
Enable Logging for Azure Storage Queue Service

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (should be achieved)
Rule ID: StorageAccounts-003

Ensure that Microsoft Azure Storage Queue service logging is enabled for read, write and delete requests. The Storage Queue service stores messages that can be read by any principal with access to your storage account (for example, through the account keys or a SAS token). A queue can contain an unlimited number of messages, each up to 64 KB in size. Storage Queue service logging (Storage Analytics logging) records details of both successful and failed requests made to the queues, including end-to-end latency, server latency and authentication information.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure Storage Queue logs contain detailed information about successful and failed requests made to your storage queues for read, write and delete operations: the operation type, the requester and authentication type, the status code and timing data. This information can be used to monitor individual requests, to investigate unexpected reads or deletes of queued messages, and to diagnose issues with the Storage Queue service within your Microsoft Azure account. These are the classic Storage Analytics logs, which are written as blobs to the $logs container of the same storage account; the account's access controls therefore also protect the audit trail, and the retention period you configure determines how long that trail is kept.


Audit

To determine if detailed logging for read, write and delete requests is enabled for the Azure Storage Queue service within your storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to examine.

04 In the navigation panel, under Monitoring (classic), choose Diagnostic settings (classic) to verify the Storage Analytics Logging configuration status.

05 On the Diagnostic settings (classic) page, check the Status setting. If Status is set to Off, diagnostics are disabled for the account, the configuration is not compliant, and the Audit process ends here. If Status is set to On, select the Queue properties tab and check the Logging configuration section (regardless of its version, 1.0 or 2.0). If any of the Read, Write or Delete options is not selected, storage logging is not fully enabled for the Azure Storage Queue service in the selected storage account.

06 Repeat steps no. 3 – 5 for each storage account available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account list command (Windows/macOS/Linux) with a custom query filter to list the name of each storage account available in the current Azure subscription:

az storage account list \
	--query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234"
]

03 Run storage logging show command (Windows/macOS/Linux) with the name of the storage account that you want to examine as the identifier parameter to describe the logging settings for the Azure Storage Queue service within the selected storage account. The classic logging settings are read with the storage account key, so the identity running the command must be able to list the account keys (or you must supply them with --account-key or --connection-string):

az storage logging show \
	--services q \
	--account-name abcd1234abcd1234abcd1234

04 The command output should return the requested configuration information:

{
  "queue": {
    "delete": false,
    "read": false,
    "write": false,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0"
  }
}

Check the "delete", "read" and "write" attribute values returned by the command output. If any of these attributes is set to false (in the example above, all three are), detailed storage logging is not enabled for that request type and the Azure Storage Queue service within the selected storage account is not compliant. Only an account where "read", "write" and "delete" are all true passes this check.

05 Repeat step no. 3 and 4 for each storage account available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable detailed storage logging for read, write and delete requests within Azure Storage Queue service settings, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to reconfigure.

04 In the navigation panel, under Monitoring (classic), choose Diagnostic settings (classic) to access the Storage Analytics Logging configuration details.

05 On the Diagnostic settings (classic) page, make sure that the Status is set to On, then select the Queue properties tab.

06 In the Logging configuration section, perform the following:

  1. Select Read, Write and Delete options to enable detailed storage logging for the Azure Storage Queue service, in the selected storage account.
  2. In the days box, set a retention period required to retain the storage logs, based on your requirements.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 3 – 7 for each storage account available in the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage logging update command (Windows/macOS/Linux) with the name of the storage account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right account name) to enable detailed logging for read, write and delete requests for the Azure Storage Queue service in the selected storage account. The --log rwd value enables all three request types, and --retention sets the number of days the logs are kept (90 in this example; adjust it to your requirements). The command does not produce an output on success:

az storage logging update \
	--account-name abcd1234abcd1234abcd1234 \
	--services q \
	--log rwd \
	--retention 90

02 Repeat step no. 1 for each storage account available in the current Azure subscription.

03 Repeat step no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
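The audit and remediation steps above are repeated per storage account and per subscription. The script below is an added example, not code from the Conformity article: it walks every enabled subscription, runs the same az storage logging show / update commands as the page, and reports each account as compliant, non-compliant or unknown. It assumes az is installed and az login has been run, that the identity can list storage account keys (the classic analytics settings are read and written with the account key), and that 90 days of retention is acceptable; the --audit and --fix switches and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the Conformity article): audit Storage Queue logging
# for read, write and delete requests across all enabled subscriptions, and
# optionally apply the article's remediation.
#
# Assumptions (not stated on the page): `az` is installed and `az login` has been
# run; the identity can list storage account keys; a 90-day retention is acceptable.
set -eu

# Compliance decision for one account, given the lower-cased read/write/delete
# flags from `az storage logging show`. Returns 0 only when all three are "true".
queue_logging_compliant() {
    [ "$1" = "true" ] && [ "$2" = "true" ] && [ "$3" = "true" ]
}

# Normalise the TSV output of
#   az storage logging show --query "queue.[read,write,delete]" -o tsv
# (az prints booleans as True/False, tab- or newline-separated) into
# a single line such as "true false true".
normalize_flags() {
    tr '\t\n' '  ' | tr '[:upper:]' '[:lower:]' | sed -e 's/[[:space:]]*$//'
}

# Check one storage account in the currently selected subscription.
# Prints a verdict line; returns 0 when compliant, 1 otherwise.
# An account whose settings cannot be read is reported, not silently passed.
check_account() {
    local account="$1" flags
    flags=$(az storage logging show --services q --account-name "$account" \
                --query "queue.[read,write,delete]" -o tsv | normalize_flags)
    if [ -z "$flags" ]; then
        printf 'UNKNOWN        %s (could not read logging settings; can this identity list the account keys?)\n' "$account"
        return 1
    fi
    set -- $flags   # intentional word splitting: read write delete
    if queue_logging_compliant "${1:-}" "${2:-}" "${3:-}"; then
        printf 'COMPLIANT      %s (read=%s write=%s delete=%s)\n' "$account" "$1" "$2" "$3"
        return 0
    fi
    printf 'NON-COMPLIANT  %s (read=%s write=%s delete=%s)\n' "$account" "${1:-?}" "${2:-?}" "${3:-?}"
    return 1
}

# Remediation from the article: enable read, write and delete logging on the
# queue service with a 90-day retention (no output on success).
fix_account() {
    az storage logging update --account-name "$1" --services q --log rwd --retention 90
}

# Walk every enabled subscription and every storage account in it.
# With --fix, non-compliant accounts are remediated and re-checked.
audit_all() {
    local fix="${1:-}" sub account noncompliant=0
    for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
        az account set --subscription "$sub"
        echo "== subscription $sub"
        for account in $(az storage account list --query "[].name" -o tsv); do
            if ! check_account "$account"; then
                noncompliant=$((noncompliant + 1))
                if [ "$fix" = "--fix" ]; then
                    fix_account "$account"
                    check_account "$account" || true   # show the post-fix state
                fi
            fi
        done
    done
    echo "Non-compliant accounts found: $noncompliant"
    [ "$noncompliant" -eq 0 ]
}

# Only talk to Azure when invoked explicitly: --audit reports, --fix also remediates.
case "${1:-}" in
    --audit) audit_all ;;
    --fix)   audit_all --fix ;;
esac
```

Run it as `bash audit_queue_logging.sh --audit` to report, or `--fix` to remediate; the exit status is non-zero if any account was non-compliant or could not be read, so it can be used as a scheduled check.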

Publication date Jun 7, 2019