Azure Blob Storage Immutability Policies
Azure Blob Storage immutability policies allow you to store business-critical data in a write-once, read-many (WORM) state. The service rejects any overwrite or delete of protected data for a specified retention period, regardless of who issues the request: the policy is enforced even for callers holding the storage account keys or the Owner role on the account. That is what makes it a defence against malicious deletion as well as against accidents.
Key Concepts
- Immutable Storage: Data written to a blob in an immutable container cannot be modified or deleted until the immutability period expires.
- Retention Policy: Defines the duration (in days) for which the data remains immutable.
- Legal Hold: A distinct setting, identified by one or more tags, that can be applied to a container or to an individual blob version. It keeps data immutable until every tag is explicitly cleared, even if the time-based retention period has already expired.
- Time-based Retention: The immutability period is based on the creation time of the blob.
- One Time-based Policy per Container: A container can carry at most one time-based retention policy, but a legal hold can coexist with it. A blob stays immutable until both its retention period has passed and all legal holds on it have been cleared.
Types of Immutability
Time-based Retention Policies
With time-based retention, you can configure a container to be immutable for a specific duration. A policy starts in the Unlocked state, where it can still be edited or deleted; once you lock it, the retention period cannot be shortened and the policy cannot be removed. It can only be extended, and only a limited number of times (at most five).
- Every blob in the container, including blobs that existed before the policy was applied, cannot be deleted or overwritten until its own effective retention period has passed.
- The period is counted from the blob's creation time, not from when the policy was applied: a blob written 10 days before a 30-day policy takes effect becomes deletable 20 days later.
Legal Holds
Legal holds are primarily used for compliance and litigation purposes. They preserve data indefinitely until the hold is explicitly cleared, independently of any retention period.
- A legal hold can be applied to a specific blob version or an entire container. Each hold is identified by a tag, so several holds (for example, one per case) can exist on the same container and are released one tag at a time.
- A legal hold does not replace a time-based retention policy; it adds to it. A blob is immutable while either is in force, so data under a hold stays protected even after its retention period expires.
Creating and Managing Immutability Policies
Using Azure Portal
You can configure immutability policies through the Azure portal when managing a blob container. Navigate to your storage account, then to Containers, select your container, and open its Access policy blade. The "Immutable blob storage" section there lets you add a time-based retention policy (and later lock it) or add a legal hold tag.
Using Azure CLI
The Azure CLI provides commands to manage immutability policies. Container-level policies are management-plane operations, so the commands take the resource group as well as the account name. Here's an example of how to set a time-based retention policy on a container:
Setting a time-based retention policy
Azure CLI
az storage container immutability-policy create \
--resource-group myresourcegroup \
--account-name mystorageaccount \
--container-name mycontainer \
--period 30
The policy is created in the Unlocked state and is not yet tamper-proof. Locking is a separate, irreversible step that takes the policy's current ETag as a concurrency check:
az storage container immutability-policy lock \
--resource-group myresourcegroup \
--account-name mystorageaccount \
--container-name mycontainer \
--if-match "$(az storage container immutability-policy show --resource-group myresourcegroup --account-name mystorageaccount --container-name mycontainer --query etag -o tsv)"
To apply a legal hold (a tag is an identifier for the hold, not a key=value pair; each tag must be 3 to 23 alphanumeric characters, and several tags can be given separated by spaces):
Applying a legal hold
Azure CLI
az storage container legal-hold set \
--resource-group myresourcegroup \
--account-name mystorageaccount \
--container-name mycontainer \
--tags litigation4721
The hold is released by clearing the same tag with az storage container legal-hold clear; the container remains immutable until every tag has been cleared.
Using Azure SDKs
Azure SDKs for various programming languages (e.g., Python, .NET, Java) also support the management of immutability policies. Container-level retention policies and legal holds are exposed by the management (resource-provider) SDKs, such as azure-mgmt-storage for Python; version-level immutability on individual blobs is a data-plane operation exposed by the blob SDKs, such as azure-storage-blob.
Important Note: A time-based retention policy is created Unlocked, which is convenient for testing but gives no real protection, because anyone who can manage the storage account can delete the policy and then the data. Once the policy is locked it cannot be deleted or modified; the retention period can only be extended. Legal holds, by contrast, can be added and cleared at any time by a principal with the right permissions, so they are not a substitute for a locked policy.
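The interplay between retention policies, legal holds and the Locked/Unlocked state is easy to get wrong when reviewing a storage account. The following is an added example, not code from the page or from Microsoft: it evaluates whether a blob in a container is currently immutable, and why, from the JSON that az storage container show returns. The two container documents are constructed samples; the property names they use (immutabilityPolicy.state, immutabilityPolicy.immutabilityPeriodSinceCreationInDays, legalHold.hasLegalHold, legalHold.tags[].tag) follow the ARM BlobContainer resource as the author of this example recalls it, and should be checked against your own CLI output before you rely on the script. The required_days threshold is a hypothetical organisational minimum.

```python
# Added example (not from the page or from Microsoft). Decides whether a blob in a
# container is immutable right now, from the container JSON returned by
#   az storage container show --name <container> --account-name <account>
# ASSUMPTION: property names follow the ARM BlobContainer resource
# (immutabilityPolicy.state, immutabilityPolicy.immutabilityPeriodSinceCreationInDays,
# legalHold.hasLegalHold, legalHold.tags[].tag); verify against real output.
# Both container documents below are constructed samples.
import json
from datetime import datetime, timedelta

UNLOCKED_CONTAINER = json.loads("""
{
  "name": "mycontainer",
  "hasImmutabilityPolicy": true,
  "hasLegalHold": false,
  "immutabilityPolicy": {
    "immutabilityPeriodSinceCreationInDays": 30,
    "state": "Unlocked",
    "allowProtectedAppendWrites": false
  },
  "legalHold": {"hasLegalHold": false, "tags": []}
}
""")

LOCKED_WITH_HOLD = json.loads("""
{
  "name": "audit-logs",
  "hasImmutabilityPolicy": true,
  "hasLegalHold": true,
  "immutabilityPolicy": {
    "immutabilityPeriodSinceCreationInDays": 30,
    "state": "Locked",
    "allowProtectedAppendWrites": true
  },
  "legalHold": {
    "hasLegalHold": true,
    "tags": [{"tag": "litigation4721", "timestamp": "2024-01-15T10:00:00+00:00"}]
  }
}
""")


def protection_status(container, blob_created_iso, now_iso, required_days=0):
    """Return whether a blob created at blob_created_iso is immutable at now_iso,
    plus the findings a reviewer would want. Timestamps are ISO 8601 with offset."""
    created = datetime.fromisoformat(blob_created_iso)
    now = datetime.fromisoformat(now_iso)
    policy = container.get("immutabilityPolicy") or {}
    hold = container.get("legalHold") or {}
    days = policy.get("immutabilityPeriodSinceCreationInDays")
    state = policy.get("state")
    tags = [t["tag"] for t in (hold.get("tags") or [])]
    has_hold = bool(hold.get("hasLegalHold")) or bool(tags)

    # Time-based retention counts from the blob's creation time, not from the
    # moment the policy was applied, so older blobs expire sooner.
    expires = created + timedelta(days=days) if days else None
    retention_active = expires is not None and now < expires

    findings = []
    if days is None and not has_hold:
        findings.append("no retention policy and no legal hold: blobs are deletable")
    if state == "Unlocked":
        findings.append("retention policy is Unlocked: a principal with management-plane "
                        "rights on the account can delete the policy, then the data; lock it")
    if days is not None and days < required_days:
        findings.append(f"retention period {days}d is below the required {required_days}d")
    if has_hold and not retention_active:
        findings.append(f"immutable only because of legal hold tags {tags}; "
                        "clearing them releases the data")
    if expires is not None and not retention_active and not has_hold:
        findings.append(f"retention expired on {expires.date()}: blob can now be deleted")

    # A blob is immutable while EITHER the retention period OR a legal hold applies.
    return {
        "immutable": retention_active or has_hold,
        "locked": state == "Locked",
        "retention_expires": expires.isoformat() if expires else None,
        "legal_hold_tags": tags,
        "findings": findings,
    }


if __name__ == "__main__":
    created, now = "2024-01-20T00:00:00+00:00", "2024-03-01T00:00:00+00:00"
    for c in (UNLOCKED_CONTAINER, LOCKED_WITH_HOLD):
        print(c["name"], json.dumps(protection_status(c, created, now, 90), indent=2))
```

Run against real output by piping the JSON from az storage container show into the script in place of the constructed samples. The point the script makes is the one an auditor needs: an Unlocked policy, a short period, or protection that rests on a legal hold alone are all findings, even though the container reports "hasImmutabilityPolicy": true.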
Use Cases
- Regulatory Compliance: Meeting industry regulations (e.g., SEC 17a-4, FINRA) that require data to be retained for specific periods without alteration.
- Data Archiving: Ensuring that historical data remains accessible and unaltered for future reference.
- Protection Against Ransomware: Ransomware encrypts data by overwriting it or deletes backups before dropping its ransom note. A locked immutability policy makes the storage service reject those overwrite and delete calls even from a compromised identity that holds the account keys, so the original blobs survive. It does not stop an attacker from reading or exfiltrating the data, and an Unlocked policy offers no protection, since the attacker can delete the policy first.
- Auditing and Forensics: Preserving data integrity for audit trails and forensic investigations.
Considerations
- A container-level policy applies to every blob in the container, existing and future; version-level immutability (when enabled) lets you set policies and legal holds on individual blob versions instead.
- Ensure you set the retention period appropriately, as it cannot be shortened once locked. Test with an Unlocked policy first, then lock it; only a locked policy is tamper-proof.
- Understand the difference and interplay between retention policies and legal holds: a blob is released only when its retention period has passed and every legal hold tag has been cleared.
- Immutable blobs cannot be overwritten or deleted. With a container-level policy a write to an existing blob name is rejected outright; with blob versioning and version-level immutability, a write creates a new version while the protected version stays intact. Append blobs are the one exception: if the policy enables protected append writes, new blocks can still be appended (useful for audit logs), but existing data cannot be changed.
- A container that has a locked policy cannot be deleted while it still holds protected blobs, and the storage account cannot be deleted while such a container exists. Plan the account lifecycle before locking.