🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: 4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Description

The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.

Storage Analytics logging is not enabled by default for your storage account.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account, under Monitoring, click Diagnostics settings.
  3. Select the queue tab indented below the storage account.
  4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
  5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
  6. Select an appropriate destination.
  7. Click Save.

From Azure CLI

Use the below command to enable the Storage Logging for Queue service.

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90

Default Value

By default storage account queue services are not logged.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_4_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_4_12 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when queue_logging_read and queue_logging_write and queue_logging_delete then 'ok'
    else 'alarm'
  end as status,
  case
    when queue_logging_read and queue_logging_write and queue_logging_delete
      then sa.name || ' queue service logging enabled for read, write, delete requests.'
    else sa.name || ' queue service logging not enabled for: ' ||
      concat_ws(', ',
        case when not queue_logging_write then 'write' end,
        case when not queue_logging_read then 'read' end,
        case when not queue_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 4.12
cis_level = 2
cis_section_id = 4
cis_type = automated
cis_version = v3.0.0
plugin = azure
service = Azure/Storage