Profile Applicability:
Level 1
Description:
Cross Subscription Restore (CSR) enables restoring backup data from a Recovery Services Vault in one Azure subscription to a resource in another subscription. Disabling CSR restricts restore operations to within the same subscription, reducing the risk of unauthorized data transfer or exposure across subscription boundaries.
Rationale:
Disabling CSR enforces stricter data governance by limiting backup data restoration within the same subscription, helping prevent data leakage or unintended access across organizational boundaries. This supports compliance with data residency, privacy, and security policies.
Impact:
Pros:
Enhances data control and reduces risk of cross-subscription data exposure.
Simplifies compliance with organizational and regulatory data handling requirements.
Cons:
May limit flexibility in multi-subscription recovery scenarios.
Requires alternative processes for cross-subscription disaster recovery.
Default Value:
CSR is often enabled or disabled based on vault configuration and organizational policies; the default varies.
Pre-requisites:
Access to configure Recovery Services Vault settings.
Understanding of organizational subscription boundaries and data governance policies.
Remediation:
Test Plan:
Using Azure Portal:
Navigate to https://portal.azure.com.
Go to Recovery Services Vaults and select the target vault.
Under Backup Infrastructure or Properties, find the Cross Subscription Restore setting.
Verify that it is set to Disabled or Permanently Disabled.
Using Azure CLI:
1. Check the CSR setting:
az backup vault show --name <vault-name> --resource-group <resource-group> --query "properties.restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState"
2. Confirm the value is Disabled or PermanentlyDisabled.
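The single-vault check above can be run across every vault in the current subscription. The script below is an added example, not part of the original benchmark text. It assumes `az backup vault list` returns the same `restoreSettings` property as `az backup vault show`; the function names and the sample vault names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Cross Subscription Restore (CSR) on all vaults.

# Assumed JMESPath of the CSR state in the vault resource.
CSR_PATH='properties.restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState'
TAB=$(printf '\t')

# Classify one reported state. Only the two disabled states pass; a
# missing or unexpected value is flagged for review, not assumed safe.
csr_verdict() {
  case "$1" in
    Disabled|PermanentlyDisabled) echo PASS ;;
    Enabled)                      echo FAIL ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Read "name<TAB>resource-group<TAB>state" lines on stdin, print one
# verdict line per vault, return non-zero if any vault is not PASS.
audit_csr() {
  audit_rc=0
  while IFS="$TAB" read -r v_name v_rg v_state; do
    [ -n "$v_name" ] || continue
    v_verdict=$(csr_verdict "$v_state")
    printf '%s\t%s\t%s\t%s\n' "$v_verdict" "$v_name" "$v_rg" "${v_state:-unset}"
    [ "$v_verdict" = PASS ] || audit_rc=1
  done
  return "$audit_rc"
}

# Live input: one TSV row per vault in the current subscription.
list_vault_csr() {
  az backup vault list --query "[].[name, resourceGroup, ${CSR_PATH}]" -o tsv
}

# Constructed sample rows in the same TSV shape, for offline runs.
sample_vaults() {
  printf 'vault-prod\trg-backup\tPermanentlyDisabled\n'
  printf 'vault-dev\trg-dev\tDisabled\n'
  printf 'vault-legacy\trg-old\tEnabled\n'
  printf 'vault-2019\trg-old\tNone\n'
}

# Usage against Azure:   list_vault_csr | audit_csr
# Usage offline:         sample_vaults  | audit_csr
```

A non-zero exit status from `audit_csr` means at least one vault is Enabled or did not report a state, so the function can gate a scheduled compliance job.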
Implementation Plan:
Using Azure Portal:
In the vault settings, set Cross Subscription Restore to Disabled or Permanently Disabled as per organizational policy.
Save and verify the configuration.
Using Azure CLI:
1. Disable CSR via CLI:
az backup vault update --name <vault-name> --resource-group <resource-group> --cross-subscription-restore-state Disable
2. Or for permanent disablement:
az backup vault update --name <vault-name> --resource-group <resource-group> --cross-subscription-restore-state PermanentlyDisable
3. Confirm the update.
Backout Plan:
Using Azure Portal:
Revert the CSR setting to Enabled if necessary for operational requirements. A vault set to Permanently Disabled cannot be reverted.
Communicate with stakeholders about impacts.
Using Azure CLI:
1. Enable CSR if needed:
az backup vault update --name <vault-name> --resource-group <resource-group> --cross-subscription-restore-state Enable