Prevention of replication in Azure blob storage

The built-in geo-replication in Azure only supports replication to a secondary region in the same account, so this is not an avenue that could be used to egress data.

Given that, the scenario you are talking about is essentially a user downloading the data and then uploading to another storage account, or using something like AzCopy to move data from one account to another. There is nothing built into Azure that would prevent the user from doing that if they have the ability to download data from your storage account. There are some things you could look to do to minimise the risk:

  • Only provide access to storage accounts to users who need them
  • Do not provide users with access to storage account keys and instead use SAS tokens which are time-bound and restricted to only the resources they need access to
  • Use Privileged Identity Management to require elevation with approval for any user who must have access to the storage account in the Azure Portal or CLI
  • Enrol your storage accounts in Azure Security Center to detect suspicious activity
  • Restrict access to your storage account using IP restrictions to only allow access from specific locations
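As an added example (not part of the answer above), the following Python script shows what the SAS-token bullet looks like in practice: it builds a service SAS scoped to a single blob that is read-only, expires in an hour, is limited to one source IP range and HTTPS only, using only the standard library (the string-to-sign layout is the documented service-SAS format for sv=2018-11-09). It then audits a SAS query string against those same constraints, so the check can be run over tokens you have already handed out. The account name, container, blob, IP range and key are constructed placeholders; the key is a made-up base64 value and the "loose" token is a hand-written account-style SAS used only to show what the audit flags.

```python
"""Least-privilege blob SAS: build one, then audit one (added example, not Azure code)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"  # 15-field string-to-sign format for service SAS

# Constructed demo values: a zero key (made up) and a fixed clock for reproducibility.
DEMO_KEY_B64 = base64.b64encode(b"\x00" * 32).decode()
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _fmt(t: datetime) -> str:
    # SAS timestamps are UTC, second precision, ISO 8601 with a trailing Z.
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_blob_sas(account: str, key_b64: str, container: str, blob: str,
                   expiry: datetime, permissions: str = "r",
                   ip_range: Optional[str] = None, https_only: bool = True,
                   start: Optional[datetime] = None) -> str:
    """Return the query string of a service SAS scoped to one blob.

    Grants only `permissions` (default read), only until `expiry`, only from
    `ip_range` (e.g. "203.0.113.0-203.0.113.255") when given, HTTPS only by default.
    """
    st = _fmt(start) if start else ""
    se = _fmt(expiry)
    sip = ip_range or ""
    spr = "https" if https_only else "https,http"
    canonical = f"/blob/{account}/{container}/{blob}"
    # sv=2018-11-09 order: sp, st, se, canonicalizedResource, si, sip, spr, sv,
    # sr, snapshot time, then rscc, rscd, rsce, rscl, rsct (all empty here).
    string_to_sign = "\n".join([permissions, st, se, canonical, "", sip, spr,
                                SAS_VERSION, "b", "", "", "", "", "", ""])
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                   hashlib.sha256).digest()
    params = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "se": se,
              "spr": spr, "sig": base64.b64encode(mac).decode()}
    if st:
        params["st"] = st
    if sip:
        params["sip"] = sip
    return urlencode(params)


def audit_sas(query: str, max_lifetime: timedelta = timedelta(hours=1),
              now: Optional[datetime] = None) -> List[str]:
    """Return the policy violations found in a SAS query string (empty if clean)."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(query).items()}
    findings = []
    if "se" not in q:
        findings.append("no expiry (se)")
    else:
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry - now > max_lifetime:
            findings.append(f"lifetime exceeds {max_lifetime}")
    # Anything beyond read/list lets the holder modify or delete data.
    extra = set(q.get("sp", "")) - set("rl")
    if extra:
        findings.append(f"write-class permissions granted: {''.join(sorted(extra))}")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    if q.get("spr") != "https":
        findings.append("plain HTTP allowed (spr)")
    if "sr" not in q:
        findings.append("not scoped to a container or blob (sr)")
    return findings


def demo() -> dict:
    """Build a tight token and audit it beside a deliberately loose account SAS."""
    tight = build_blob_sas("examplestorage", DEMO_KEY_B64, "reports", "q1.csv",
                           expiry=DEMO_NOW + timedelta(hours=1),
                           ip_range="203.0.113.0-203.0.113.255")
    # Constructed account-style SAS: all permissions, years-long, no IP/protocol limit.
    loose = "sv=2018-11-09&ss=b&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&sig=placeholder"
    return {"tight_query": tight,
            "tight": audit_sas(tight, now=DEMO_NOW),
            "loose": audit_sas(loose, now=DEMO_NOW)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Running the audit over tokens found in tickets, scripts or logs is a quick way to spot the ones that contradict the bullets above (long-lived, writable, unrestricted by IP); a token that passes still only limits what the holder can do, not whether they can copy what they are allowed to read.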