Implement Blob Immutability in Azure Storage

This tutorial guides you through setting up and managing immutable blobs in Azure Storage, ensuring data protection against accidental or malicious deletion.

Introduction to Blob Immutability

Azure Blob Storage offers immutability policies that allow you to store business-critical data in a write-once, read-many (WORM) state. This feature is crucial for regulatory compliance and protecting data integrity by preventing data deletion or modification for a specified period.

There are two primary types of immutability policies:

  • Time-based retention: Blobs cannot be deleted or modified until the retention period expires.
  • Legal holds: Blobs are protected from deletion and modification until the legal hold is explicitly removed.

Prerequisites

  • An active Azure subscription.
  • An Azure Storage account. If you don't have one, you can create it via the Azure portal or Azure CLI.
  • Appropriate permissions to manage storage account settings.

Step 1: Enable Immutability Policies on a Storage Account

Immutability policies are configured at the container level within a storage account. You can enable them using the Azure portal, Azure CLI, or PowerShell.

Using Azure Portal:

  1. Navigate to your storage account in the Azure portal.
  2. In the left-hand menu, under Data protection, select Immutability policies.
  3. Click on the container you want to configure. If the container doesn't exist, you'll need to create it first.
  4. Select Add policy.
  5. Choose the policy type: Time-based retention or Legal hold.
  6. For Time-based retention, specify the retention period in days.
  7. For Legal hold, you can assign a tag.
  8. Click OK to save the policy.
[Figure: Azure Portal Immutability Policy Configuration]

Using Azure CLI:

To set a time-based retention policy:


az storage container immutability-policy create \
    --resource-group <resource-group> \
    --account-name <account-name> \
    --container-name <container-name> \
    --period 30
# Lock the policy once the period is final (the current ETag comes from `immutability-policy show`); a locked policy can only be extended
az storage container immutability-policy lock \
    --resource-group <resource-group> \
    --account-name <account-name> \
    --container-name <container-name> \
    --if-match "<current-policy-etag>"

To add a legal hold:


# Legal hold tags are plain alphanumeric identifiers, not key=value pairs
az storage container legal-hold set \
    --resource-group <resource-group> \
    --account-name <account-name> \
    --container-name <container-name> \
    --tags LegalTag1

Step 2: Uploading Blobs to an Immutable Container

Once a time-based retention policy is set on a container, any blobs uploaded to that container will be immutable for the specified duration. You can use standard blob upload methods.

Example using Azure CLI to upload a blob:


az storage blob upload \
    --account-name <account-name> \
    --container-name <container-name> \
    --name my-immutable-file.txt \
    --file path/to/your/local/file.txt

Blobs uploaded into a container with a time-based policy will automatically have a system-assigned expiration date based on the policy. You can view this using:


az storage blob show \
    --account-name <account-name> \
    --container-name <container-name> \
    --name my-immutable-file.txt \
    --query "{Name:name, Expiry:properties.immutabilityPolicy.expiryTime, ImmutabilityPolicy:properties.immutabilityPolicy}"

Step 3: Managing and Deleting Immutable Blobs

Time-based retention: Blobs protected by a time-based retention policy cannot be deleted or modified until the retention period has passed. Attempts to do so will result in an error.

Legal holds: Blobs with legal holds are protected indefinitely until the hold is explicitly removed. This is useful for eDiscovery or litigation holds.

To remove a legal hold:


# Clearing the tag that was set removes the hold; the container is then governed only by any retention policy
az storage container legal-hold clear \
    --resource-group <resource-group> \
    --account-name <account-name> \
    --container-name <container-name> \
    --tags LegalTag1

After the retention period of a time-based policy expires, blobs can be deleted like any other blob. Once a retention policy is locked, it can no longer be deleted or shortened; it can only be extended.
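As an added example that is not part of the original tutorial, the following Python audit classifies blob records shaped like the `az storage blob show` output above into protected, weak (unlocked retention only) and deletable, so an operator can see which blobs the deletion rules in this step actually cover. The sample records and the field names under "properties" (immutabilityPolicy.expiryTime, policyMode, hasLegalHold) are constructed assumptions, not values from a real account.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like the JSON `az storage blob show` returns. The field
# names under "properties" (immutabilityPolicy.expiryTime, policyMode, hasLegalHold)
# are assumptions about the CLI output, not values taken from a real account.
SAMPLE_BLOBS = json.loads("""[
  {"name": "ledger-2024Q1.csv", "properties": {"hasLegalHold": false,
    "immutabilityPolicy": {"expiryTime": "2031-01-01T00:00:00+00:00", "policyMode": "Locked"}}},
  {"name": "old-report.pdf", "properties": {"hasLegalHold": false,
    "immutabilityPolicy": {"expiryTime": "2020-01-01T00:00:00+00:00", "policyMode": "Locked"}}},
  {"name": "evidence.pst", "properties": {"hasLegalHold": true,
    "immutabilityPolicy": {"expiryTime": null, "policyMode": null}}},
  {"name": "draft.docx", "properties": {"hasLegalHold": false,
    "immutabilityPolicy": {"expiryTime": "2031-01-01T00:00:00+00:00", "policyMode": "Unlocked"}}}
]""")

# Point in time the audit is evaluated at (fixed so the result is reproducible).
AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)


def protection_status(blob, now):
    """Return (status, reasons) for one blob record.

    protected: a legal hold, or a locked retention period that has not expired
    weak:      only an unlocked retention period protects it (an operator with
               policy rights can still delete or shorten the policy)
    deletable: no hold and no unexpired retention period
    """
    props = blob.get("properties", {})
    policy = props.get("immutabilityPolicy") or {}
    reasons = []
    if props.get("hasLegalHold"):
        reasons.append("legal hold")
    expiry = policy.get("expiryTime")
    mode = policy.get("policyMode")
    if expiry and datetime.fromisoformat(expiry) > now:
        reasons.append(f"{mode} retention until {expiry}")
    if not reasons:
        return "deletable", reasons
    if "legal hold" not in reasons and mode != "Locked":
        return "weak", reasons
    return "protected", reasons


def audit(blobs, now=AS_OF):
    """Map blob name -> status for a list of blob records."""
    return {b["name"]: protection_status(b, now)[0] for b in blobs}
```

Feed it the parsed JSON of your own `az storage blob show` calls and review every "weak" entry: those blobs are covered only by a policy that has not yet been locked.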

Use Cases and Best Practices

  • Regulatory Compliance: Meet requirements like SEC 17a-4, FINRA, or HIPAA by ensuring data is retained for specific periods.
  • Data Archiving: Securely archive historical data without the risk of accidental deletion.
  • Protecting Against Ransomware: Prevent malicious actors from encrypting or deleting your critical backups.
  • Plan Your Retention Periods Carefully: Understand your compliance obligations and data lifecycle management needs before setting retention periods.
  • Use a Combination: Consider using both time-based retention and legal holds for different data sets based on their sensitivity and compliance requirements.