Control: Storage account logging (Classic Diagnostic Setting) for blobs should be enabled
Description
Storage Logging records details of requests (read, write, and delete operations) against your Azure blobs. This policy identifies Azure storage accounts that do not have logging enabled for blobs. As a best practice, enable logging for read, write, and delete request types on blobs.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_account_blobs_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.storage_account_blobs_logging_enabled --share
SQL
This control uses a named query:
select
  sa.id as resource,
  case
    when lower(sa.sku_tier) = 'standard'
      and (
        not (sa.blob_service_logging ->> 'Read') :: boolean
        or not (sa.blob_service_logging ->> 'Write') :: boolean
        or not (sa.blob_service_logging ->> 'Delete') :: boolean
      ) then 'alarm'
    else 'ok'
  end as status,
  case
    when lower(sa.sku_tier) = 'standard'
      and (
        not (sa.blob_service_logging ->> 'Read') :: boolean
        or not (sa.blob_service_logging ->> 'Write') :: boolean
        or not (sa.blob_service_logging ->> 'Delete') :: boolean
      ) then name || ' storage account logging for blobs is disabled for ' || concat_ws(', ',
        case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,
        case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,
        case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end
      ) || ' requests.'
    else name || ' storage account logging for blobs is enabled.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
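As an added example (not code from the azure_compliance mod or from Powerpipe), the control's status and reason logic re-implemented in Python so it can be run offline against constructed storage account records shaped like the azure_storage_account rows the query reads; the account ids, names and logging values below are made up for illustration. It mirrors the query's SQL three-valued logic, so an account whose blob_service_logging has no Read/Write/Delete entries evaluates to 'ok' rather than 'alarm', which is worth remembering when interpreting the control's output.

```python
# Added example: the control's evaluation logic in Python, run over constructed
# records. Not part of the azure_compliance mod; field names follow the SQL above.
import json

# Constructed sample rows (ids and names are placeholders, not real accounts).
SAMPLE_ACCOUNTS = [
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stlogsok",
     "name": "stlogsok", "sku_tier": "Standard",
     "blob_service_logging": {"Read": True, "Write": True, "Delete": True}},
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stpartial",
     "name": "stpartial", "sku_tier": "Standard",
     "blob_service_logging": {"Read": False, "Write": True, "Delete": False}},
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stpremium",
     "name": "stpremium", "sku_tier": "Premium",
     "blob_service_logging": {"Read": False, "Write": False, "Delete": False}},
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stmissing",
     "name": "stmissing", "sku_tier": "Standard",
     "blob_service_logging": {}},
]


def _not_logged(logging, key):
    """Mirror `not (blob_service_logging ->> key)::boolean`; SQL NULL becomes None."""
    if logging is None or key not in logging or logging[key] is None:
        return None
    return not bool(logging[key])


def _sql_or(*values):
    """SQL three-valued OR: True if any True, else None if any NULL, else False."""
    if any(v is True for v in values):
        return True
    if any(v is None for v in values):
        return None
    return False


def evaluate(account):
    """Return the control's resource/status/reason row for one account record."""
    logging = account.get("blob_service_logging")
    is_standard = (account.get("sku_tier") or "").lower() == "standard"
    disabled = {key: _not_logged(logging, key) for key in ("Read", "Write", "Delete")}
    any_disabled = _sql_or(*disabled.values())

    # CASE WHEN only fires on a definite TRUE; a NULL condition falls through to ELSE.
    if is_standard and any_disabled is True:
        # concat_ws skips NULLs and keeps the query's write, read, delete order.
        labels = [label for key, label in (("Write", "write"), ("Read", "read"), ("Delete", "delete"))
                  if disabled[key] is True]
        status = "alarm"
        reason = (f"{account['name']} storage account logging for blobs is disabled for "
                  f"{', '.join(labels)} requests.")
    else:
        status = "ok"
        reason = f"{account['name']} storage account logging for blobs is enabled."
    return {"resource": account["id"], "status": status, "reason": reason}


def run_control(accounts):
    """Evaluate every account, as the control does for every row of the table."""
    return [evaluate(account) for account in accounts]


def alarm_count(accounts):
    """Number of accounts the control would flag."""
    return sum(1 for row in run_control(accounts) if row["status"] == "alarm")


if __name__ == "__main__":
    print(json.dumps(run_control(SAMPLE_ACCOUNTS), indent=2))
```

Running the block prints one row per sample account. Only stpartial is flagged: the Premium account is skipped by the sku_tier check, and the account with no logging entries at all produces a NULL condition and is reported as 'ok', so a separate check is needed if you want missing logging configuration to surface as a finding.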