Configure immutability policies for Azure Blob storage.
Azure Blob Storage offers Immutable Storage, which allows you to store critical data in a Write Once, Read Many (WORM) states. This means the data cannot be changed or deleted for a specified period. There are two types of immutability policies:
- Time-based retention policies: These policies allow you to store data for a specific time period. During this period, data can be created and read but not modified or deleted. After the retention period expires, data can be deleted but not overwritten.
- Legal hold policies: Legal holds keep data immutable until explicitly cleared. Similar to time-based policies, data under legal hold can be created and read but not altered or deleted.
These policies help safeguard your data from accidental or unauthorized changes in Azure Blob Storage.
The diagram above shows how time-based retention policies and legal holds prevent write and delete operations.
Immutable storage for Azure blobs provides a secure solution for various industries, including healthcare, financial institutions, and broker-dealers. It ensures data cannot be altered or deleted, making it valuable for:
- Regulatory Compliance: Immutable storage, such as Azure Blob Storage, aids organizations in complying with regulations like SEC 17a-4(f), CFTC 1.31(d), and FINRA by preserving data in an unmodifiable state.
- Secure Document Retention: It prevents data modification or deletion, even by users with administrative privileges, ensuring the security of critical documents.
- Legal Hold: Immutable storage keeps sensitive information intact for legal or business purposes until the hold is removed. It can also be applied in event-based or corporate policy scenarios to protect data as needed.
Immutability policy scope
Immutability policies in Azure Blob Storage can have different scopes: version-level and container-level. The behavior of these policies depends on their scope. You can configure both time-based retention policies and legal holds for resources (containers or blob versions).
- Version-level Scope: To apply an immutability policy at the version level of a blob, you must enable version-level immutability support on the storage account or an individual container. Enabling it at the account level allows you to set a default policy for all objects created within that account. Enabling it at the container level lets you set a default policy for all objects created within that container.
- Container-level Scope: When version-level immutability support is not enabled for a storage account or container, any immutability policies are scoped to the container. In this case, a container can have one immutability policy and one legal hold, which applies to all objects within the container.
Configure immutability policies for blob versions.
To set up version-level time-based retention policies, you need to enable blob versioning for your storage account. Below is the step to enable blob versioning with the Azure portal:
- Go to the Storage accounts page on the Azure portal.
- Navigate to Data management and select Data protection.
- In the Tracking section, opt to enable versioning for blobs, and then decide whether to retain all versions or delete them after a specific timeframe.
Enable version-level immutability support on a storage account.
To implement a time-based retention policy for a blob version, you need to first enable version-level immutability support. This support can be enabled on a new storage account or a new/existing container.
- Go to the Storage accounts page on the Azure portal.
- Click the Create button to initiate the creation of a new account.
- Complete the required information on the Basics tab.
- On the Data protection tab, within Access control, check the box that says “Enable version-level immutability support.” Enabling this option will also automatically check the box for “Enable versioning for blobs.”
- Click on “Review + Create” to confirm your account settings and create the storage account.
Configure a default time-based retention policy.
Once version-level immutability support is enabled for a storage account or container, you can establish a default time-based retention policy. This default policy applies to all new blob versions. Note that it doesn’t affect existing versions.
If you’ve migrated a container to support version-level immutability, the prior container-level policy becomes the default for the container.
To set up a default time-based retention policy for your Azure storage account in the portal, follow these steps:
- Go to the Storage accounts page on the Azure portal.
- In the “Data management” section, select “Data protection.”
- On the “Data protection” page, find the “Access control” section. If your storage account was created with version-level immutability support, you’ll see the “Manage policy” button in this section.
4. Click on it to open the “Manage version-level immutability policy” dialog.
5. Here, you can add a default time-based retention policy for the storage account.
To configure a default version-level immutability policy for a container in the Azure portal, do the following:
- Navigate to the “Containers” page in the Azure portal and select the specific container you want to apply the policy to.
- Click the “More” button next to the container’s name and choose “Access policy.”
- In the “Access policy” dialog, go to the “Immutable blob storage” section and select “Add policy.”
- Choose “Time-based retention policy” and specify the retention period.
- Decide whether to allow protected append writes. This option enables the addition of new data blocks to append blobs or block blobs, preventing potential errors in specific applications and tools that depend on this feature.
Reference: To access comprehensive information or deeper into the subject matter, you can visit Microsoft Learn by following the reference link provided below.
