
Enable Logging for Azure Storage Blob Service

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-019

Ensure that Azure Storage Blob service logging is enabled for read, write, and delete requests. The Storage Blob service provides scalable, cost-efficient object storage in the Azure cloud. Storage logging is performed server-side and records details of both successful and failed requests in the associated storage account. These logs contain the following information about each request: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the size of the request and response.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Categories: Security, Cost optimisation

By default, Azure Storage Blob service logging is disabled for read, write, and delete operations. Once enabled, the storage logging will provide detailed information about successful and failed requests made to the blob storage service. This information can be used to monitor individual requests and to diagnose issues with your blob data.


Audit

To determine if the Azure Storage Blob service logging is enabled, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the blade navigation panel, under Monitoring (classic), choose Diagnostic settings (classic) to access the diagnostics settings.

06 On the Diagnostic settings (classic) page, make sure that the Status is set to On. If the Status setting is set to Off, the diagnostics are disabled, therefore the logging configuration is not compliant and the Audit process ends here. If the Status is set to On, select the Blob properties tab and check the Logging configuration section (regardless of its version, 1.0 or 2.0). If Read, Write, and Delete are not selected, the storage logging is not enabled for the Azure Storage Blob service within the selected storage account settings.

07 Repeat steps no. 4 – 6 for each storage account available in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier of each storage account available in the current Azure subscription:

az storage account list \
  --query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234"
]

03 Run storage logging show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter and custom query filters to describe the blob logging settings available for the selected storage account:

az storage logging show \
  --services b \
  --account-name abcd1234abcd1234abcd1234

04 The command output should return the requested configuration information:

{
  "blob": {
    "write": false,
    "read": false,
    "delete": false,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0"
  }
}

Check the "write", "read", and "delete" attribute values returned by the storage logging show command output. If "write", "read" and "delete" attributes are all set to false, as shown in the example above, the storage logging is not enabled for the Azure Storage Blob service in the selected storage account settings.

05 Repeat steps no. 3 and 4 for each storage account available in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable logging for Azure Storage Blob service (read, write, and delete requests), perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to reconfigure.

05 In the blade navigation panel, under Monitoring (classic), choose Diagnostic settings (classic) to access the diagnostics settings.

06 On the Diagnostic settings (classic) page, perform the following operations:

  1. Make sure that the Status is set to On to enable the feature.
  2. Select the Blob properties tab.
  3. Select the Read, Write, and Delete checkboxes to enable Azure Storage Blob logging for read, write, and delete requests.
  4. (Optional) Select the Delete data checkbox and set a retention period required to retain the storage logs based on your requirements.
  5. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each storage account available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage logging update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as the identifier parameter, to enable Azure Storage Blob logging for read, write, and delete requests in the selected storage account. (Optional) Use the --retention parameter to set a retention period, in days, for your log data. The command does not produce an output:

az storage logging update \
  --account-name abcd1234abcd1234abcd1234 \
  --services b \
  --log rwd \
  --retention 90

02 Repeat step no. 1 for each storage account available within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
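The audit and remediation steps above can be automated for every storage account in the current subscription. The following script is an added example, not part of the Conformity page or the Azure CLI; it parses the JSON returned by storage logging show exactly as the audit step does, and builds the storage logging update command from the remediation step for each non-compliant account. The run_az helper is a hypothetical wrapper around the az CLI (it assumes you have already run az login), and the two JSON samples are constructed to match the page's example output.

```python
import json
import subprocess
from typing import Callable, Dict, List

REQUIRED_OPS = ("read", "write", "delete")

# Constructed sample: logging disabled for all three request types (non-compliant).
SAMPLE_NONCOMPLIANT = """{"blob": {"write": false, "read": false, "delete": false,
  "retentionPolicy": {"days": null, "enabled": false}, "version": "1.0"}}"""
# Constructed sample: output after `--log rwd --retention 90` has been applied.
SAMPLE_COMPLIANT = """{"blob": {"write": true, "read": true, "delete": true,
  "retentionPolicy": {"days": 90, "enabled": true}, "version": "1.0"}}"""


def missing_blob_log_ops(logging_show_json: str) -> List[str]:
    """Request types not being logged, parsed from `az storage logging show --services b`."""
    blob = json.loads(logging_show_json).get("blob", {})
    return [op for op in REQUIRED_OPS if blob.get(op) is not True]


def remediation_command(account_name: str, retention_days: int = 90) -> List[str]:
    """The `az storage logging update` call from the remediation section, as an argv list."""
    return ["az", "storage", "logging", "update", "--account-name", account_name,
            "--services", "b", "--log", "rwd", "--retention", str(retention_days)]


def run_az(args: List[str]) -> str:
    """Hypothetical helper: run one az CLI command (after `az login`) and return its stdout."""
    return subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout


def audit_accounts(run: Callable[[List[str]], str] = run_az) -> Dict[str, List[str]]:
    """Map every non-compliant storage account name to the request types it fails to log."""
    names = json.loads(run(["storage", "account", "list", "--query", "[*].name"]))
    findings: Dict[str, List[str]] = {}
    for name in names:
        shown = run(["storage", "logging", "show", "--services", "b", "--account-name", name])
        missing = missing_blob_log_ops(shown)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for account, ops in audit_accounts().items():
        print(f"{account}: blob logging missing for {', '.join(ops)}")
        print("  remediate with:", " ".join(remediation_command(account)))
```

Run it once per subscription (after az account set) to mirror the "repeat for each subscription" steps; the run parameter lets you substitute a stub for the CLI when testing offline.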

Publication date Oct 20, 2021
