Checks whether Azure Storage accounts are configured for geo-redundant replication via Standard_GRS, Standard_GZRS, Standard_RAGRS, or Standard_RAGZRS.
The setting indicates data is copied to a paired secondary region, with RA-* allowing read access during primary-region unavailability.
Risk
Absent geo-replication, data resides in one region, undermining availability and durability during regional failures. Disasters can cause prolonged downtime or unrecoverable loss. With geo-replication but without RA-*, the secondary is unreadable, increasing RTO and interrupting business continuity.
prowler azure --checks storage_geo_redundant_enabled
Recommendation
Adopt GRS/GZRS for critical workloads (prefer Standard_GZRS where supported) to achieve cross-region resilience. If read continuity is required, use Standard_RAGRS or Standard_RAGZRS. Define RPO/RTO, regularly test failover, and design for defense in depth across regions and zones.
Remediation
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --sku Standard_GRS
- In the Azure portal, go to Storage accounts and open your storage account
- Under Data management, select Redundancy
- Change Redundancy to GRS, GZRS, RA-GRS, or RA-GZRS
- Click Save
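The check and the CLI remediation above can be combined into an offline audit of an account inventory. The following is an added example, not Prowler's own code: it classifies accounts by SKU name and prints an update command for the failing ones. The sample inventory is constructed (shaped like `az storage account list -o json` output), and the suggested target SKU mapping is an assumption of this example; confirm the target is supported for the account type and region before applying it.

```python
import json

# SKU names the check on this page treats as geo-redundant.
GEO_SKUS = {"Standard_GRS", "Standard_GZRS", "Standard_RAGRS", "Standard_RAGZRS"}
# The RA-* variants, whose secondary region is readable.
READ_ACCESS_SKUS = {"Standard_RAGRS", "Standard_RAGZRS"}
# Assumption of this example: suggest the geo SKU that keeps the current zone setting.
SUGGESTED_TARGET = {"Standard_LRS": "Standard_GRS", "Standard_ZRS": "Standard_GZRS"}

# Constructed sample inventory (account and resource group names are made up).
SAMPLE = json.loads("""[
  {"name": "logsprod",  "resourceGroup": "rg-ops",  "sku": {"name": "Standard_LRS"}},
  {"name": "webassets", "resourceGroup": "rg-web",  "sku": {"name": "Standard_ZRS"}},
  {"name": "backups",   "resourceGroup": "rg-ops",  "sku": {"name": "Standard_GRS"}},
  {"name": "ledger",    "resourceGroup": "rg-fin",  "sku": {"name": "Standard_RAGZRS"}},
  {"name": "fastdisk",  "resourceGroup": "rg-data", "sku": {"name": "Premium_LRS"}}
]""")


def audit(accounts):
    """Return one finding per account: status, a short note, and a fix command if any."""
    findings = []
    for acct in accounts:
        sku = (acct.get("sku") or {}).get("name", "")
        if sku in READ_ACCESS_SKUS:
            status, note = "PASS", "secondary region is readable"
        elif sku in GEO_SKUS:
            status, note = "PASS", "secondary is unreadable; review RTO"
        else:
            status, note = "FAIL", "data resides in one region"
        fix = None
        target = SUGGESTED_TARGET.get(sku)
        if status == "FAIL" and target:
            fix = (f"az storage account update --name {acct.get('name')} "
                   f"--resource-group {acct.get('resourceGroup')} --sku {target}")
        elif status == "FAIL":
            note += "; no target SKU suggested, review manually"
        findings.append({"name": acct.get("name"), "sku": sku,
                         "status": status, "note": note, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['status']:4} {f['name']:10} {f['sku']:16} {f['note']}")
        if f["fix"]:
            print(f"     {f['fix']}")
```
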
Resource Type
microsoft.storage/storageaccounts