Azure Storage Accounts Without Proper Replication
Description
Azure Storage Accounts provide scalable, secure storage for a wide range of data solutions. A key feature of the service is data replication, which keeps data durable and available. Replication copies your data within the same data center, to a second data center, or across regions, protecting it against unexpected hardware failures, datacenter outages, and even large-scale events such as natural disasters.
The following replication types are recommended for ensuring high durability and availability of data:
- GRS (Geo-Redundant Storage): Cross-regional replication to protect against regional unavailability.
- RAGRS (Read-Access Geo-Redundant Storage): Similar to GRS, but also provides read-only access to the data in the secondary location.
- GZRS (Geo-Zone-Redundant Storage): Combines the high availability provided by replication across availability zones with protection from regional outages.
- RAGZRS (Read-Access Geo-Zone-Redundant Storage): Combines the advantages of GZRS with read-only access to the data in the secondary location.
This policy ensures that Azure Storage Accounts are configured to use one of the recommended replication methods, safeguarding your data against local and regional disruptions.
Code Example
```hcl
resource "azurerm_storage_account" "example" {
  name = "examplestoracc"
  # ... other configurations ...
  # Add this argument:
  account_replication_type = "GRS" # Or use RAGRS, GZRS, or RAGZRS as per your requirement.
  # ... other configurations ...
}
```
Remediation
Terraform
Resource:
- azurerm_storage_account
Arguments:
- account_replication_type
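To show how this rule can be evaluated against Terraform source, the following added example (not part of this policy page or of Checkov) scans HCL text for azurerm_storage_account blocks and reports each one as PASSED only when account_replication_type is an explicit GRS, RAGRS, GZRS or RAGZRS literal. The regex-based block parsing, the constructed sample HCL and the case-insensitive comparison of the value are assumptions of this example.

```python
import re
# Replication types the policy accepts (from the rule description above).
RECOMMENDED_REPLICATION = {"GRS", "RAGRS", "GZRS", "RAGZRS"}
RESOURCE_RE = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*account_replication_type\s*=\s*"([^"]*)"', re.MULTILINE)

def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")

def check_storage_replication(hcl):
    """Map each azurerm_storage_account name to (status, replication type)."""
    results = {}
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the opening '{'
        attr = ATTR_RE.search(body)
        # A missing attribute or a non-literal value (e.g. var.x) cannot be
        # evaluated statically, so it is reported as FAILED with value None.
        value = attr.group(1).upper() if attr else None  # assumed case-insensitive
        status = "PASSED" if value in RECOMMENDED_REPLICATION else "FAILED"
        results[m.group(1)] = (status, value)
    return results

# Constructed sample: one compliant account, one LRS-only, one with no value.
SAMPLE_HCL = '''resource "azurerm_storage_account" "good" {
  name                     = "examplestoracc"
  account_replication_type = "RAGZRS"
  network_rules {
    default_action = "Deny"
  }
}
resource "azurerm_storage_account" "local_only" {
  account_replication_type = "LRS"
}
resource "azurerm_storage_account" "missing" {
}
'''

if __name__ == "__main__":
    for name, (status, value) in check_storage_replication(SAMPLE_HCL).items():
        print(f"{name}: {status} ({value})")
```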
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0713 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform |
| Checkov ID | CKV_AZURE_206 |