Terraform Geo Replication Disabled
Description
Identifies Azure Storage Accounts configured with Locally Redundant Storage (LRS), which means geo-replication is disabled. Without geo-replication, data is not automatically replicated to a secondary region, increasing the risk of data loss during regional outages or disasters.
Detection Strategy
• Scans Terraform configuration files for Azure Storage Account resources
• Checks if the 'account_replication_type' attribute is explicitly set to 'LRS'
• Reports a vulnerability when Storage Accounts use local redundancy only, recommending enabling geo-replication for better disaster recovery
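The detection strategy above, worked through as an added Python example (not Fluid Attacks' scanner code): it scans constructed Terraform text for azurerm_storage_account blocks, reports the ones whose account_replication_type is the literal "LRS", and marks values it cannot resolve without running Terraform (such as a var.* reference) as unresolved rather than silently passing them.

```python
import re

# Constructed sample .tf text (not taken from the page or any real project):
# an LRS account, a GRS account, and one whose value is a variable reference.
SAMPLE_TF = '''
resource "azurerm_storage_account" "logs" {
  account_replication_type = "LRS"
  blob_properties { delete_retention_policy { days = 1 } }
}
resource "azurerm_storage_account" "backups" {
  account_replication_type = "GRS"  # geo-redundant
}
resource "azurerm_storage_account" "dynamic" {
  account_replication_type = var.replication_type
}
'''

RESOURCE_RE = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{')
# Captures the value up to an optional trailing "# comment" on the same line.
ATTR_RE = re.compile(r'^\s*account_replication_type\s*=\s*(\S.*?)\s*(?:#.*)?$', re.M)

def block_body(text, open_idx):
    """Return the text inside the block whose '{' sits at open_idx, tracking
    brace depth so nested blocks (blob_properties, ...) do not end it early."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform block")

def find_lrs_accounts(tf_text):
    """Map each azurerm_storage_account label to 'vulnerable' (literal "LRS",
    compared case-insensitively), 'ok' (any other literal) or 'unresolved'
    (an expression such as var.* that needs Terraform to evaluate)."""
    verdicts = {}
    for m in RESOURCE_RE.finditer(tf_text):
        attr = ATTR_RE.search(block_body(tf_text, m.end() - 1))
        if attr is None:
            continue  # attribute is required by the provider; nothing to judge
        raw = attr.group(1)
        if raw.startswith('"') and raw.endswith('"'):
            literal = raw.strip('"').upper()
            verdicts[m.group(1)] = "vulnerable" if literal == "LRS" else "ok"
        else:
            verdicts[m.group(1)] = "unresolved"
    return verdicts
```

Running find_lrs_accounts(SAMPLE_TF) flags only "logs"; the "dynamic" account comes back unresolved, which is the case a reviewer should follow up on manually or via terraform plan output.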
Vulnerable code example
resource "azurerm_storage_account" "vulnerable" {
  name                     = "mystorageaccount"
  resource_group_name      = "myresourcegroup"
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS" # Vulnerable: locally redundant only, no geo-replication
  blob_properties { # Vulnerable: setting delete retention to the minimum value increases data loss risk
    delete_retention_policy {
      ...
    }
  }
}
✅ Secure code example
resource "azurerm_storage_account" "secure" {
  name                      = "mystorageaccount"
  resource_group_name       = azurerm_resource_group.example.name # Reference the resource group dynamically
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS" # Geo-redundant storage replicates data to a secondary region for disaster recovery
  enable_https_traffic_only = true  # Enforce secure transfer
  ...
}