turbot/steampipe-mod-azure-compliance

Control: Ensure classic logging is enabled for Azure Queue service

Description

This control ensures that classic logging is enabled for the Azure Queue service. It validates whether operations such as enqueue, dequeue, and delete are being captured via the legacy storage logging mechanism. This is especially relevant for older deployments where diagnostic settings are not configured. The query below passes an account only when logging is on for read, write, and delete requests, and it skips premium storage accounts.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_queue_service_classic_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_queue_service_classic_logging_enabled --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when lower(sku_tier) = 'premium' then 'skip'
    when queue_logging_read and queue_logging_write and queue_logging_delete then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(sku_tier) = 'premium' then sa.name || ' is premium ' || kind || ' storage account.'
    when queue_logging_read and queue_logging_write and queue_logging_delete
      then sa.name || ' queue service logging enabled for read, write, delete requests.'
    else sa.name || ' queue service logging not enabled for: ' ||
      concat_ws(', ',
        case when not queue_logging_write then 'write' end,
        case when not queue_logging_read then 'read' end,
        case when not queue_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
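
The following triage query is an added example, not part of the mod. It lists only the accounts the control would put in alarm and shows the state of each operation separately. It uses only the tables and columns that appear in the control query above, and it assumes a logging column may be NULL when the setting was not returned for an account, a case the control's reason text would leave blank.

```sql
-- Added example (not the mod's own query): per-operation view of the
-- storage accounts that the control reports as 'alarm'.
select
  sa.name,
  sa.resource_group,
  sub.display_name as subscription,
  sa.kind,
  -- Three states per operation. 'unknown' covers a NULL column
  -- (assumption: the setting was not returned for this account).
  case
    when sa.queue_logging_read is null then 'unknown'
    when sa.queue_logging_read then 'on'
    else 'off'
  end as read_logging,
  case
    when sa.queue_logging_write is null then 'unknown'
    when sa.queue_logging_write then 'on'
    else 'off'
  end as write_logging,
  case
    when sa.queue_logging_delete is null then 'unknown'
    when sa.queue_logging_delete then 'on'
    else 'off'
  end as delete_logging
from
  azure_storage_account sa
  join azure_subscription sub
    on sub.subscription_id = sa.subscription_id
where
  -- Same exclusion as the control's 'skip' branch; IS DISTINCT FROM keeps
  -- accounts whose sku_tier is NULL, as the control does.
  lower(sa.sku_tier) is distinct from 'premium'
  -- Same pass condition as the control's 'ok' branch, negated, with NULL
  -- treated as "not enabled" so those rows are not silently dropped.
  and not (
    coalesce(sa.queue_logging_read, false)
    and coalesce(sa.queue_logging_write, false)
    and coalesce(sa.queue_logging_delete, false)
  )
order by
  subscription,
  sa.resource_group,
  sa.name;
```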

Tags