backup security monitoring/diagnostic reporting is not enabled |
MEDIUM |
The rules should cover Recovery Services vaults first and include Microsoft.DataProtection/backupVaults only where equivalent properties can be evaluated reliably. Maintainers should approve the AZ-BAK prefix, production-vault definition, and whether enabled-but-unlocked immutability deserves a separate rule.
Design requirements
- Use official Recovery Services and Data Protection management APIs with pinned dependencies.
- Preserve API failures as indeterminate states.
- Do not enumerate or expose protected-item contents, customer data, encryption keys, or recovery points in findings.
- Distinguish soft-delete enabled, enhanced/always-on, retention duration, immutability enabled, and immutability locked states.
- Detect Resource Guard/MUA through immutable resource identifiers, not display names.
- Treat LRS as policy-dependent and support documented exceptions rather than assuming every vault requires GRS.
- Keep public-network/private-endpoint coverage in the separate Private Endpoint proposal to avoid duplicate findings.
- Remediation must never lock immutability automatically; locking is irreversible and requires a separately reviewed manual procedure.
Acceptance criteria
References
Problem
OpenShield has no Azure Backup security coverage. Enterprise ransomware resilience depends on backups remaining recoverable when privileged credentials or production subscriptions are compromised.
Proposed first-phase rules
AZ-BAK-001AZ-BAK-002AZ-BAK-003AZ-BAK-004AZ-BAK-005AZ-BAK-006The rules should cover Recovery Services vaults first and include
Microsoft.DataProtection/backupVaultsonly where equivalent properties can be evaluated reliably. Maintainers should approve theAZ-BAKprefix, production-vault definition, and whether enabled-but-unlocked immutability deserves a separate rule.Design requirements
Acceptance criteria
References