Objective
Add a new scanner rule to detect Azure Storage Accounts that are not configured with geo-redundant replication (GRS or GZRS), leaving data at risk of permanent loss in a regional outage.
Background
Storage accounts using only locally redundant storage (LRS) or zone-redundant storage (ZRS) keep every copy of the data within a single region. A regional disaster or outage can therefore cause permanent data loss with no recovery path.
Real-World Breach Scenario
During the 2021 Azure regional outage in South Brazil, organisations using LRS-only storage lost access to critical data with no failover available. Those using GRS failed over automatically with zero data loss.
Compliance Mapping
- CIS Azure Benchmark: 3.1
- NIST CSF: PR.IP-4
- ISO 27001: A.17.2.1
- SOC 2: A1.2
Deliverables
- scanner/rules/az_stor_005.py — scan() function using Azure SDK
- playbooks/cli/fix_az_stor_005.sh — upgrade replication to GRS
- compliance/frameworks/cis_azure_benchmark.json — add AZ-STOR-005 entry
- compliance/frameworks/nist_csf.json — add AZ-STOR-005 entry
- compliance/frameworks/iso27001.json — add AZ-STOR-005 entry
- compliance/frameworks/soc2.json — add AZ-STOR-005 entry
Severity
MEDIUM
Category
Storage
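The following is an added example of the detection logic the Objective and the scanner-rule deliverable describe; it is not the project's own scanner/rules/az_stor_005.py. It assumes the rule emits one finding dict per non-geo-redundant account, and the finding field names, the `AccountInfo` view, the `exempt_premium` option and the Azure SDK wiring (azure-identity plus azure-mgmt-storage) are this example's assumptions. The SKU names are Azure's real storage SKU identifiers; the sample accounts are constructed.

```python
"""AZ-STOR-005: flag storage accounts whose replication never leaves the region.

Added example, not the project's own code. Finding layout, AccountInfo and the
exempt_premium option are assumptions; SKU names are Azure's real identifiers.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

RULE_ID = "AZ-STOR-005"
SEVERITY = "MEDIUM"

# SKUs that replicate to the paired secondary region. Everything else
# (Standard_LRS, Standard_ZRS, Premium_LRS, Premium_ZRS) stays in one region.
GEO_REDUNDANT_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}


def is_geo_redundant(sku_name: str) -> bool:
    """True when the SKU keeps a copy of the data in a second region."""
    return sku_name in GEO_REDUNDANT_SKUS


@dataclass
class AccountInfo:
    """Minimal view of a storage account (assumed shape), holding only what the rule needs."""
    name: str
    resource_id: str
    location: str
    sku_name: str


def evaluate(accounts: Iterable[AccountInfo], exempt_premium: bool = False) -> List[Dict[str, str]]:
    """Pure rule logic: return one finding per account that is not geo-redundant.

    Premium (block blob / file share) accounts only support LRS and ZRS, so
    exempt_premium=True lets a team suppress findings they cannot remediate
    by changing the SKU; by default they are still reported.
    """
    findings: List[Dict[str, str]] = []
    for acct in accounts:
        if is_geo_redundant(acct.sku_name):
            continue
        if exempt_premium and acct.sku_name.startswith("Premium_"):
            continue
        findings.append({
            "rule_id": RULE_ID,
            "severity": SEVERITY,
            "resource_id": acct.resource_id,
            "resource_name": acct.name,
            "location": acct.location,
            "current_sku": acct.sku_name,
            "message": f"Storage account {acct.name} uses {acct.sku_name}; all replicas are in {acct.location}.",
            "remediation": "Upgrade replication to Standard_GRS or Standard_GZRS (playbooks/cli/fix_az_stor_005.sh).",
        })
    return findings


def scan(subscription_id: str) -> List[Dict[str, str]]:
    """Live scan: list storage accounts via the Azure SDK and run evaluate() on them.

    Needs azure-identity and azure-mgmt-storage installed and a credential that
    DefaultAzureCredential can resolve; imports are local so the pure logic above
    stays importable offline.
    """
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.storage import StorageManagementClient

    client = StorageManagementClient(DefaultAzureCredential(), subscription_id)
    accounts = []
    for acct in client.storage_accounts.list():
        # sku.name may be a plain string or a str-backed SDK enum; take the raw value.
        sku = getattr(acct.sku.name, "value", acct.sku.name)
        accounts.append(AccountInfo(name=acct.name, resource_id=acct.id,
                                    location=acct.location, sku_name=sku))
    return evaluate(accounts)


# Constructed sample inventory so the rule can be exercised without a subscription.
SAMPLE_ACCOUNTS = [
    AccountInfo("prodlogslrs", "/subscriptions/SUB-PLACEHOLDER/.../prodlogslrs", "brazilsouth", "Standard_LRS"),
    AccountInfo("backupsragrs", "/subscriptions/SUB-PLACEHOLDER/.../backupsragrs", "brazilsouth", "Standard_RAGRS"),
    AccountInfo("premiumdatazrs", "/subscriptions/SUB-PLACEHOLDER/.../premiumdatazrs", "eastus", "Premium_ZRS"),
    AccountInfo("archivegzrs", "/subscriptions/SUB-PLACEHOLDER/.../archivegzrs", "eastus", "Standard_GZRS"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ACCOUNTS):
        print(f"[{finding['severity']}] {finding['rule_id']} {finding['resource_name']}: {finding['message']}")
```

Keeping `evaluate()` free of SDK calls is what makes the rule unit-testable with constructed inventories like the one above; `scan()` is only the thin adapter that feeds it live data. The remediation playbook deliverable would wrap the equivalent of `az storage account update --name <account> --resource-group <rg> --sku Standard_GRS`, which is the SKU change the finding's remediation text points at.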