Protecting Azure Backup from malicious deletion
I want to regularly back up a number of Windows servers (all Azure VMs) to an Azure Backup vault. My worry is that if my Azure account is compromised, an attacker could potentially delete the VMs, the storage accounts and the backup vault.
- Does Azure Backup provide any protection against this scenario?
- If not, what solution do you recommend? An obvious extra safety measure would be to have a separate Azure account for the backup.
You can use Resource Locks to protect resources from accidental / malicious deletion.
For instance, to apply a lock to a vault, you would use the following:
New-AzureRmResourceLock -LockName "VaultLock" -LockLevel CanNotDelete `
-ResourceGroupName MyvaultRG `
-ResourceName MyVault `
-ResourceType Microsoft.KeyVault/vaults
If you then attempt to delete it, you will get the following error:
Remove-AzureRmKeyVault : ScopeLocked: The scope '{scope}' cannot perform delete operation because following scope(s) are locked: {scope}
You need to issue a command to remove the lock in order to delete the resource.
# The lock was created at resource scope, so the same scope must be given here;
# with only -LockName the cmdlet looks for a subscription-level lock instead.
Remove-AzureRmResourceLock -LockName "VaultLock" `
-ResourceGroupName MyvaultRG `
-ResourceName MyVault `
-ResourceType Microsoft.KeyVault/vaults
This, used in conjunction with RBAC policies, can keep your resources secure.
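The answer's example locks a Key Vault; Azure Backup itself stores data in a Recovery Services vault (resource type Microsoft.RecoveryServices/vaults). As an added example that is not part of the answer above, the script below audits every Recovery Services vault in the current subscription, reports which ones lack a delete lock, and applies a CanNotDelete lock where one is missing, using the same AzureRm cmdlets. The lock name "BackupVaultLock" and the note text are assumptions chosen for this example.

```powershell
# Added example: audit Recovery Services vaults (the resource type behind Azure Backup)
# for a CanNotDelete/ReadOnly lock and apply one where it is missing.
# Assumes Login-AzureRmAccount has been run and the context points at the
# subscription to audit. Lock name and notes below are example values.
$vaultType = "Microsoft.RecoveryServices/vaults"
$vaults = Get-AzureRmResource -ResourceType $vaultType

foreach ($vault in $vaults) {
    # Locks currently applied at the vault's own scope
    $locks = Get-AzureRmResourceLock -ResourceGroupName $vault.ResourceGroupName `
                                     -ResourceName $vault.Name `
                                     -ResourceType $vaultType

    # Either level blocks deletion; ReadOnly additionally blocks modification
    $protected = $locks | Where-Object {
        $_.Properties.level -eq "CanNotDelete" -or $_.Properties.level -eq "ReadOnly"
    }

    if ($protected) {
        Write-Output "OK       $($vault.Name): locked by $($protected.Name -join ', ')"
    } else {
        Write-Output "MISSING  $($vault.Name): applying CanNotDelete lock"
        New-AzureRmResourceLock -LockName "BackupVaultLock" -LockLevel CanNotDelete `
            -LockNotes "Protects Azure Backup data from deletion" `
            -ResourceGroupName $vault.ResourceGroupName `
            -ResourceName $vault.Name `
            -ResourceType $vaultType -Force | Out-Null
    }
}
```

Run it on a schedule and treat any "MISSING" line as a finding: a lock only helps if it is still in place, and a principal holding Owner or User Access Administrator on the scope can remove it, which is why the RBAC point in the answer matters.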