Ensure that Application Service Logs are Enabled for Containerized Function Apps

Application Service Logging gathers STDOUT (the command's normal output) and STDERR (error messages) from the container. The output logs are saved via FTP/FTPS and can be viewed at the configured endpoint.

Risk Level: Low
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.LOG.11
Covered by Spectral: No
Category: Compute

GSL LOGIC

FunctionApp should have config.httpLoggingEnabled=true
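
The same check can be run offline over an exported inventory. The script below is an added example, not CloudGuard's own rule engine or code from this page. It assumes each record merges the app's 'kind' with its site configuration (the 'linuxFxVersion' and 'httpLoggingEnabled' properties), scopes the check to containerized apps as the rule title does, and uses constructed sample data:

```python
import json

# Constructed inventory (not real resources). Each record merges the app's
# `kind` with its site config; the merged shape is an assumption of this example.
SAMPLE_INVENTORY = json.loads("""
[
 {"name": "orders-fn", "kind": "functionapp,linux,container",
  "config": {"linuxFxVersion": "DOCKER|registry.example/orders:1.4", "httpLoggingEnabled": true}},
 {"name": "billing-fn", "kind": "functionapp,linux,container",
  "config": {"linuxFxVersion": "DOCKER|registry.example/billing:2.0", "httpLoggingEnabled": false}},
 {"name": "legacy-fn", "kind": "functionapp,linux",
  "config": {"linuxFxVersion": "DOCKER|registry.example/legacy:0.9"}},
 {"name": "code-fn", "kind": "functionapp,linux",
  "config": {"linuxFxVersion": "PYTHON|3.11", "httpLoggingEnabled": false}},
 {"name": "unread-fn", "kind": "functionapp,linux,container", "config": null}
]
""")


def is_containerized(app):
    """Container apps carry 'container' in kind or a DOCKER| runtime string."""
    kinds = (app.get("kind") or "").lower().split(",")
    fx = ((app.get("config") or {}).get("linuxFxVersion") or "").upper()
    return "container" in kinds or fx.startswith("DOCKER|")


def evaluate(app):
    """Return (status, reason) for the httpLoggingEnabled=true check."""
    if not is_containerized(app):
        return ("not_applicable", "not a containerized function app")
    config = app.get("config")
    if not isinstance(config, dict):
        return ("fail", "site config unavailable, treated as non-compliant")
    value = config.get("httpLoggingEnabled")
    if value is True:
        return ("pass", "httpLoggingEnabled is true")
    # Missing, null, false or a non-boolean such as "true" all fail closed.
    return ("fail", f"httpLoggingEnabled is {value!r}")


def audit(inventory):
    """Map each app name to its (status, reason) result."""
    return {app["name"]: evaluate(app) for app in inventory}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{status:<15}{name:<12}{reason}")
```

An app whose configuration could not be read is reported as a failure rather than skipped, so a gap in the export does not hide a non-compliant app.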

REMEDIATION

From Portal

  1. Sign in to the Azure portal and navigate to 'Function App'.
  2. Click the name of the Function App you want to examine.
  3. In the navigation panel, under 'Monitoring', select 'App service logs'.
  4. Make sure this feature is enabled.

From TF
Set the 'app_service_logs' argument:

resource "azurerm_linux_function_app" "example" {
	# ...
	site_config {
		# For this resource, app_service_logs is nested inside site_config
		app_service_logs {
			# ...
			disk_quota_mb         = AMOUNT_OF_DISK_SPACE
			retention_period_days = RETENTION_PERIOD
			# ...
		}
	}
	# ...
}

From Command Line
Run

az functionapp create --name FUNCTIONAPP --resource-group RESOURCEGROUPNAME --storage-account STORAGEACCOUNT --consumption-plan-location REGION --deployment-container-image-name IMAGE

References

  1. https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#enable-application-logging-windows
  2. https://learn.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-create
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#app_service_logs

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • CloudGuard Azure All Rules Ruleset