Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details of both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.LOG.15
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageAccount should have blobServiceProperties.classicDiagnosticSettings.logging.read=true and blobServiceProperties.classicDiagnosticSettings.logging.write=true and blobServiceProperties.classicDiagnosticSettings.logging.delete=true
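The GSL rule above is a check on three nested boolean properties of the storage account entity. The following Python snippet is an added example (not CloudGuard's own evaluator) that applies the same logic offline to a dict shaped like that entity, so the pass/fail behaviour can be seen without a subscription. It assumes the property path exactly as written in the rule, and the three sample account documents are constructed for illustration, not captured from real accounts.

```python
"""Offline evaluation of the logic in rule D9.AZU.LOG.15.

Added example, not CloudGuard's evaluator. It walks the path
blobServiceProperties.classicDiagnosticSettings.logging.{read,write,delete}
over a dict shaped like the StorageAccount entity the rule inspects.
"""
from typing import Any

REQUIRED_OPERATIONS = ("read", "write", "delete")
LOGGING_PATH = ("blobServiceProperties", "classicDiagnosticSettings", "logging")


def _dig(doc: dict, path: tuple) -> Any:
    """Return the value at a nested key path, or None if any key is absent."""
    cur: Any = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def missing_log_operations(account: dict) -> list:
    """Return the operations whose logging is not enabled, in rule order.

    An absent logging block counts as all three missing: an account where
    classic diagnostics were never turned on logs nothing, which is exactly
    the state the rule is meant to flag. Only the boolean True satisfies a
    check; the string "true" (a common mistake in hand-edited JSON) does not.
    """
    logging_cfg = _dig(account, LOGGING_PATH)
    if not isinstance(logging_cfg, dict):
        return list(REQUIRED_OPERATIONS)
    return [op for op in REQUIRED_OPERATIONS if logging_cfg.get(op) is not True]


def is_compliant(account: dict) -> bool:
    """True iff read, write and delete logging are all enabled."""
    return not missing_log_operations(account)


# Constructed sample entities (hypothetical account names, not real accounts).
COMPLIANT_ACCOUNT = {
    "name": "stcompliantexample",
    "blobServiceProperties": {
        "classicDiagnosticSettings": {
            "logging": {"read": True, "write": True, "delete": True,
                        "retentionPolicy": {"enabled": True, "days": 90}}
        }
    },
}

PARTIAL_ACCOUNT = {
    "name": "stpartialexample",
    "blobServiceProperties": {
        "classicDiagnosticSettings": {
            # "delete" is a string, not a boolean, so it must not pass
            "logging": {"read": True, "write": False, "delete": "true"}
        }
    },
}

NEVER_CONFIGURED_ACCOUNT = {"name": "stunconfiguredexample", "blobServiceProperties": {}}


if __name__ == "__main__":
    for acct in (COMPLIANT_ACCOUNT, PARTIAL_ACCOUNT, NEVER_CONFIGURED_ACCOUNT):
        missing = missing_log_operations(acct)
        status = "PASS" if not missing else "FAIL (missing: " + ", ".join(missing) + ")"
        print(f"{acct['name']}: {status}")
```

Running the script prints one line per sample account; the partial and never-configured accounts fail, and the failure line names the operations that still need enabling, which maps directly onto the Read/Write/Delete checkboxes in the remediation steps.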

REMEDIATION

From Portal

  1. Go to Storage Accounts.
  2. Select the specific Storage Account.
  3. Click the Diagnostics settings (classic) blade from Monitoring (classic) section.
  4. Set the Status to On, if set to Off.
  5. Select Blob properties.
  6. Select Read, Write and Delete options under the Logging section to enable Storage Logging for Blob service.
  7. Click Save.

From TF
Set the 'delete', 'read' and 'write' arguments of the blob_properties logging block to 'true':

resource "azurerm_storage_account" "example" {
  ..
  blob_properties {
    ..
    # Classic Storage Analytics logging for the Blob service;
    # all three operation types must be logged to satisfy the rule
    logging {
      delete = true
      read   = true
      write  = true
    }
    ..
  }
}

From Command Line
Run

az storage logging update --account-name <STORAGE_ACCOUNT_NAME> --account-key <STORAGE_ACCOUNT_KEY> --services b --log rwd --retention 90

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#blob_properties
  3. https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest#az-storage-logging-update

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset