Storage Accounts outside Europe
Identify Storage Accounts outside of the following regions: northeurope, westeurope
Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.AS.01
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
StorageAccount should have region in('northeurope', 'westeurope', 'norwayeast', 'francecentral', 'swedencentral', 'germanywestcentral') and (secondaryRegion in('northeurope', 'westeurope', 'norwaywest', 'francesouth', 'swedensouth', 'germanynorth') or secondaryRegion isEmpty())
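The same check can be run outside CloudGuard against the JSON that `az storage account list -o json` returns. The following is an added example, not CloudGuard's or Check Point's code; the function names and the sample accounts are constructed for illustration, and it assumes the `name`, `location`, `primaryLocation` and `secondaryLocation` fields of that output:

```python
import json

# Allowed regions copied from the rule's GSL logic above.
ALLOWED_PRIMARY = {"northeurope", "westeurope", "norwayeast",
                   "francecentral", "swedencentral", "germanywestcentral"}
ALLOWED_SECONDARY = {"northeurope", "westeurope", "norwaywest",
                     "francesouth", "swedensouth", "germanynorth"}


def normalize(region):
    """Map display names such as 'North Europe' to the 'northeurope' form."""
    return (region or "").replace(" ", "").lower()


def violations(accounts):
    """Return (name, reason) for every account that fails the rule."""
    findings = []
    for acct in accounts:
        primary = normalize(acct.get("primaryLocation") or acct.get("location"))
        secondary = normalize(acct.get("secondaryLocation"))
        if primary not in ALLOWED_PRIMARY:
            findings.append((acct["name"], f"primary region {primary!r} not allowed"))
        elif secondary and secondary not in ALLOWED_SECONDARY:
            # Geo-replicated SKUs (GRS/RA-GRS) keep a copy in a secondary region;
            # an empty secondary (LRS/ZRS) passes, matching 'isEmpty()' in the rule.
            findings.append((acct["name"], f"secondary region {secondary!r} not allowed"))
    return findings


# Constructed sample in the shape of `az storage account list -o json` output.
# The last entry is artificial and only exercises the secondary-region branch.
SAMPLE = json.loads("""
[
  {"name": "stlogsneu", "primaryLocation": "northeurope", "secondaryLocation": "westeurope"},
  {"name": "stappweu", "primaryLocation": "westeurope", "secondaryLocation": null},
  {"name": "stbackupus", "primaryLocation": "eastus", "secondaryLocation": "westus"},
  {"name": "stlegacy", "location": "North Europe", "secondaryLocation": "eastus2"}
]
""")

if __name__ == "__main__":
    for name, reason in violations(SAMPLE):
        print(f"{name}: {reason}")
```

To audit a real subscription, replace `SAMPLE` with the parsed output of `az storage account list -o json`.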
REMEDIATION
From Portal
- Sign in to the Azure portal at https://portal.azure.com/.
- Go to Storage accounts and select Create.
- In the region tab, select northeurope/westeurope/norwayeast/francecentral/swedencentral/germanywestcentral.
- Fill other required details.
- Click Create.
From TF
Set the 'location' argument to 'North Europe' or any other Europe region:
resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = "North Europe"
  account_tier             = "Standard"
  account_replication_type = "GRS"
  tags = {
    environment = "staging"
  }
}
From Command Line
Run
az storage account create --name ACCOUNTNAME --resource-group RESOURCEGRP --location northeurope --sku Standard_RAGRS --kind StorageV2
References
- https://azure.microsoft.com/en-us/global-infrastructure/regions/#services
- https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
- https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure GDPR Readiness
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago