Azure Policy can block dangerously broad blob lifecycle rules in storage accounts
Azure Blob Storage lifecycle rules without filters such as prefixMatch or blobIndexMatch apply to every blob in a storage account, risking unintended deletions or tier transitions. A developer encountered this risk while working on automated blob cleanup and sought a preventive guardrail rather than relying solely on code reviews. Azure Policy can be configured to target storage account management policies and deny any lifecycle rule that lacks the required filters. A custom policy definition, written in Bicep, checks for missing filter fields and blocks the change if at least one unscoped rule is detected. This approach enforces safer defaults especially in shared development or test environments where manual portal changes can bypass standard review processes.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in