🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: Storage account logging (Classic Diagnostic Setting) for queues should be enabled

Description

Storage Logging records details of requests (read, write, and delete operations) against your Azure queues. This policy identifies Azure storage accounts that do not have logging enabled for queues. As a best practice, enable logging for read, write, and delete request types on queues.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_queues_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_queues_logging_enabled --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when lower(sa.sku_tier) = 'standard'
    and (queue_logging_write and queue_logging_read and queue_logging_delete) then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(sa.sku_tier) = 'standard'
    and (queue_logging_write and queue_logging_read and queue_logging_delete)
      then sa.name || ' storage account logging for queues is enabled.'
    else sa.name || ' storage account logging for queues is disabled for ' ||
      concat_ws(', ',
        case when not queue_logging_write then 'write' end,
        case when not queue_logging_read then 'read' end,
        case when not queue_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;

Tags

service = Azure/Storage