🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests

Description

Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis.

Storage Analytics logging is not enabled by default for your storage account.

Remediation

From Azure Portal

  1. From the default portal page select Storage Accounts.
  2. Select the specific Storage Account.
  3. Click the Diagnostics settings under the Monitoring section in the left column.
  4. Select the 'table' tab indented below the storage account.
  5. Click '+ Add diagnostic setting'.
  6. Select StorageRead, StorageWrite and StorageDelete options under the Logging section to enable Storage Logging for Table service.
  7. Select a destination for your logs to be sent to.

From Azure CLI

Use the below command to enable the Storage Logging for Table service.

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services t --log rwd --retention 90

Default Value

By default, storage account table service logging is disabled for read, write, an delete operations

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_3_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_3_14 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when table_logging_write and table_logging_read and table_logging_delete then 'ok'
    else 'alarm'
  end as status,
  case
    when table_logging_write and table_logging_read and table_logging_delete
      then sa.name || ' table service logging enabled for read, write, delete requests.'
    else sa.name || ' table service logging not enabled for: ' ||
      concat_ws(', ',
        case when not table_logging_write then 'write' end,
        case when not table_logging_read then 'read' end,
        case when not table_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account as sa,
  azure_subscription as sub
where
  sub.subscription_id = sa.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 3.14
cis_level = 2
cis_section_id = 3
cis_type = automated
cis_version = v2.0.0
plugin = azure
service = Azure/Storage