🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: Storage account logging (Classic Diagnostic Setting) for tables should be enabled

Description

Storage Logging records details of requests (read, write, and delete operations) against your Azure tables. This policy identifies Azure storage accounts that do not have logging enabled for tables. As a best practice, enable logging for read, write, and delete request types on tables.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_tables_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_tables_logging_enabled --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when lower(sa.sku_tier) = 'standard'
    and (table_logging_write and table_logging_read and table_logging_delete) then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(sa.sku_tier) = 'standard'
    and (table_logging_write and table_logging_read and table_logging_delete)
      then sa.name || ' storage account logging for tables is enabled.'
    else sa.name || ' storage account logging for tables is disabled for ' ||
      concat_ws(', ',
        case when not table_logging_write then 'write' end,
        case when not table_logging_read then 'read' end,
        case when not table_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;

Tags

service = Azure/Storage