turbot/steampipe-mod-azure-compliance

Control: Ensure classic logging is enabled for Azure Blob service

Description

This control verifies that classic logging is enabled for the Azure Blob service. Classic logging captures read, write, and delete operations and stores them in a storage account for auditing and troubleshooting. While Azure Monitor diagnostic settings are the recommended approach for newer resources, some legacy environments may still rely on classic logging for operational visibility.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_blob_service_classic_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_blob_service_classic_logging_enabled --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    -- premium StorageV2 / FileStorage accounts are out of scope for this control
    when lower(sa.sku_tier) = 'premium' and sa.kind in ('StorageV2', 'FileStorage') then 'skip'
    -- alarm when any of the three request classes is not being logged
    when not (sa.blob_service_logging ->> 'Read') :: boolean
      or not (sa.blob_service_logging ->> 'Write') :: boolean
      or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm'
    -- note: if blob_service_logging is null, the checks above evaluate to null and the row falls through to 'ok'
    else 'ok'
  end as status,
  case
    when lower(sa.sku_tier) = 'premium' and sa.kind in ('StorageV2', 'FileStorage') then sa.name || ' is premium ' || sa.kind || ' storage account.'
    when not (sa.blob_service_logging ->> 'Read') :: boolean
      or not (sa.blob_service_logging ->> 'Write') :: boolean
      or not (sa.blob_service_logging ->> 'Delete') :: boolean then sa.name || ' blob service logging not enabled for ' ||
      -- list only the request classes that are missing, e.g. "write, delete"
      concat_ws(', ',
        case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,
        case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,
        case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end
      ) || ' requests.'
    else sa.name || ' blob service logging enabled for read, write, delete requests.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
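To see how the control classifies accounts without an Azure connection, here is an added example (not part of the mod) that runs the same case logic over constructed rows in a CTE named sample_storage_account; the strict_status column is an assumed variant that treats a missing logging record as a failure rather than passing it, and is not how the mod behaves.

```sql
-- Added example, not the mod's own query: constructed rows that mimic the
-- azure_storage_account columns used by the control. Runs in any PostgreSQL client.
with sample_storage_account (id, name, sku_tier, kind, blob_service_logging) as (
  values
    ('/sa/all-on',    'allon',   'Standard', 'StorageV2',   '{"Read": true,  "Write": true,  "Delete": true}'::jsonb),
    ('/sa/no-delete', 'nodel',   'Standard', 'StorageV2',   '{"Read": true,  "Write": true,  "Delete": false}'::jsonb),
    ('/sa/none',      'none',    'Standard', 'BlobStorage', '{"Read": false, "Write": false, "Delete": false}'::jsonb),
    ('/sa/premium',   'prem',    'Premium',  'FileStorage', '{"Read": false, "Write": false, "Delete": false}'::jsonb),
    ('/sa/unknown',   'unknown', 'Standard', 'StorageV2',   null) -- logging state not returned
)
select
  sa.id as resource,
  -- same classification as the control's named query
  case
    when lower(sa.sku_tier) = 'premium' and sa.kind in ('StorageV2', 'FileStorage') then 'skip'
    when not (sa.blob_service_logging ->> 'Read') :: boolean
      or not (sa.blob_service_logging ->> 'Write') :: boolean
      or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm'
    else 'ok'
  end as status,
  -- which request classes are missing, as the control's reason string reports them
  concat_ws(', ',
    case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,
    case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,
    case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end
  ) as missing_logging,
  -- assumed stricter variant: coalesce null logging data to false so the
  -- '/sa/unknown' row alarms instead of falling through to 'ok'
  case
    when lower(sa.sku_tier) = 'premium' and sa.kind in ('StorageV2', 'FileStorage') then 'skip'
    when not coalesce((sa.blob_service_logging ->> 'Read') :: boolean, false)
      or not coalesce((sa.blob_service_logging ->> 'Write') :: boolean, false)
      or not coalesce((sa.blob_service_logging ->> 'Delete') :: boolean, false) then 'alarm'
    else 'ok'
  end as strict_status
from
  sample_storage_account sa
order by sa.id;
```

Expected rows: all-on is ok under both columns, no-delete alarms with "delete", none alarms with "write, read, delete", premium is skipped, and unknown is ok under status but alarm under strict_status.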

Tags