🛡️ Azure Storage Account is not configured to use geo-redundant storage🟢
- Contextual name: 🛡️ Storage Account is not configured to use geo-redundant storage🟢
- ID: /ce/ca/azure/storage/geo-redundant-storage
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Description
Verify that critical Azure Storage Accounts are configured with geo-redundant storage.
Azure Storage offers multiple replication options to enhance data durability and availability. Locally Redundant Storage (LRS) replicates data synchronously three times within a single physical location (a single data center), offering basic, least-expensive protection against hardware failures.
Rationale
Although LRS provides resilience against local hardware issues such as drive or server rack failures, it does not offer protection against data-center-wide disruptions, such as those caused by natural disasters, power outages, or large-scale equipment failures.
For critical storage accounts, use a geo-redundant replication option:
- Geo-Redundant Storage (GRS): Replicates data to a secondary geographic region.
- Read-Access Geo-Redundant Storage (RA-GRS): Provides read access to the secondary region.
- Geo-Zone-Redundant Storage (GZRS) and Read-Access Geo-Zone-Redundant Storage (RA-GZRS): Combine zone redundancy in the primary region with geo-redundancy to a secondary region.
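The check this policy describes, written out as an added example (not the policy's own `policy.yaml` logic and not Microsoft's code): it runs over a constructed sample shaped like `az storage account list -o json`, flags critical accounts whose SKU is not one of the geo-redundant SKUs named in the Remediation section, and renders the matching `az storage account update` command. The `criticality` tag used to decide which accounts count as "critical" is an assumption, since the page does not define how criticality is determined; the sample account data is constructed.

```python
import json

# Replication SKUs that copy data to a secondary region (the target SKUs the
# Remediation section names as geo-redundant).
GEO_REDUNDANT_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}

# Assumption: "critical" accounts are identified by a tag. The policy page does
# not define criticality, so this tag name and value are placeholders.
CRITICAL_TAG = ("criticality", "high")

# Constructed sample resembling `az storage account list -o json`, trimmed to
# the fields this check reads (name, resourceGroup, sku.name, sku.tier, tags).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stcriticalprod01", "resourceGroup": "rg-prod",
   "sku": {"name": "Standard_LRS", "tier": "Standard"}, "tags": {"criticality": "high"}},
  {"name": "stlogsarchive02", "resourceGroup": "rg-prod",
   "sku": {"name": "Standard_RAGRS", "tier": "Standard"}, "tags": {"criticality": "high"}},
  {"name": "stscratch03", "resourceGroup": "rg-dev",
   "sku": {"name": "Standard_ZRS", "tier": "Standard"}, "tags": {}},
  {"name": "stpremiumfiles04", "resourceGroup": "rg-prod",
   "sku": {"name": "Premium_LRS", "tier": "Premium"}, "tags": {"criticality": "high"}}
]
"""


def is_geo_redundant(sku_name: str) -> bool:
    """True when the SKU replicates to a secondary region."""
    return sku_name in GEO_REDUNDANT_SKUS


def is_critical(account: dict) -> bool:
    """Apply the (assumed) tag-based criticality rule."""
    tags = account.get("tags") or {}
    key, value = CRITICAL_TAG
    return tags.get(key) == value


def evaluate_account(account: dict) -> str:
    """Classify one account: compliant, non_compliant, needs_review or not_applicable."""
    if not is_critical(account):
        return "not_applicable"
    sku = account["sku"]
    if is_geo_redundant(sku["name"]):
        return "compliant"
    if sku.get("tier") == "Premium":
        # Premium-tier accounts offer only LRS/ZRS, so a plain `--sku` change to a
        # geo-redundant SKU is not available; surface for an architectural decision
        # rather than emitting a remediation command that would fail.
        return "needs_review"
    return "non_compliant"


def evaluate(accounts: list) -> dict:
    """Map account name -> status for a list of account records."""
    return {acct["name"]: evaluate_account(acct) for acct in accounts}


def remediation_command(account: dict, target_sku: str = "Standard_GRS") -> str:
    """Render the Azure CLI remediation from the page for a failing account.

    GRS is the default target because the page notes that a move to GZRS must
    pass through GRS first.
    """
    if target_sku not in GEO_REDUNDANT_SKUS:
        raise ValueError(f"{target_sku} is not a geo-redundant SKU")
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} --sku {target_sku}")


def load_sample() -> list:
    """Parse the constructed sample into account records."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


if __name__ == "__main__":
    for acct in load_sample():
        status = evaluate_account(acct)
        line = f"{acct['name']:<18} {acct['sku']['name']:<16} {status}"
        if status == "non_compliant":
            line += "  ->  " + remediation_command(acct)
        print(line)
```

To run it against a real subscription, replace `SAMPLE_ACCOUNTS_JSON` with the output of `az storage account list -o json`; the fields read here are present in that output. Accounts reported as `needs_review` should be reconciled against the current Microsoft documentation on replication limitations, as the Remediation section advises.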
Remediation
Important Considerations
- Refer to the official Microsoft documentation for up-to-date guidance on limitations, replication options, and capabilities.
- Always validate replication changes in a non-production environment before applying them in production to avoid service disruptions or data loss.
- Select a geo-redundant target SKU such as Standard_GRS, Standard_RAGRS, Standard_GZRS, or Standard_RAGZRS.

Switching to Geo-Redundant Storage

Azure CLI:

```shell
az storage account update \
  --name {{storage-account-name}} \
  --resource-group {{resource-group-name}} \
  --sku {{sku}}
```

PowerShell:

```powershell
Set-AzStorageAccount `
  -ResourceGroupName "{{resource-group-name}}" `
  -Name "{{storage-account-name}}" `
  -SkuName "{{sku}}"
```

Note: To migrate to Geo-Zone-Redundant Storage (GZRS), you must first switch the account to GRS. Afterward, you can convert it to GZRS using the migration commands described in the next section.
Conversion to Geo-Zone-Redundant Storage
A redundancy "conversion" is the process of changing the zone-redundancy aspect of a storage account, such as converting from GRS to Geo-Zone-Redundant Storage (GZRS).
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v5.0.0 → 💼 9.3.11 Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts (Automated) | 1 | no data | | | |
| 💼 CIS Azure v6.0.0 → 💼 9.3.11 Ensure Redundancy is Set to 'geo-redundant storage (GRS)' on Critical Azure Storage Accounts (Automated) | 1 | no data | | | |
| 💼 Cloudaware Framework → 💼 System Configuration | 61 | no data | | | |