
Enable Logging for Azure Storage Table Service

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-020

Ensure that Azure Storage Table service logging is enabled for read, write, and delete requests. The Azure Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage logging is performed server-side and records details of both successful and failed requests in the associated storage account. These logs let you see the details of read, write, and delete operations against your tables. For each individual request, the storage log records timing information (start time, end-to-end latency, server latency), authentication details, concurrency information, and the sizes of the request and response messages.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Categories: Security, Cost optimisation

By default, Azure Storage Table service logging is disabled for read, write, and delete operations. Once this logging is enabled, Microsoft Azure records detailed information about successful and failed requests made to the Azure Storage Table service, which you can use to monitor individual requests, investigate suspicious access, and diagnose issues with your table data. Note that these logs are written to the $logs blob container of the same storage account, so anyone holding the account key can read or delete them; if the logs are needed as an audit trail, copy them to a separately controlled location. Also set a retention period, otherwise the logs accumulate indefinitely and incur storage cost.


Audit

To determine if Azure Storage Table service logging is enabled, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the blade navigation panel, under Monitoring (classic), choose Diagnostic settings (classic) to access the Diagnostics feature settings.

06 On the Diagnostic settings (classic) page, make sure that the Status is set to On. If the Status is set to Off, diagnostics are disabled, therefore the logging configuration is not compliant and the Audit process ends here. If the Status is set to On, select the Table properties tab and check the Logging configuration section (regardless of its version). If Read, Write, and Delete are not all selected, storage logging is not enabled for the Azure Storage Table service within the selected storage account settings.

07 Repeat steps no. 4 – 6 for each storage account available in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier of each storage account available in the current Azure subscription:

az storage account list \
  --query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234"
]

03 Run storage logging show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter and the --services parameter set to t (table) to describe the table logging settings available for the selected storage account. This is a data-plane command: if you do not supply an account key, SAS token, or connection string, the Azure CLI retrieves the account key for you, which requires permission to list keys on the storage account:

az storage logging show \
  --services t \
  --account-name abcd1234abcd1234abcd1234

04 The command output should return the requested configuration information:

{
  "table": {
    "write": false,
    "read": false,
    "delete": false,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0"
  }
}

Check the "write", "read", and "delete" attribute values returned by the storage logging show command output. If any of the "write", "read", and "delete" attributes is set to false (in the output example above all three are false), storage logging is not fully enabled for the Azure Storage Table service in the selected storage account settings.

05 Repeat steps no. 3 and 4 for each storage account available in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable logging for Azure Storage Table service (read, write, and delete requests), perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to reconfigure.

05 In the blade navigation panel, under Monitoring (classic), choose Diagnostic settings (classic) to access the diagnostics settings.

06 On the Diagnostic settings (classic) page, perform the following actions:

  1. Make sure that the Status is set to On to enable the feature.
  2. Select the Table properties tab.
  3. Select the Read, Write, and Delete checkboxes to enable Azure Storage Table logging for read, write, and delete requests.
  4. (Optional) Select the Delete data checkbox and set a retention period required to retain the log data based on your requirements.
  5. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each storage account available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage logging update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as the identifier parameter, to enable Azure Storage Table logging for read, write, and delete requests (--log rwd). (Optional) Use the --retention parameter to set a retention period, in days, for your log data. The command does not produce an output:

az storage logging update \
  --account-name abcd1234abcd1234abcd1234 \
  --services t \
  --log rwd \
  --retention 60

02 Repeat step no. 1 for each storage account available within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
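The Audit and Remediation CLI procedures above both loop over every subscription and every storage account. The script below is an added example, not code from the Conformity page, that automates both: it evaluates the "read", "write", and "delete" flags returned by storage logging show for each account, prints a verdict per account, and, when run with FIX=1, applies the storage logging update remediation to the failing ones. It assumes az login has already been run, that the identity can list storage account keys (needed by the data-plane storage logging commands), and the environment variable names FIX and RETENTION_DAYS are the script's own choice.

```shell
#!/usr/bin/env bash
# Audit (and optionally remediate) Azure Storage Table logging across all
# subscriptions and storage accounts. Added example, not code from the
# Conformity page. Assumes `az login` has been run and that the identity can
# list storage account keys (`az storage logging` is a data-plane command and
# fetches the account key when no --account-key/--sas-token is supplied).
set -eu

# Verdict for one account, from the three booleans returned by
#   az storage logging show --services t --query '[table.read,table.write,table.delete]' -o tsv
# Prints one line and returns 0 only when read, write and delete are all logged.
check_table_logging() {
  local account="$1" rd="$2" wr="$3" dl="$4" missing=""
  [ "$rd" = "true" ] || missing="${missing}read,"
  [ "$wr" = "true" ] || missing="${missing}write,"
  [ "$dl" = "true" ] || missing="${missing}delete,"
  if [ -z "$missing" ]; then
    printf '%s: COMPLIANT (table logging: read,write,delete)\n' "$account"
    return 0
  fi
  printf '%s: NON-COMPLIANT (table logging missing: %s)\n' "$account" "${missing%,}"
  return 1
}

# Remediation for one account (the StorageAccounts-020 resolution):
# enable read/write/delete logging for the table service with a retention period.
enable_table_logging() {
  local account="$1" sub="$2" retention="$3"
  az storage logging update --account-name "$account" --subscription "$sub" \
    --services t --log rwd --retention "$retention"
  printf '%s: table logging enabled (read,write,delete), retention %s days\n' \
    "$account" "$retention"
}

# Walk every subscription and storage account. With FIX=1, remediate failures.
# Returns 1 if any account was non-compliant or its settings could not be read.
audit_all() {
  local rc=0 sub account flags
  for sub in $(az account list --query '[].id' -o tsv); do
    for account in $(az storage account list --subscription "$sub" --query '[].name' -o tsv); do
      # A read failure (e.g. no permission to list keys) is reported, not skipped.
      if ! flags=$(az storage logging show --services t --account-name "$account" \
                     --subscription "$sub" \
                     --query '[table.read, table.write, table.delete]' -o tsv) \
         || [ -z "$flags" ]; then
        printf '%s: UNKNOWN (could not read logging settings)\n' "$account"
        rc=1
        continue
      fi
      # shellcheck disable=SC2086  # split the three tsv values into $1 $2 $3
      set -- $flags
      if ! check_table_logging "$account" "${1:-}" "${2:-}" "${3:-}"; then
        rc=1
        if [ "${FIX:-0}" = "1" ]; then
          enable_table_logging "$account" "$sub" "${RETENTION_DAYS:-60}"
        fi
      fi
    done
  done
  return $rc
}

# Run only when invoked as `./audit-table-logging.sh --run`; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--run" ]; then
  audit_all
fi
```

Run it once without FIX to get an inventory of non-compliant accounts, review the list (enabling logging adds $logs storage cost and has no effect on data-plane availability), then run FIX=1 RETENTION_DAYS=60 ./audit-table-logging.sh --run to remediate. The script exits non-zero when anything fails the check, so it can be dropped into a scheduled pipeline as a compliance gate.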


Publication date Oct 20, 2021