Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

The Storage Queue service stores messages that can be read by any client with access to the storage account. A queue can contain an unlimited number of messages, each up to 64 KB in size when using service version 2011-08-18 or newer. Storage Logging happens server-side and records details of both successful and failed requests in the storage account. These logs let users see the details of read, write, and delete operations against the queues. Each Storage Logging entry contains the following information about an individual request: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.LOG.14
Covered by Spectral: No
Category: Storage


StorageAccount should have queueServiceProperties.classicDiagnosticSettings.logging.read=true and queueServiceProperties.classicDiagnosticSettings.logging.write=true and queueServiceProperties.classicDiagnosticSettings.logging.delete=true


From Portal

  1. Go to Storage Accounts.
  2. Select the specific Storage Account.
  3. Click the Diagnostics settings (classic) blade from Monitoring (classic) section.
  4. Set the Status to On, if set to Off.
  5. Select Queue properties.
  6. Select Read, Write and Delete options under the Logging section to enable Storage Logging for Queue service.
  7. Click Save.

From TF
Set the 'delete', 'read' and 'write' arguments to 'true' (the provider also requires 'version' in the logging block):

resource "azurerm_storage_account" "example" {
  # name, resource_group_name, location, account_tier and account_replication_type omitted for brevity
  queue_properties {
    logging {
      delete  = true
      read    = true
      write   = true
      version = "1.0"   # required by the provider alongside delete/read/write
    }
  }
}

From Command Line

az storage logging update --account-name <STORAGE_ACCOUNT_NAME> --account-key <STORAGE_ACCOUNT_KEY> --services q --log rwd --retention 90
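The following is an added example, not part of the original rule page or of the CloudGuard or Azure CLI tooling. It evaluates the rule condition (read, write and delete all logged for the Queue service) offline against the JSON that `az storage logging show --services q` prints; the output shape and the account placeholders are assumptions, and the sample input is constructed rather than fetched from Azure.

```python
"""Offline check mirroring the CloudGuard condition
queueServiceProperties.classicDiagnosticSettings.logging.{read,write,delete} == true.

Input: the JSON printed by `az storage logging show --services q`
(assumed shape: top-level "queue" object with boolean read/write/delete)."""
import json

REQUIRED_OPS = ("read", "write", "delete")

# Constructed sample: an account that only logs reads, with 90-day retention.
SAMPLE_SHOW_OUTPUT = json.dumps({
    "queue": {
        "delete": False,
        "read": True,
        "write": False,
        "retentionPolicy": {"days": 90, "enabled": True},
        "version": "1.0",
    }
})


def missing_queue_log_ops(show_output_json: str) -> list:
    """Return the request types (read/write/delete) NOT logged for the Queue service.
    A missing "queue" object or a non-boolean value counts as not logged."""
    props = json.loads(show_output_json).get("queue", {})
    return [op for op in REQUIRED_OPS if props.get(op) is not True]


def is_compliant(show_output_json: str) -> bool:
    """True only when read, write and delete are all logged (the rule condition)."""
    return not missing_queue_log_ops(show_output_json)


def remediation_command(account_name: str, account_key: str, retention_days: int = 90) -> str:
    """Build the `az storage logging update` command from the page. `--log rwd` replaces
    the whole flag set, so it is always 'rwd' regardless of which flags were missing."""
    return (f"az storage logging update --account-name {account_name} "
            f"--account-key {account_key} --services q --log rwd "
            f"--retention {retention_days}")


if __name__ == "__main__":
    missing = missing_queue_log_ops(SAMPLE_SHOW_OUTPUT)
    if missing:
        print("Non-compliant: not logging", ", ".join(missing))
        # Placeholders: substitute the real account name and key when running the fix.
        print("Fix:", remediation_command("<STORAGE_ACCOUNT_NAME>", "<STORAGE_ACCOUNT_KEY>"))
    else:
        print("Compliant")
```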


  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#queue_properties
  3. https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest#az-storage-logging-update

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset