Description:

The 'Cross Tenant Replication' setting in Azure Storage Accounts enables replication of data across multiple tenants. This feature allows data to be replicated to storage accounts in other tenants, which could have security and compliance implications. Disabling cross-tenant replication ensures that data remains isolated within the tenant and is not shared or replicated across different organizational boundaries unless explicitly required.

Rationale:

Disabling 'Cross Tenant Replication' helps prevent potential data leaks or unauthorized sharing of data between different Azure Active Directory (AAD) tenants. By ensuring that replication is restricted to a single tenant, organizations can better control where and how their sensitive data is stored and prevent potential exposure to other tenants or external entities. This is particularly important for meeting security and compliance standards like GDPR, HIPAA, and SOC 2, which mandate strict control over data access and transfer.

Impact:

Disabling cross-tenant replication may limit the ability to replicate data across tenants for certain use cases, such as disaster recovery or data migration scenarios. Therefore, it is important to evaluate the business needs before applying this policy. However, for most use cases, keeping data within a single tenant is a better practice for maintaining security and compliance.

Default Value:

By default, Azure does not enable 'Cross Tenant Replication' for storage accounts. However, organizations should regularly verify the setting to ensure it has not been accidentally or maliciously enabled.

Pre-requisites:

  • Azure account: Ensure you have sufficient permissions to configure Azure Storage Account settings.

  • Azure Storage Account: Ensure the target storage account exists.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.

Remediation:

Audit:

To check if 'Cross Tenant Replication' is enabled for your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check replication settings:

    • In the left-hand menu, click on Replication under the "Settings" section of the storage account.

    • Verify that Cross Tenant Replication is not enabled.

Automated Implementation:

You can enforce this setting through Azure Policy to automatically disable 'Cross Tenant Replication' across all storage accounts.

  1. Create a custom Azure Policy to ensure 'Cross Tenant Replication' is disabled:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content. The rule targets storage accounts only and denies any account whose allowCrossTenantReplication property is not false (the corresponding Azure Policy alias is Microsoft.Storage/storageAccounts/allowCrossTenantReplication; an unset value is also treated as non-compliant):

{
  "properties": {
    "displayName": "Ensure Cross Tenant Replication is Not Enabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that 'Cross Tenant Replication' is disabled on all storage accounts.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
            "notEquals": false
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

  2. Assign the policy:

    • After creating the policy, assign it to the relevant subscriptions or resource groups to ensure that 'Cross Tenant Replication' is disabled across all storage accounts in your environment.
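The following script is an added example and is not part of this benchmark or of any Microsoft tooling. It applies the logic of the custom policy above (a type check plus allowCrossTenantReplication notEquals false) to storage-account resource documents of the shape returned by the ARM API, so the Audit step and the policy rule can be reasoned about offline. The resource documents and names are constructed for illustration; the evaluator supports only the handful of condition operators the rule needs, and it deliberately fails closed by treating an unset property as non-compliant.

```python
"""Offline evaluator for the 'Cross Tenant Replication' policy rule.

Added example (not the benchmark's or Microsoft's code). It walks a list of
ARM-style resource documents and reports the storage accounts that the
policy's 'if' block would match, i.e. the ones a 'deny' effect would block
and an audit should flag.
"""
import json

# ARM property name on storage accounts and its Azure Policy alias.
PROP = "allowCrossTenantReplication"
ALIAS = "Microsoft.Storage/storageAccounts/" + PROP

# Same 'if' condition as the custom policy definition above.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": ALIAS, "notEquals": False},
        ]
    },
    "then": {"effect": "deny"},
}

# Constructed sample resources (not real accounts):
#   stcorpdata  - replication to other tenants explicitly allowed
#   stisolated  - explicitly disallowed (compliant)
#   stlegacy    - property never set (treated as non-compliant, fail closed)
#   kv-prod     - not a storage account, must be ignored by the type check
SAMPLE_RESOURCES = [
    {"name": "stcorpdata", "type": "Microsoft.Storage/storageAccounts",
     "properties": {PROP: True}},
    {"name": "stisolated", "type": "Microsoft.Storage/storageAccounts",
     "properties": {PROP: False}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults",
     "properties": {}},
]


def resolve_field(resource, field):
    """Map a policy 'field' reference to the value in the resource document."""
    if field == "type":
        return resource.get("type")
    if field.startswith("Microsoft.Storage/storageAccounts/"):
        prop = field.rsplit("/", 1)[1]
        # .get() returns None when the property is unset.
        return resource.get("properties", {}).get(prop)
    raise ValueError(f"unsupported field: {field!r}")


def _same(a, b):
    """String comparisons in policy conditions are case-insensitive."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(condition, resource):
    """Evaluate a policy condition (allOf/anyOf/not/equals/notEquals)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return _same(value, condition["equals"])
    if "notEquals" in condition:
        # None != False is True, so an unset property is non-compliant.
        return not _same(value, condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition!r}")


def non_compliant(resources, rule=POLICY_RULE):
    """Names of resources the rule's 'if' block matches."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]


def audit_report(resources, rule=POLICY_RULE):
    """Per-resource report: effect that would apply, or 'compliant'."""
    return {
        r["name"]: (rule["then"]["effect"] if evaluate(rule["if"], r)
                    else "compliant")
        for r in resources
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_RESOURCES), indent=2))
```

Against the constructed sample, the evaluator flags stcorpdata and stlegacy and leaves stisolated and kv-prod alone; the key vault is skipped only because of the type check, which is why the custom policy carries one. Against a real subscription the same property can be listed with the Azure CLI (az storage account list, selecting the allowCrossTenantReplication field with --query) and cleared with az storage account update --allow-cross-tenant-replication false.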

Backout Plan:

If you need to re-enable cross-tenant replication (which should be carefully considered), follow these steps:

  1. Sign in to the Azure portal with the appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to the Replication settings:

    • In the left-hand menu, click on Replication under the "Settings" section.

  4. Enable Cross Tenant Replication if necessary:

    • Choose the desired replication type that supports cross-tenant replication, such as Geo-zone-redundant storage (GZRS).

    • Save the changes.

If the setting was automated via Azure Policy, modify or remove the policy to allow cross-tenant replication.

References: