Azure Storage Cross-Tenant Replication Disabled
ID: azure-storage-cross-tenant-replication-disabled
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
Description
Section titled “Description”Ensure that the Cross-Tenant Replication feature is disabled for your Azure Storage accounts in order to prevent object replication across Microsoft Entra tenants. Cross-Tenant Replication enables replication of data across different Microsoft Entra tenants, allowing for redundancy and disaster recovery across organizational boundaries. Although advantageous for data accessibility and sharing, this feature also poses a significant security risk if not properly managed. Potential risks include unauthorized data access, data leakage, and compliance breaches.
YAML Source
Section titled “YAML Source”id: azure-storage-cross-tenant-replication-disabledinfo: name: Azure Storage Cross-Tenant Replication Disabled author: princechaddha severity: high description: | Ensure that the Cross-Tenant Replication feature is disabled for your Azure Storage accounts in order to prevent object replication across Microsoft Entra tenants. Cross-Tenant Replication enables replication of data across different Microsoft Entra tenants, allowing for redundancy and disaster recovery across organizational boundaries. Although advantageous for data accessibility and sharing, this feature also poses a significant security risk if not properly managed. Potential risks include unauthorized data access, data leakage, and compliance breaches. impact: | Enabled Cross-Tenant Replication can lead to unauthorized data access and data leakage, posing significant security and compliance risks. remediation: | Disable the Cross-Tenant Replication feature for Azure Storage accounts to ensure data is not replicated across different Microsoft Entra tenants without authorization. reference: - https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: | code(1); for (let StorageAccount of iterate(template.storageAccountList)) { StorageAccount = JSON.parse(StorageAccount); set("name", StorageAccount.Name); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az storage account list --query '[*].{"Name":name}'
extractors: - type: json name: storageAccountList internal: true json: - '.[]'
- engine: - sh - bash source: | az storage account show --name "$name" --query 'allowCrossTenantReplication'
matchers-condition: and matchers: - type: word words: - 'false'
extractors: - type: dsl dsl: - '"Cross-Tenant Replication is enabled for " + name + ", posing a security risk"'# digest: 490a00463044022000ae1a04ecda351a200bbc28099b9ddca8bbaa6f20579cde6d31ae404b97227d02206c5b1363ed1c0f656c4a4d219af389035dbfe84597b4a1d3842a4f076a5e49ff:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/storageaccounts/azure-storage-cross-tenant-replication-disabled.yaml"