
Feature Request Modify Policy for Storage accounts should prevent cross tenant object replication

Open timmoh opened this issue 1 year ago • 3 comments

For the policy "Storage accounts should prevent cross tenant object replication" (Azure built-in policy definition), a Modify rule should exist.

There is no built-in policy at the moment.

Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because a customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, object replication can be configured only if both source and destination accounts are in the same Azure AD tenant.

timmoh, Oct 16 '24 07:10

@timmoh thanks for sharing, we'll investigate options and feedback.

Springstone, Oct 17 '24 06:10

This should work

{
  "properties": {
    "displayName": "Azure Storage Deploy Storage Cross Tenant Object Replication",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deploy config for Azure Storage Account Cross Tenant Object Replication. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "version": "1.0.0",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect Azure Storage",
          "description": "Enable or disable the execution of the policy Storage Cross Tenant Object Replication version Azure Storage"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      },
      "allowCrossTenantReplication": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Select Cross Tenant Object Replication Option",
          "description": "Select Storage Cross Tenant Object Replication"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": false
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
                "notEquals": "[parameters('allowCrossTenantReplication')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "deny",
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
              "value": "[parameters('allowCrossTenantReplication')]"
            }
          ]
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-Cross-Tenant-Replication",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Storage-Cross-Tenant-Replication"
}

timmoh, Oct 29 '24 12:10
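To see what the posted definition actually does to a request before assigning it, here is a small evaluator for the rule, as an added example (it is not Azure's policy engine and not code from the Enterprise-Scale repo). It resolves the "[parameters()]" expressions, evaluates the allOf/anyOf/equals/notEquals subset of the rule language the definition uses, and applies the addOrReplace operation to constructed sample request bodies, including the case where allowCrossTenantReplication is omitted entirely. Treating an absent property as "not equal" to the parameter value is an assumption of this toy evaluator, as are the sample resources.

```python
"""Toy evaluation of the Modify policy posted above (added example, not Azure's engine)."""
import copy

MISSING = object()  # sentinel for a property absent from the request body

# Constructed copy of the posted policyRule plus the parameter defaults.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [{
                "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
                "notEquals": "[parameters('allowCrossTenantReplication')]",
            }]},
        ]
    },
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "conflictEffect": "deny",
            "operations": [{
                "operation": "addOrReplace",
                "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
                "value": "[parameters('allowCrossTenantReplication')]",
            }],
        },
    },
}
PARAMS = {"effect": "Modify", "allowCrossTenantReplication": False}

# Constructed sample request bodies (assumption: shaped like a PUT on the resource).
SAMPLES = {
    "cross_tenant_allowed": {"type": "Microsoft.Storage/storageAccounts",
                             "properties": {"allowCrossTenantReplication": True}},
    "already_restricted": {"type": "Microsoft.Storage/storageAccounts",
                           "properties": {"allowCrossTenantReplication": False}},
    "property_omitted": {"type": "Microsoft.Storage/storageAccounts", "properties": {}},
    "not_a_storage_account": {"type": "Microsoft.KeyVault/vaults", "properties": {}},
}


def resolve(value, params):
    """Resolve a "[parameters('name')]" expression; any other value passes through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def get_field(resource, field):
    """Map a rule field to the request body: "type", or an alias whose last
    path segment is taken as the property name under "properties" (assumption)."""
    if field == "type":
        return resource.get("type", MISSING)
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop, MISSING)


def matches(cond, resource, params):
    """Evaluate the allOf/anyOf/equals/notEquals subset used by the rule."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = get_field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)  # MISSING != anything
    raise ValueError(f"unsupported condition: {cond}")


def apply_modify(resource, rule=POLICY_RULE, params=PARAMS):
    """Return (patched_resource, modified). The operation fires only when the
    condition matches and the effect parameter resolves to "Modify"."""
    if not matches(rule["if"], resource, params):
        return resource, False
    if resolve(rule["then"]["effect"], params) != "Modify":
        return resource, False
    patched = copy.deepcopy(resource)
    for op in rule["then"]["details"]["operations"]:
        if op["operation"] != "addOrReplace":
            raise ValueError(f"unsupported operation: {op['operation']}")
        prop = op["field"].rsplit("/", 1)[-1]
        patched.setdefault("properties", {})[prop] = resolve(op["value"], params)
    return patched, True


def evaluate_samples():
    """Run every sample through the rule: name -> (modified, resulting value or None)."""
    results = {}
    for name, resource in SAMPLES.items():
        patched, modified = apply_modify(resource)
        results[name] = (modified, patched.get("properties", {}).get("allowCrossTenantReplication"))
    return results


if __name__ == "__main__":
    for name, (modified, value) in evaluate_samples().items():
        print(f"{name:24s} modified={modified!s:5s} allowCrossTenantReplication={value!r}")
```

Two things to keep in mind when assigning it: a Modify assignment needs a managed identity that holds the role listed in roleDefinitionIds (Contributor here) at the assignment scope, and resources that already exist are only changed when a remediation task is run for the assignment.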

@timmoh if you would like to take a stab at contributing to the repo, you can get all the credit :D (submit to the next policy-refresh branch, not main). Otherwise, we'll incorporate your great contribution in our next refresh.

Springstone, Sep 10 '25 13:09