turbot/steampipe-mod-azure-compliance

Control: Ensure classic logging is enabled for Azure Table service

Description

This control checks that classic logging is enabled for the Azure Table service. Classic logging provides auditing for read, write, and delete actions by recording them in the associated storage logs. This is important in legacy scenarios where diagnostic settings are not yet in place.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_table_service_classic_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_table_service_classic_logging_enabled --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when lower(sku_tier) = 'premium' then 'skip'
    when table_logging_write and table_logging_read and table_logging_delete then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(sku_tier) = 'premium' then sa.name || ' is premium ' || kind || ' storage account.'
    when table_logging_write and table_logging_read and table_logging_delete
      then sa.name || ' table service logging enabled for read, write, delete requests.'
    else sa.name || ' table service logging not enabled for: ' ||
      concat_ws(', ',
        case when not table_logging_write then 'write' end,
        case when not table_logging_read then 'read' end,
        case when not table_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account as sa,
  azure_subscription as sub
where
  sub.subscription_id = sa.subscription_id;
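The following is an added example and not part of the turbot/steampipe-mod-azure-compliance mod. It replays the control's status and reason logic over constructed rows so each branch can be checked on plain PostgreSQL without Azure credentials. The two CTEs shadow the Steampipe tables `azure_storage_account` and `azure_subscription` and carry only the columns the control reads; every id, account name, resource group and subscription value is made up.

```sql
-- Added example (not the mod's own code): exercise the control's
-- status/reason logic against constructed rows on plain PostgreSQL.
-- All identifiers below are placeholders, not real Azure resources.
with azure_storage_account (
  id, name, kind, sku_tier, resource_group, subscription_id,
  table_logging_read, table_logging_write, table_logging_delete
) as (
  values
    -- all three request types logged: exercises the 'ok' branch
    ('/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/saallon',
     'saallon', 'StorageV2', 'Standard', 'rg-demo',
     '00000000-0000-0000-0000-000000000000', true, true, true),
    -- premium tier: exercises the 'skip' branch regardless of logging flags
    ('/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/saprem',
     'saprem', 'BlockBlobStorage', 'Premium', 'rg-demo',
     '00000000-0000-0000-0000-000000000000', false, false, false),
    -- read logging disabled: exercises the 'alarm' branch with a named gap
    ('/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/sapartial',
     'sapartial', 'StorageV2', 'Standard', 'rg-demo',
     '00000000-0000-0000-0000-000000000000', false, true, true),
    -- logging flags unknown (NULL): exercises the fall-through behaviour
    ('/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/saunknown',
     'saunknown', 'Storage', 'Standard', 'rg-demo',
     '00000000-0000-0000-0000-000000000000', null, null, null)
),
azure_subscription (subscription_id, display_name) as (
  values ('00000000-0000-0000-0000-000000000000', 'Demo Subscription (constructed)')
)
-- the control's query, unchanged apart from the deterministic ordering
select
  sa.id as resource,
  case
    when lower(sku_tier) = 'premium' then 'skip'
    when table_logging_write and table_logging_read and table_logging_delete then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(sku_tier) = 'premium' then sa.name || ' is premium ' || kind || ' storage account.'
    when table_logging_write and table_logging_read and table_logging_delete
      then sa.name || ' table service logging enabled for read, write, delete requests.'
    else sa.name || ' table service logging not enabled for: ' ||
      concat_ws(', ',
        case when not table_logging_write then 'write' end,
        case when not table_logging_read then 'read' end,
        case when not table_logging_delete then 'delete' end
      ) || ' requests.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account as sa,
  azure_subscription as sub
where
  sub.subscription_id = sa.subscription_id
order by
  sa.name;
```

Run it with psql or any PostgreSQL client. The last row documents a caveat in the control as written: when the three logging columns are NULL (for example, when the table service properties could not be read), `NULL and true` evaluates to NULL, so the account lands in `alarm` rather than `ok` or `skip`, and because each `case when not NULL` yields NULL that `concat_ws` drops, the reason names no request types. That is the safe direction for a compliance check, but it means an empty list in the reason should be read as "logging state unknown" rather than "nothing missing".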

Tags