Control: Ensure classic logging is enabled for Azure Blob service
Description
This control verifies that classic logging (Storage Analytics logging) is enabled for the Azure Blob service. Classic logging records read, write, and delete requests against the blob service and writes the log entries to the $logs container of the same storage account, where they can be used for auditing and troubleshooting. Azure Monitor diagnostic settings are the recommended approach for newer resources, but some legacy environments still rely on classic logging for operational visibility, so the control alarms when any of the three request types (read, write, delete) is not being logged. Premium StorageV2 and FileStorage accounts are skipped, since the check does not apply to them.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_account_blob_service_classic_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.storage_account_blob_service_classic_logging_enabled --share
SQL
This control uses a named query:
select
  sa.id as resource,
  case
    when lower(sa.sku_tier) = 'premium' and sa.kind in ('StorageV2', 'FileStorage') then 'skip'
    when not (sa.blob_service_logging ->> 'Read') :: boolean
      or not (sa.blob_service_logging ->> 'Write') :: boolean
      or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm'
    else 'ok'
  end as status,
  case
    when lower(sa.sku_tier) = 'premium' and sa.kind in ('StorageV2', 'FileStorage')
      then sa.name || ' is premium ' || sa.kind || ' storage account.'
    when not (sa.blob_service_logging ->> 'Read') :: boolean
      or not (sa.blob_service_logging ->> 'Write') :: boolean
      or not (sa.blob_service_logging ->> 'Delete') :: boolean
      then sa.name || ' blob service logging not enabled for ' || concat_ws(', ',
        case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,
        case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,
        case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end
      ) || ' requests.'
    else sa.name || ' blob service logging enabled for read, write, delete requests.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
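The following is an added example, not part of the azure_compliance mod or the Steampipe plugin: it re-implements the query's case logic in Python so the skip / alarm / ok verdicts and the reason strings can be exercised offline against constructed rows shaped like the azure_storage_account columns the query reads (name, kind, sku_tier, blob_service_logging). The sample rows are made up; the helper names (evaluate, run_control, remediation_command) are this example's own; the remediation string uses the documented `az storage logging update` flags (--services b, --log rwd, --retention).

```python
"""Offline evaluation of the classic blob logging control over constructed rows."""
import json

# Constructed sample rows (not real accounts). blob_service_logging mirrors the
# Steampipe column: a JSON object with Read / Write / Delete booleans.
SAMPLE_ROWS = [
    {"name": "stlogsok", "kind": "StorageV2", "sku_tier": "Standard",
     "blob_service_logging": {"Read": True, "Write": True, "Delete": True,
                              "RetentionPolicy": {"Enabled": True, "Days": 90},
                              "Version": "1.0"}},
    {"name": "stpartial", "kind": "Storage", "sku_tier": "Standard",
     "blob_service_logging": {"Read": True, "Write": False, "Delete": False,
                              "RetentionPolicy": {"Enabled": False},
                              "Version": "1.0"}},
    {"name": "stpremium", "kind": "FileStorage", "sku_tier": "Premium",
     "blob_service_logging": {"Read": False, "Write": False, "Delete": False}},
    # Column absent entirely: the SQL's `not NULL::boolean` is NULL and falls
    # through to 'ok'; this example treats a missing key as not enabled.
    {"name": "stnolog", "kind": "StorageV2", "sku_tier": "Standard",
     "blob_service_logging": None},
]

# Same order as the query's concat_ws(): write, read, delete.
OPS = ("Write", "Read", "Delete")


def evaluate(row):
    """Return (status, reason) for one storage-account row, as the query does."""
    premium = row["sku_tier"].lower() == "premium"
    if premium and row["kind"] in ("StorageV2", "FileStorage"):
        return "skip", f"{row['name']} is premium {row['kind']} storage account."
    logging = row.get("blob_service_logging") or {}
    missing = [op.lower() for op in OPS if not logging.get(op)]
    if missing:
        return ("alarm",
                f"{row['name']} blob service logging not enabled for "
                f"{', '.join(missing)} requests.")
    return ("ok",
            f"{row['name']} blob service logging enabled for read, write, delete requests.")


def remediation_command(row, retention_days=90):
    """Azure CLI command that turns on read/write/delete classic logging for
    the blob service of the given account (retention_days is an assumption;
    pick what your audit policy requires)."""
    return (f"az storage logging update --services b --log rwd "
            f"--retention {retention_days} --account-name {row['name']}")


def run_control(rows):
    """Evaluate every row; attach a remediation hint to alarms."""
    results = []
    for row in rows:
        status, reason = evaluate(row)
        result = {"resource": row["name"], "status": status, "reason": reason}
        if status == "alarm":
            result["remediation"] = remediation_command(row)
        results.append(result)
    return results


if __name__ == "__main__":
    print(json.dumps(run_control(SAMPLE_ROWS), indent=2))
```

Running the block prints one result object per sample row; the stpartial and stnolog rows alarm and carry the `az storage logging update` command, stpremium is skipped, and stlogsok passes. To compare against a live account, `az storage logging show --services b --account-name <name>` returns the same read/write/delete flags the evaluate() function keys on.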