Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and records details of both successful and failed requests in the storage account. These logs let users see the details of read, write, and delete operations against blobs. Each Storage Logging entry contains the following information about an individual request: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.
Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.LOG.15
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
StorageAccount should have blobServiceProperties.classicDiagnosticSettings.logging.read=true and blobServiceProperties.classicDiagnosticSettings.logging.write=true and blobServiceProperties.classicDiagnosticSettings.logging.delete=true
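The GSL expression above is a simple property check: the three logging flags under the blob service's classic diagnostic settings must all be true. The following Python is an added example (not CloudGuard's rule engine) that evaluates the same logic over a storage account entity shaped like the GSL path; the entity dictionaries are constructed for illustration and are not real account data. It also reports which request types are missing, which is the detail you need when choosing the remediation below.

```python
"""Evaluate the D9.AZU.LOG.15 logic against a storage account entity.

Added example, not CloudGuard's own engine. The entity dictionaries below
are constructed to mirror the GSL path names; the values are not real data.
"""
from typing import Any

REQUIRED_FLAGS = ("read", "write", "delete")
LOGGING_PATH = "blobServiceProperties.classicDiagnosticSettings.logging"


def get_path(entity: dict, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    node: Any = entity
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def missing_blob_logging(entity: dict) -> list[str]:
    """Return the request types (read/write/delete) that are not logged.

    An empty list means the account passes the rule. A missing or non-boolean
    value counts as disabled, matching the GSL 'should have ... = true' test.
    """
    logging = get_path(entity, LOGGING_PATH)
    if not isinstance(logging, dict):
        return list(REQUIRED_FLAGS)
    return [flag for flag in REQUIRED_FLAGS if logging.get(flag) is not True]


def is_compliant(entity: dict) -> bool:
    return not missing_blob_logging(entity)


def audit(entities: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant account name to the flags it is missing."""
    return {e["name"]: m for e in entities if (m := missing_blob_logging(e))}


# Constructed sample entities (hypothetical names, not real accounts).
COMPLIANT_ACCOUNT = {
    "name": "stcompliant",
    "blobServiceProperties": {
        "classicDiagnosticSettings": {
            "logging": {"read": True, "write": True, "delete": True, "retentionDays": 90}
        }
    },
}

PARTIAL_ACCOUNT = {
    "name": "stpartial",
    "blobServiceProperties": {
        "classicDiagnosticSettings": {
            "logging": {"read": True, "write": False}  # 'delete' key absent entirely
        }
    },
}

NO_SETTINGS_ACCOUNT = {"name": "stnolog", "blobServiceProperties": {}}


if __name__ == "__main__":
    findings = audit([COMPLIANT_ACCOUNT, PARTIAL_ACCOUNT, NO_SETTINGS_ACCOUNT])
    for name, missing in findings.items():
        print(f"{name}: blob logging disabled for {', '.join(missing)}")
```

Treating an absent key the same as `false` is deliberate: an account whose classic diagnostic settings were never configured exposes no logging flags at all, and it should fail the rule rather than slip past a check that only inspects keys that exist.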
REMEDIATION
From Portal
- Go to Storage Accounts.
- Select the specific Storage Account.
- Click the Diagnostics settings (classic) blade from Monitoring (classic) section.
- Set the Status to On, if set to Off.
- Select Blob properties.
- Select Read, Write and Delete options under the Logging section to enable Storage Logging for Blob service.
- Click Save.
From TF
Set the 'delete', 'read' and 'write' arguments of the logging block to 'true':
resource "azurerm_storage_account" "example" {
  # ..
  blob_properties {
    # ..
    logging {
      delete = true
      read   = true
      write  = true
    }
    # ..
  }
}
From Command Line
Run the following, replacing the placeholders with the account name and key. The '--services b' argument selects the Blob service (q would target the Queue service), and '--log rwd' enables logging for read, write and delete requests:
az storage logging update --account-name <STORAGEACCOUNT_NAME> --account-key <STORAGEACCOUNT_KEY> --services b --log rwd --retention 90
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#blob_properties
- https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest#az-storage-logging-update
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset