1

I want to regularly back up a number of Windows servers (all Azure VM's) to an Azure Backup vault. My worry is that if my Azure account is compromised, an attacker could potentially delete the VM's, the storage accounts and the backup vault.

  1. Does Azure Backup provide any protection against this scenario?
  2. If not, what solution do you recommend? An obvious extra safety measure would be to have a separate Azure account for the backup.
Martin Törnwall
  • 137
  • 1
  • 5
  • 1
    https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication/ and yes, a separate account with severely locked down permissions sounds appropriate. – ceejayoz Jan 21 '16 at 17:31
  • @ceejayoz Thanks for your comment. Does this mean that Azure doesn't provide any built-in protection measure in this case? (Not counting 2FA, of course!) – Martin Törnwall Jan 21 '16 at 17:47
  • What would you count as protection? They have passwords, 2FA, role-based access controls and subusers, ability to rotate your access keys, etc. I'm not sure what sort of built-in protection you're proposing that'd still permit legitimate usage of things like deletion. – ceejayoz Jan 21 '16 at 17:52
  • @ceejayoz One of the things I had in mind was a mechanism to ensure that even if the backup vault is deleted, its data remains available for some amount of time afterwards. – Martin Törnwall Jan 22 '16 at 09:12
  • 1
    @MartinTörnwall I think they are called backups ;) – Michael B Jan 22 '16 at 12:47

1 Answers1

2

You can use Resource Locks to protect resources from accidental / malicious deletion.

For instance, to apply a lock to a vault, you would use the following 

New-AzureRmResourceLock -LockName "VaultLock" -LockLevel CanNotDelete `
                        -ResourceGroupName MyvaultRG `
                        -ResourceName MyVault `
                        -ResourceType Microsoft.KeyVault/vaults

if you then attempt to delete you will get the following error

Remove-AzureRmKeyVault : ScopeLocked: The scope '{scope}' cannot perform delete operation because following scope(s) are locked: {scope}

You need to issue a command to remove the lock in order to delete the resource. 

Remove-AzureRmResourceLock -LockName "VaultLock"

This used in conjunction with RBAC policies can keep your resources secure.

Michael B
  • 748
  • 3
  • 10