Azure storage account logging for queues is disabled
Description
The Azure Queue Storage service stores messages that may be read by any client with access to the storage account. A queue may contain an unlimited number of messages, each of which can be up to 64KB in size when using version 2011-08-18 or newer. Storage Logging takes place server-side recording details in the storage account for both successful and failed requests. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information, for example start time, end-to-end latency, server latency, authentication details, concurrency information, and the size of request and response messages. Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.
Code Example
resource "azurerm_storage_account" "example" {
name = "example"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
queue_properties {
+ logging {
delete = true
read = true
write = true
version = "1.0"
retention_policy_days = 10
}
}
}Remediation
- Azure Portal To change the policy using the Azure Portal, follow these steps:*
. Log in to the Azure Portal at https://portal.azure.com.
. Navigate to * Storage Accounts*.
. Select the specific * Storage Account*.
. From the * Monitoring* (classic) section, select the * Diagnostics logs* (classic) blade.
. Set the * Status* to * On*.
. Select * Queue properties*.
. Navigate to the * Logging* section to enable * Storage Logging for Queue service*.
. Select * Read*, * Write* and * Delete* options.
- CLI Command*
To enable the * Storage Logging for Queue service*, use the following command: `az storage logging update --account-name & lt;storageAccountName> --account-key & lt;storageAccountKey> --services q --log rwd --retention 90 ` === Fix - Buildtime
Terraform
- Resource: azurerm_storage_account
- Arguments: logging + hour_metrics + minute_metrics
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0544 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_33 |