module/ConfigurationProvider/ControlConfigurations/Services/BackupVault.json

{
  "FeatureName": "BackupVault",
  "Reference": "aka.ms/azsktcp/BackupVault",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_BackupVault_DP_Enable_Soft_Delete",
      "Description": "Always-on soft delete must be enabled on Backup Vault",
      "Id": "BackupVault100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckVaultSoftDelete",
      "DisplayName": "Always-on soft delete must be enabled on Backup Vault",
      "Category": "Data persistence should be ensured",
      "ControlRequirements": "Data should be protected against inadvertent or malicious deletion",
      "Rationale": "Enabling soft delete feature on Backup Vault acts as a safety measure to recover inadvertently or maliciously deleted backup data.",
      "Recommendation": "To enable always on soft delete using Azure Portal, please refer: https://learn.microsoft.com/en-us/azure/backup/backup-azure-enhanced-soft-delete-configure-manage?tabs=backup-vault#enable-soft-delete-with-always-on-state or use the powershell command: Update-AzDataProtectionBackupVault -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -SoftDeleteState AlwaysOn. Please refer: https://learn.microsoft.com/en-us/powershell/module/az.dataprotection/update-azdataprotectionbackupvault?view=azps-10.0.0#syntax.",
      "Enabled": true,
      "ControlSettings": {
        "SoftDeleteState": "ALWAYSON"
      },
      "Tags": [
        "DP",
        "Baseline",
        "BackupVault"
      ],
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_BackupVault_DP_Enable_Immutability",
      "Description": "Immutability must be enabled and locked on Backup Vault",
      "Id": "BackupVault110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckVaultImmutability",
      "DisplayName": "Immutability must be enabled and locked on Backup Vault",
      "Category": "Data persistence should be ensured",
      "ControlRequirements": "Data should be protected against inadvertent or malicious deletion",
      "Rationale": "Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to make it irreversible to prevent any malicious actors from disabling immutability and deleting backups.",
      "Recommendation": "To enable and lock immutability using Azure Portal, please refer: https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=backup-vault#enable-immutable-vault or use the powershell command: Update-AzDataProtectionBackupVault -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -ImmutabilityState Locked. Please refer: https://learn.microsoft.com/en-us/powershell/module/az.dataprotection/update-azdataprotectionbackupvault?view=azps-10.0.0#syntax.",
      "Enabled": true,
      "ControlSettings": {
        "ImmutabilityState": "Locked"
      },
      "Tags": [
        "DP",
        "Baseline",
        "BackupVault"
      ],
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "TBv14",
        "SN:BackupVault_EnableImmutability"
      ]
    },
    {
      "ControlID": "Azure_BackupVault_AuthZ_Enable_MultiUserAuthorization",
      "Description": "Multi User Authorization must be enabled on backup vault",
      "Id": "BackupVault120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckVaultMultiUserAuthorization",
      "DisplayName": "Multi User Authorization must be enabled on backup vault",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Multi-user authorization using resource guard gives an additional layer of security for backup vaults.",
      "Recommendation": "To enable Multi-user Authorization using Azure Portal, please refer: https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault.",
      "Enabled": true,
      "ControlSettings": {
        "isVaultProtectedByResourceGuard": true
      },
      "Tags": [
        "Automated",
        "AuthZ",
        "Baseline",
        "BackupVault"
      ],
      "CustomTags": [
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_BackupVault_Audit_Enable_Monitoring",
      "Description": "Monitoring must be enabled on backup vault",
      "Id": "BackupVault130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckVaultMonitoring",
      "DisplayName": "Monitoring must be enabled on backup vault",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Monitoring for Backup Vaults should be enabled in order to be notified whenever a backup job fails.",
      "Recommendation": "To enable backup vault monitoring, please refer: https://learn.microsoft.com/en-us/azure/backup/backup-azure-monitoring-built-in-monitor?tabs=recovery-services-vaults.",
      "Enabled": true,
      "ControlSettings": {
        "monitoringSettings": {
          "azureMonitorAlertSettings": {
            "alertsForAllJobFailures": "Enabled"
          }
        }
      },
      "Tags": [
        "Automated",
        "Audit",
        "Baseline",
        "BackupVault"
      ],
      "CustomTags": [
        "Weekly"
      ]
    }
 
  ]
}