More Info:

Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled, to allow you to restore your PostgreSQL servers to a different Azure region in the event of a regional outage or a disaster.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of not having Geo-Redundant Backups enabled in Azure, follow these step-by-step instructions:
  1. Log in to the Azure portal at https://portal.azure.com/.
  2. Navigate to the resource group that contains the storage account you want to remediate.
  3. Select the storage account from the list of resources.
  4. In the left-hand menu, click on “Backup”.
  5. In the “Backup” menu, click on “Backup policy”.
  6. Click on “Edit”.
  7. In the “Policy details” section, select “Geo-redundant” from the “Replication” drop-down menu.
  8. Click on “Save”.
After completing these steps, Geo-Redundant Backups will be enabled for the selected storage account. It is recommended to regularly review and update backup policies to ensure that they align with your business continuity and disaster recovery requirements.

To remediate the misconfiguration of not having Geo-Redundant Backups enabled in Azure using Azure CLI, you can follow these steps:
  1. Open the Azure CLI command prompt or terminal.
  2. Login to your Azure account using the command: 
    az login
  3. Once you are logged in, set the target subscription using the command: 
    az account set --subscription <subscription_id>
  4. Next, enable Geo-Redundant Backups for the desired resource group using the command: 
    az backup vault backup-properties set --backup-management-type AzureIaasVM --resource-group <resource_group_name> --vault-name <vault_name> --backup-storage-redundancy GeoRedundant
    Here, replace <resource_group_name> with the name of the resource group where the backup vault is located and <vault_name> with the name of the backup vault.
  5. Verify the backup properties using the command: 
    az backup vault backup-properties show --backup-management-type AzureIaasVM --resource-group <resource_group_name> --vault-name <vault_name>
    This command will display the backup properties for the specified backup vault.
  6. Once you have verified that Geo-Redundant Backups have been enabled, you can exit the Azure CLI using the command: 
    exit
With these steps, you should be able to remediate the misconfiguration of not having Geo-Redundant Backups enabled in Azure using Azure CLI.
To remediate the misconfiguration of not having Geo-Redundant Backups enabled in Azure using Python, you can use the Azure SDK for Python. Here are the step-by-step instructions:
  1. Install the Azure SDK for Python using pip:
pip install azure-mgmt-recoveryservicesbackup
  1. Import the necessary modules:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.recoveryservicesbackup import RecoveryServicesBackupClient
from azure.mgmt.recoveryservicesbackup.models import ProtectionIntent
  1. Set up the authentication credentials using a service principal:
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)
  1. Instantiate the RecoveryServicesBackupClient using the authentication credentials:
client = RecoveryServicesBackupClient(credentials, '<subscription_id>')
  1. Get the list of protection intents:
protection_intents = client.protection_intents.list()
  1. Check if Geo-Redundant Backups are enabled for each protection intent:
for protection_intent in protection_intents:
    if protection_intent.properties.backup_management_type == 'AzureIaasVM':
        if not protection_intent.properties.is_geo_redundant:
            # Enable Geo-Redundant Backups
            protection_intent.properties.is_geo_redundant = True
            client.protection_intents.create_or_update(
                protection_intent.name,
                protection_intent
            )
  1. Save the changes by calling create_or_update on each protection intent that had Geo-Redundant Backups enabled.
That’s it! With these steps, you can remediate the misconfiguration of not having Geo-Redundant Backups enabled in Azure using Python.