Skip to content

feat(scanner): propose enterprise Azure Backup ransomware-resilience pack #196

Description

@TFT444

Problem

OpenShield has no Azure Backup security coverage. Enterprise ransomware resilience depends on backups remaining recoverable when privileged credentials or production subscriptions are compromised.

Proposed first-phase rules

Rule ID Check Severity
AZ-BAK-001 Vault soft delete is disabled or below the approved retention baseline CRITICAL
AZ-BAK-002 Vault immutability is disabled HIGH
AZ-BAK-003 Production vault immutability is not locked HIGH
AZ-BAK-004 Multiuser authorization/Resource Guard is not configured HIGH
AZ-BAK-005 Vault uses locally redundant storage without an approved exception MEDIUM
AZ-BAK-006 Backup security monitoring/diagnostic reporting is not enabled MEDIUM

The rules should cover Recovery Services vaults first and include Microsoft.DataProtection/backupVaults only where equivalent properties can be evaluated reliably. Maintainers should approve the AZ-BAK prefix, production-vault definition, and whether enabled-but-unlocked immutability deserves a separate rule.

Design requirements

  • Use official Recovery Services and Data Protection management APIs with pinned dependencies.
  • Preserve API failures as indeterminate states.
  • Do not enumerate or expose protected-item contents, customer data, encryption keys, or recovery points in findings.
  • Distinguish soft-delete enabled, enhanced/always-on, retention duration, immutability enabled, and immutability locked states.
  • Detect Resource Guard/MUA through immutable resource identifiers, not display names.
  • Treat LRS as policy-dependent and support documented exceptions rather than assuming every vault requires GRS.
  • Keep public-network/private-endpoint coverage in the separate Private Endpoint proposal to avoid duplicate findings.
  • Remediation must never lock immutability automatically; locking is irreversible and requires a separately reviewed manual procedure.

Acceptance criteria

  • Maintainers approve prefix, vault types, severities, and production tagging/selection approach.
  • Irreversible controls are detection/documentation only, never automatic remediation.
  • Soft-delete, immutability, MUA, redundancy, and monitoring states are tested independently.
  • Recovery Services and Backup vault API differences are documented.
  • Unknown permissions/API failures cannot appear compliant.
  • Minimum Azure permissions and operational prerequisites are documented.
  • Full repository CI and security checks pass.
  • No implementation begins before approval.

References

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
🔨 In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions