I have a ton of Azure storage accounts. I would like to prevent any of my users from replicating data to a storage account outside the subscription e.g. they can replicate to another region for the same environment but not a different account. Is there a clear way to do this?
Asked
Active
Viewed 54 times
0
-
What do you mean by replication here? The built in replication for Azure Storage only allows you to replicate to another region, so are you talking about some sort of manual copy by the user? ā Sam Cogan Feb 10 '21 at 09:10
-
I want to prevent a user from replicating data to a storage account that is under a different subscription. ā Jackson Feb 10 '21 at 22:14
-
In other words, Iām trying to prevent an inside threat from exhilarating data to their own personal blob storage. ā Jackson Feb 10 '21 at 22:14
1 Answers
1
The built in geo-replication in Azure only support replication to a secondary region in the same account, so this is not an avenue that could be used to egress data.
Given that, the scenario you are talking about is essentially a user downloading the data and then uploading to another storage account, or using something like AzCopy to move data from one account to another. There is nothing built into Azure that would prevent the user from doing that if they have the ability to download data from your storage account. There are some things you could look to do to minimise the risk:
- Only provide access to storage accounts to users who need them
- Do not provide users with access to storage account keys and instead use SaS tokens which are timebound and restricted to only the resources they need access to
- Use Privileged Identity Management to require elevation with approval for any user who must have access to the storage account in the Azure Portal or CLI
- Enrol your storage accounts in Azure Security centre to detect suspicious activity
- Restrict access to your storage account using IP restrictions to only allow access from specific locations
Sam Cogan
- 38,736
- 6
- 78
- 114