Skip to main content

πŸ“ Azure Storage Account Cross Tenant Replication is enabled 🟒

  • Contextual name: πŸ“ Cross Tenant Replication is enabled 🟒
  • ID: /ce/ca/azure/storage/disable-cross-tenant-replication
  • Located in: πŸ“ Azure Storage

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

  • Internal
    • dec-x-397dd59e

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-397dd59e1

Logic​

Description​

Open File

Description​

Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures that data is not inadvertently replicated across different tenant boundaries without explicit authorization.

Rationale​

Disabling Cross Tenant Replication minimizes the risk of unauthorized data access and ensures that data governance policies are strictly adhered to. This control is especially critical for organizations with stringent data security and privacy requirements, as it prevents the accidental sharing of sensitive information.

Impact​

Disabling Cross Tenant Replication may affect data availability and sharing across different Azure tenants. Ensure that this change aligns with your organizational data sharing and availability requirements.

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Go to Storage Accounts.
  2. For each storage account, under Data management, click Object replication.
  3. Click Advanced settings.
  4. Uncheck Allow cross-tenant replication.
  5. Click OK.

From Azure CLI​

Replace the information within <> with appropriate values:

az storage account update --name <storageAccountName> --resource-group <resourceGroupName> --allow-cross-tenant-replication false

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 3.16 Ensure 'Cross Tenant Replication' is not enabled - Level 1 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 4.16 Ensure 'Cross Tenant Replication' is not enabled (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Protection and Recovery10
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15417
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 2.1.5 Ensure users are authenticated before allowing them access to organizational data or services33