|   Trend Micro Cloud One™
Open menu

Check for Sufficient Instant Restore Retention Period

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Last updated: 05 August 2020
Risk level: Medium (should be achieved)
Rule ID: VirtualMachines-020

Ensure that your Microsoft Azure virtual machines (VMs) have a sufficient snapshot instant restore retention period configured for data security and internal compliance. Instant recovery snapshots are stored together with the VM disk volumes to speed up the recovery point creation and the restore operations. Prior to running this rule by the Cloud Conformity engine, the instant restore retention period must be configured within the rule settings, on the Cloud Conformity account dashboard. Azure VM instant restore retention period can range from a minimum of 1 day to a maximum of 5 days.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Reliability

The Azure Backup Instant Restore feature is useful to retain VM snapshots along with their disk volumes for faster recovery. Having the right instant restore retention period set for your Azure virtual machines will enable your VM recovery strategy to follow best practices and enforce the compliance regulations available in your organization. Retaining VM instant recovery snapshots for a longer period of time will allow you to handle more efficiently the restoration process in the event of a failure.

Audit

To determine if your Azure VMs have a sufficient retention period configured for instant recovery snapshots, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period rule settings and note the retention period configured for the conformity rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list the virtual machines launched in the selected subscription.

06 Click on the name of the Azure virtual machine (VM) that you want to examine.

07 On the navigation panel, under Operations, select Backup to view the Azure Backup service configuration settings available for the selected virtual machine.

08 On the Backup page, under Summary, click on the name of the backup policy defined for the selected resource.

09 On the Backup policy panel, check the retention period set for the Instant Restore configuration attribute. If the retention period configured for the instant recovery snapshots taken by the selected virtual machine is not greater than or equal to the retention period identified at step no. 1, the selected Microsoft Azure virtual machine does not have a sufficient instant restore retention period configured.

10 Repeat steps no. 6 – 9 for each Azure virtual machine deployed in the selected subscription.

11 Repeat steps no. 4 – 10 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period rule settings and note the retention period configured for the conformity rule.

02 Run backup vault list command (Windows/macOS/Linux) using custom query filters to list the name of each Azure Recovery Services vault available in the current subscription. A Recovery Services vault is a storage entity that retains backup data for various Azure resources such as virtual machines and SQL databases:

az backup vault list
    --resource-group cloud-shell-storage-westeurope
    --query '[*].name'

03 The command output should return the requested vault name(s):

[
  "cc-main-backup-vault"
]

04 Run backup item list command (Windows/macOS/Linux) using the name of the Azure Recovery Services vault that you want to examine as identifier parameter and custom query filters to describe the name of the backup policy set for each virtual machine launched in the current subscription. A backup policy specifies frequency and time at which specified Azure resources will be backed up and how long the backups/snapshots are retained:

az backup item list
    --resource-group cloud-shell-storage-westeurope
    --vault-name cc-main-backup-vault
    --output table
    --query '[*].properties.{"VirtualMachineName":friendlyName,"BackupPolicyName":policyName}'

05 The command output should return a table with the names of the virtual machines that use the Azure Backup service and the names of their associated backup policies:

VirtualMachineName    BackupPolicyName
------------------    ------------------
cc-project5-server    ProductionPolicy
cc-database-server    DatabasePolicy

06 Run backup policy show command (Windows/macOS/Linux) using the name of the backup policy that you want to examine as identifier parameter and custom query filters to obtain the retention period configured for instant recovery snapshots, that the selected policy has configured for its associated Azure virtual machine:

az backup policy show
    --resource-group cloud-shell-storage-westeurope
    --vault-name cc-main-backup-vault
    --name ProductionPolicy
    --query 'properties.instantRpRetentionRangeInDays'

07 The command output should return the number of days configured for instant restore retention period, within the selected backup policy:

2

If the retention period value returned by the backup policy show command output is not greater than or equal to the retention period identified at step no. 1, the Microsoft Azure virtual machine (VM) associated with the selected backup policy does not have a sufficient retention period configured for its instant recovery snapshots.

08 Repeat step no. 6 and 7 for each Microsoft Azure virtual machine with a backup policy configured, deployed in the current subscription.

09 Repeat steps no. 2 – 8 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To reconfigure the instant restore retention period for your Microsoft Azure virtual machine snapshots, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period conformity rule settings and copy the retention period configured for the specified rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list only the virtual machines launched in the selected subscription.

06 Click on the name of the Azure virtual machine that you want to reconfigure.

07 On the navigation panel, under Operations, select Backup to access the Azure Backup service configuration settings available for the selected virtual machine.

08 On the Backup page, under Summary, click on the name of the Azure Recovery Services vault associated with the selected VM to access the necessary backup vault.

09 In the navigation panel, under Manage, select Backup policies to access the vault's backup policies.

10 On the Backup policies page, click on the backup policy associated with the selected virtual machine (see Audit section part I to identify the right policy).

11 On the policy configuration page, within Instant Restore section, replace the value available in the Retain instant recovery snapshot(s) for box with the value copied at step no. 1, to change the instant restore retention period configured for the Azure virtual machine associated with the selected backup policy. Click Save to apply the configuration changes.

12 Repeat steps no. 6 – 11 for each Azure virtual machine (VM) that you need to reconfigure, available in the selected subscription.

13 Repeat steps no. 4 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure Console

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period conformity rule settings and copy the retention period configured for the specified rule.

02 Run backup policy show command (Windows/macOS/Linux) using the name of the backup policy that you want to update as identifier parameter (see Audit section part II to identify the right backup policy), to list the configuration properties available for the selected policy:

az backup policy show
    --resource-group cloud-shell-storage-westeurope
    --vault-name cc-main-backup-vault
    --name ProductionPolicy

03 The command output should return the requested configuration properties. This information is required later when the selected policy is updated with the correct retention period:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc—main-backup-vault/backupPolicies/ProductionPolicy",
  "location": null,
  "name": "ProductionPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 2,
    "protectedItemsCount": 1,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-31T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-31T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

04 Update the backup policy returned at the previous step by replacing the instant restore retention period for virtual machine snapshots, available as value for the "properties.instantRpRetentionRangeInDays" configuration attribute (highlighted), with the value copied at step no. 1. Once the selected policy is updated, save the JSON document to a file named instant-recovery-backup-policy.json:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc—main-backup-vault/backupPolicies/ProductionPolicy",
  "location": null,
  "name": "ProductionPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 1,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-31T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-31T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

05 Run backup policy set command (Windows/macOS/Linux) using the name of backup policy document defined at the previous step as value for the --policy parameter (i.e. instant-recovery-backup-policy.json) to update the selected backup policy in order to set the optimal instant restore retention period for the associated Azure virtual machine (VM):

az backup policy set
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc—main-backup-vault/backupPolicies/ProductionPolicy"
    --policy instant-recovery-backup-policy.json

06 The command output should return the configuration metadata for the modified policy:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc—main-backup-vault/backupPolicies/ProductionPolicy",
  "location": null,
  "name": "ProductionPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 1,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-31T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-31T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

07 Repeat steps no. 2 – 6 for each Azure virtual machine (VM) that you need to update, available in the current subscription.

08 If required, repeat steps no. 2 – 7 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jun 24, 2020

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Check for Sufficient Instant Restore Retention Period

Risk level: Medium