Immutability policies are supported for new and existing storage accounts. The following table shows the supported storage account types for each policy type:

02 The output of the command should return the requested storage account IDs (names):

A legal hold at the container level must be associated with one or more custom alphanumeric tags that serve as identifier strings. For example, a tag might contain a case ID or an event name.

Azure Storage blob inventory provides an overview of the containers in your storage accounts and the blobs, snapshots, and blob versions they contain. You can use the blob inventory report to understand the attributes of blobs and containers, including whether an immutability policy is configured for a resource.

If you enable blob soft delete and then configure an immutability policy, any blobs that have already been soft-deleted are permanently deleted once the soft delete retention period expires. Soft-deleted blobs can be restored during the soft delete retention period. A blob or version that has not yet been soft-deleted is protected by the immutability policy and cannot be soft-deleted until the time-based retention policy has expired or the legal hold has been removed.

If the container has an existing container-level legal hold, it cannot be migrated until the legal hold is removed.

Under Immutable blob storage, find the Scope field. If the container is configured with a default version-level retention policy, the scope is set to Version, as shown in the following figure.

Version-level immutability support at the storage account level can be enabled only when you create a new storage account.

Microsoft engaged Cohasset Associates, a leading independent assessment firm specializing in records management and information governance, to evaluate immutable storage for blobs and its ability to meet the specific requirements of the financial services industry.
Cohasset confirmed that immutable storage, when used to retain blobs in a WORM state, meets the relevant storage requirements of CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4(f). Microsoft targeted this set of rules because it represents the most prescriptive guidance globally for records retention by financial institutions.

Support for legal holds: if the retention period is not known, users can set a legal hold to retain data immutably until the legal hold is cleared.

If you fail to pay your bill and your account has an active time-based retention policy in effect, normal data retention policies apply as stipulated in the terms of your contract with Microsoft. For general information, see Data management at Microsoft.

03 On the Storage accounts page, in the Subscription filter box, select the subscription that you want to examine.

When you define an immutable blob storage policy in the Azure portal, you can choose between a legal hold and time-based retention.

According to the documentation, ARM templates support immutable blob storage. However, only definitions with immutabilityPeriodSinceCreationInDays are accepted.
If I try to define it without defining it, I get:

There is no additional capacity charge for using immutable storage. Immutable data is priced in the same way as mutable data. For more information about Azure Blob storage pricing, see the Azure Storage pricing page.

1 Microsoft recommends that you upgrade general-purpose v1 accounts to general-purpose v2 accounts so that you can take advantage of more features. To upgrade an existing general-purpose v1 storage account, see Upgrade a storage account.

01 Run the storage account list command (Windows/macOS/Linux) with custom query filters to list the identifier of each storage account available in the current Azure subscription:

How do I set a legal hold on an Azure storage account container in an ARM template?

If version-level immutability policy support has not been enabled for a storage account or container, all immutability policies are scoped to the container. A container supports one immutability policy and one legal hold. Policies apply to all objects in the container.

According to my research, the Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies resource type can only be used to create time-based retention policies. Meanwhile, when creating time-based retention policies, the immutabilityPeriodSinceCreationInDays parameter is required. More information can be found here and here.
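The answer above names the resource type and the one mandatory property; the following is an added example (not code from the question, the answer, or Microsoft's documentation) that builds that ARM resource for a container-level time-based retention policy and checks the constraints the answer describes before a deployment would reject them. The apiVersion, the allowProtectedAppendWrites property, the 1 to 146,000 day range and the dependsOn expression are assumptions drawn from the Microsoft.Storage template reference; the account and container names are placeholders.

```python
"""Build and sanity-check an ARM resource for a container-level time-based
immutability policy. Added example; apiVersion, allowProtectedAppendWrites and
the day range are assumptions, the names are placeholders."""
from typing import Dict, List

POLICY_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies"
CONTAINER_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers"
MIN_DAYS, MAX_DAYS = 1, 146000  # assumption: documented bounds for the retention period


def immutability_policy_resource(account: str, container: str, retention_days: int,
                                 allow_append: bool = False) -> Dict:
    """Return the ARM resource for a time-based retention policy on one container.

    The policy is a child of the container and is always named 'default'; it must
    be deployed after the container exists, hence the dependsOn entry.
    """
    return {
        "type": POLICY_TYPE,
        "apiVersion": "2022-09-01",  # assumption: any API version defining this type
        "name": f"{account}/default/{container}/default",
        "dependsOn": [
            f"[resourceId('{CONTAINER_TYPE}', '{account}', 'default', '{container}')]"
        ],
        "properties": {
            # Retention is counted from each blob's creation time, not from deployment.
            "immutabilityPeriodSinceCreationInDays": retention_days,
            # Allows append blobs (e.g. logs) to keep growing while remaining WORM.
            "allowProtectedAppendWrites": allow_append,
        },
    }


def validate(resource: Dict) -> List[str]:
    """Return the problems a deployment would reject; empty when well formed.

    Encodes what the answer above states: this resource type expresses only
    time-based retention (a legal hold cannot be declared here) and
    immutabilityPeriodSinceCreationInDays is mandatory.
    """
    problems: List[str] = []
    if resource.get("type") != POLICY_TYPE:
        problems.append("unexpected resource type")
    if not resource.get("name", "").endswith("/default"):
        problems.append("immutability policy child resource must be named 'default'")
    days = resource.get("properties", {}).get("immutabilityPeriodSinceCreationInDays")
    if days is None:
        problems.append("immutabilityPeriodSinceCreationInDays is required")
    elif not isinstance(days, int) or not MIN_DAYS <= days <= MAX_DAYS:
        problems.append(
            f"immutabilityPeriodSinceCreationInDays must be between {MIN_DAYS} and {MAX_DAYS} days")
    return problems


if __name__ == "__main__":
    import json
    res = immutability_policy_resource("stexample", "audit-logs", 365)
    print(json.dumps(res, indent=2))
    print("problems:", validate(res))
```

Deploying the resource without the property reproduces the failure described in the question; the validator reports it locally instead, and the same check can be pointed at a template pulled from source control before it reaches a pipeline.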
To lock a policy with Azure CLI, call the az storage blob immutability-policy set command and set the --policy-mode parameter to Locked. You can also change the expiry time when you lock the policy.

Ensure that immutable blob storage is enabled for Microsoft Azure Storage blob containers that hold sensitive and business-critical information. Immutable blob storage lets you keep critical production data objects in a Write Once, Read Many (WORM) state. In this state the data is non-erasable and non-modifiable for a user-specified interval. Azure blobs can be created and read for the duration of the configured retention interval, but cannot be modified or deleted. The feature supports two types of policy that you can apply to a container to keep its data in an immutable, delete-protected state:

1. A time-based retention policy, which can be used for regulatory compliance to lock data for a specified interval. Once the policy is locked, it cannot be unlocked.
2. A legal hold policy, which places an indefinite hold on all blobs in a container.
When a legal hold is set, the container's data is placed in a delete-protected and modification-protected state.

Regulatory compliance: immutable storage for Azure Blob storage helps organizations comply with SEC 17a-4(f), CFTC 1.31(d), FINRA, and other regulations.

Select Review + create to review your account settings and create the storage account.

Before you can apply a time-based retention policy to a blob version, you must enable version-level immutability support. You can enable version-level immutability support for a new storage account, or for a new or existing container.

To migrate a container to support version-level immutable storage with PowerShell, first make sure that a container-level time-based retention policy exists for the container. To create one, call Set-AzRmStorageContainerImmutabilityPolicy.

Depending on the scope, you can configure both a time-based retention policy and a legal hold for a resource (container or blob version).
If blob soft delete is configured for a storage account, it applies to all blobs in the account, regardless of whether a legal hold or time-based retention policy is in effect. Microsoft recommends that you enable soft delete for additional protection before you apply any immutability policies.

The feature is available in all Azure public regions.

Configurable policies allow users to keep Azure Blob storage data in an immutable state, where blobs can be created and read but cannot be modified or deleted.

To configure version-level immutability policies for an existing container, you must migrate the container to support version-level immutable storage. The container migration may take some time and cannot be reversed. You can migrate 10 containers at a time per storage account.

08 On the access policy configuration page, check the Immutable blob storage list for the retention policies that are set.
If no immutable storage retention policy is listed, the immutable blob storage protection feature is not enabled for the selected Azure Storage blob container.

Immutable storage for Azure Blob storage allows users to store business-critical data in a write once, read many (WORM) state. In the WORM state, data cannot be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes.

Blob container-level configuration: with immutable storage for Azure Storage blobs, users can configure time-based retention policies and legal hold tags at the container level. Users can create time-based retention policies, lock policies, extend retention intervals, set legal holds, clear legal holds, and more through simple container-level settings. The policies apply to all blobs in the container, existing and new.

03 Run the storage container list command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter, with custom query filters to determine the configuration status of the immutable storage retention policies (that is, the time-based immutability policy and the legal hold policy) for each blob container in the selected storage account:

Additionally, the Azure ARM template does not currently provide a resource type for creating a legal hold policy.
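The check described in the steps above (list the containers of an account, then decide which ones lack a time-based policy or a legal hold) is spelled out in the following added example, which is not code from the original page or from the Azure CLI. It runs offline on constructed JSON shaped like the output of `az storage container list` and `az storage container immutability-policy show`; the field names (properties.hasImmutabilityPolicy, properties.hasLegalHold, immutabilityPeriodSinceCreationInDays, state) are the ones those commands emit, while the container names and values are invented. It goes one step further than the page's check by distinguishing an unlocked policy from a locked one, and by computing when a given blob first becomes deletable under a policy.

```python
"""Audit Azure Blob containers for immutable (WORM) storage coverage.

Added example, not code from the original page. Runs offline on constructed JSON
shaped like two Azure CLI outputs:
  az storage container list --account-name <acct> -o json
  az storage container immutability-policy show --account-name <acct> -c <name> -o json
The field names are the ones those commands emit; the names and values are invented.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample shaped like `az storage container list` output.
CONTAINER_LIST_JSON = """[
  {"name": "audit-logs", "properties": {"hasImmutabilityPolicy": true,  "hasLegalHold": false}},
  {"name": "case-files", "properties": {"hasImmutabilityPolicy": false, "hasLegalHold": true}},
  {"name": "ledger",     "properties": {"hasImmutabilityPolicy": true,  "hasLegalHold": true}},
  {"name": "scratch",    "properties": {"hasImmutabilityPolicy": false, "hasLegalHold": false}}
]"""

# Constructed samples shaped like `az storage container immutability-policy show`,
# keyed by container name; only containers reporting hasImmutabilityPolicy have one.
POLICY_SHOW_JSON = {
    "audit-logs": '{"immutabilityPeriodSinceCreationInDays": 365, '
                  '"state": "Unlocked", "allowProtectedAppendWrites": false}',
    "ledger": '{"immutabilityPeriodSinceCreationInDays": 2555, '
              '"state": "Locked", "allowProtectedAppendWrites": true}',
}


def classify(container: Dict, policy: Optional[Dict]) -> str:
    """Map one container's flags to an audit finding.

    locked      - time-based policy in Locked state: WORM for the retention period and
                  the policy itself can no longer be removed or shortened (the target).
    unlocked    - time-based policy exists but is Unlocked: a principal with the right
                  role can still shorten or delete it, so it does not yet prove retention.
    legal-hold  - no time-based policy, only a legal hold: immutable until the hold is
                  cleared, with no fixed retention period.
    unprotected - neither: blobs can be overwritten or deleted at any time.
    """
    props = container.get("properties", {})
    if props.get("hasImmutabilityPolicy") and policy is not None:
        return "locked" if policy.get("state") == "Locked" else "unlocked"
    if props.get("hasLegalHold"):
        return "legal-hold"
    return "unprotected"


def audit(container_list_json: str, policy_show_json: Dict[str, str]) -> Dict[str, str]:
    """Return {container name: finding} for every container in the list output."""
    findings: Dict[str, str] = {}
    for c in json.loads(container_list_json):
        raw = policy_show_json.get(c["name"])
        findings[c["name"]] = classify(c, json.loads(raw) if raw else None)
    return findings


def noncompliant(findings: Dict[str, str]) -> List[str]:
    """Containers without a locked time-based policy, sorted for a stable report."""
    return sorted(name for name, f in findings.items() if f != "locked")


def earliest_delete_time(created_at: str, policy: Optional[Dict],
                         has_legal_hold: bool) -> Optional[str]:
    """ISO-8601 instant at which a blob written at `created_at` first becomes deletable.

    A legal hold has no expiry, so it wins and the answer is None. Otherwise the blob is
    protected for immutabilityPeriodSinceCreationInDays counted from its own creation
    time, not from when the policy was applied.
    """
    if has_legal_hold:
        return None
    created = datetime.fromisoformat(created_at)
    if policy is None:
        return created.isoformat()  # no policy: deletable immediately
    days = policy["immutabilityPeriodSinceCreationInDays"]
    return (created + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    result = audit(CONTAINER_LIST_JSON, POLICY_SHOW_JSON)
    for name, finding in sorted(result.items()):
        print(f"{name:12s} {finding}")
    print("needs attention:", ", ".join(noncompliant(result)))
```

In a real run, `CONTAINER_LIST_JSON` is the captured output of the list command for one account and `POLICY_SHOW_JSON` is filled by calling the show command for each container that reports hasImmutabilityPolicy; an "unlocked" finding is worth treating the same as "unprotected" for compliance purposes, since the policy can still be deleted.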