Azure Storage accounts are assessed for whether cross-tenant object replication is disallowed via AllowCrossTenantReplication=false, limiting replication policies to the same tenant.
Risk
Permitting cross-tenant replication can copy sensitive blobs into external tenants, undermining confidentiality. A compromised or mismanaged destination enables data exfiltration; mirrored updates/deletes can impact integrity and retention, complicating auditability and incident response.
prowler azure --checks storage_cross_tenant_replication_disabled
Recommendation
Enforce AllowCrossTenantReplication=false and keep replication within the same tenant. Apply least privilege and separation of duties for replication management, backed by policy-based governance to prevent drift. If cross-tenant transfer is required, use formal data-sharing controls, monitoring, and time-bound approvals.
Remediation
az storage account update --name <storage-account-name> --resource-group <resource-group> --allow-cross-tenant-replication false
- In the Azure portal, go to Storage accounts and open your storage account
- Under Data management, select Object replication
- Click Advanced settings
- Uncheck Allow cross-tenant replication
- Click OK/Save
- If the option is unavailable, delete any existing cross-tenant object replication policies first, then retry
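As an added example (not Prowler's own code), the following Python evaluates the same condition offline against a constructed sample shaped like `az storage account list -o json` output, passing only accounts with an explicit `allowCrossTenantReplication: false` and emitting the remediation command above for each failing account. The treatment of a missing/null value as a failure is an assumption made here, consistent with the check requiring the setting to be explicitly disallowed.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample, shaped like `az storage account list -o json` output
# (only the fields this check needs are included).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stprodlogs", "resourceGroup": "rg-prod", "allowCrossTenantReplication": false},
  {"name": "stsharedassets", "resourceGroup": "rg-shared", "allowCrossTenantReplication": true},
  {"name": "stlegacy", "resourceGroup": "rg-legacy", "allowCrossTenantReplication": null}
]
"""


def evaluate_account(account: dict[str, Any]) -> dict[str, str]:
    """Return a PASS/FAIL finding for one storage account.

    Only an explicit false satisfies the check: true permits replication
    policies whose destination lives in another tenant, and a missing/null
    value (assumption: treated as not enforced) leaves the account exposed
    until the setting is pinned.
    """
    name = account["name"]
    rg = account["resourceGroup"]
    value = account.get("allowCrossTenantReplication")
    if value is False:
        return {"account": name, "status": "PASS",
                "detail": f"{name} disallows cross-tenant object replication",
                "remediation": ""}
    reason = ("allows cross-tenant object replication" if value is True
              else "does not explicitly disallow cross-tenant object replication")
    return {
        "account": name, "status": "FAIL",
        "detail": f"{name} {reason}",
        "remediation": (f"az storage account update --name {name} "
                        f"--resource-group {rg} --allow-cross-tenant-replication false"),
    }


def evaluate_accounts(accounts_json: str) -> list[dict[str, str]]:
    """Evaluate every account in an `az storage account list` JSON document."""
    return [evaluate_account(a) for a in json.loads(accounts_json)]


if __name__ == "__main__":
    for finding in evaluate_accounts(SAMPLE_ACCOUNTS_JSON):
        print(f"{finding['status']:4} {finding['detail']}")
        if finding["remediation"]:
            print(f"     fix: {finding['remediation']}")
```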
Resource Type
microsoft.storage/storageaccounts