Profile Applicability:
Level 1
Description:
Cross Subscription Restore (CSR) allows restoring backup data from a Recovery Services Vault in one Azure subscription to resources in a different subscription. Disabling CSR restricts restores to within the same subscription, enhancing data governance and preventing unauthorized cross-subscription data transfers.
Rationale:
Disabling CSR limits data exposure across subscription boundaries, enforcing stricter data governance and compliance with organizational policies. This reduces the risk of unintended data access or leakage between different business units or customers.
Impact:
Pros:
Enhances control over backup data restoration scope.
Supports compliance with data residency and security policies.
Reduces risk of cross-subscription data breaches.
Cons:
Limits flexibility for multi-subscription disaster recovery scenarios.
May require alternative recovery workflows.
Default Value:
CSR may be enabled or disabled based on vault configuration; defaults vary.
Pre-requisites:
Permissions to manage Recovery Services Vault settings.
Knowledge of organizational subscription boundaries.
Remediation:
Test Plan:
Using Azure Portal:
1. Navigate to https://portal.azure.com.
2. Select Recovery Services Vaults and choose the vault.
3. Under Backup Infrastructure or Properties, locate the Cross Subscription Restore setting.
4. Verify that it is set to Disabled or Permanently Disabled.
Using Azure CLI:
1. Check CSR status:
az backup vault show --name <vault-name> --resource-group <resource-group> --query "properties.restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState"
2. Confirm the returned value is Disabled or PermanentlyDisabled.
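Added example (not part of the original benchmark text): a Python check that applies the pass criteria above to many vaults at once, reading JSON shaped like `az backup vault list -o json` output. The vault names, resource groups, the property layout of the sample data and the choice to treat a missing setting as a failure are assumptions of this example.

```python
import json

# Constructed sample shaped like `az backup vault list -o json` output.
# Names and resource groups are made up; the property layout is an assumption.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "rsv-prod", "resourceGroup": "rg-backup",
   "properties": {"restoreSettings": {"crossSubscriptionRestoreSettings":
     {"crossSubscriptionRestoreState": "Enabled"}}}},
  {"name": "rsv-finance", "resourceGroup": "rg-backup",
   "properties": {"restoreSettings": {"crossSubscriptionRestoreSettings":
     {"crossSubscriptionRestoreState": "Disabled"}}}},
  {"name": "rsv-hr", "resourceGroup": "rg-hr",
   "properties": {"restoreSettings": {"crossSubscriptionRestoreSettings":
     {"crossSubscriptionRestoreState": "PermanentlyDisabled"}}}},
  {"name": "rsv-legacy", "resourceGroup": "rg-old",
   "properties": {"restoreSettings": null}}
]
""")

# States the Test Plan accepts as a pass.
COMPLIANT_STATES = {"Disabled", "PermanentlyDisabled"}

def csr_state(vault):
    """Return the vault's CSR state, or "Unknown" when the setting is absent."""
    node = vault.get("properties") or {}
    for key in ("restoreSettings", "crossSubscriptionRestoreSettings"):
        node = node.get(key) or {}
    return node.get("crossSubscriptionRestoreState") or "Unknown"

def audit_vaults(vaults):
    """Return (name, resource group, state) for each vault that fails the check."""
    findings = []
    for vault in vaults:
        state = csr_state(vault)
        # Fail closed: an absent or unrecognised value counts as non-compliant.
        if state not in COMPLIANT_STATES:
            findings.append((vault.get("name"), vault.get("resourceGroup"), state))
    return findings

if __name__ == "__main__":
    for name, group, state in audit_vaults(SAMPLE_VAULTS):
        print(f"FAIL {group}/{name}: Cross Subscription Restore is {state}")
```

To run it against real data, replace the sample with the parsed output of the vault listing for each subscription in scope.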
Implementation Plan:
Using Azure Portal:
1. In vault settings, set Cross Subscription Restore to Disabled or Permanently Disabled.
2. Save and validate.
Using Azure CLI:
1. Disable CSR:
az backup vault update --name <vault-name> --resource-group <resource-group> --cross-subscription-restore-state Disable
2. For permanent disablement (irreversible: a vault set to this state cannot have CSR re-enabled):
az backup vault update --name <vault-name> --resource-group <resource-group> --cross-subscription-restore-state PermanentlyDisable
3. Confirm the change by re-running the status check from the Test Plan.
Backout Plan:
Using Azure Portal:
1. Re-enable CSR if needed by setting it to Enabled.
2. Inform stakeholders.
Using Azure CLI:
1. Enable CSR:
az backup vault update --name <vault-name> --resource-group <resource-group> --cross-subscription-restore-state Enable