3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.

Rationale:

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.

Storage Analytics logging is not enabled by default for your storage account.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Console:

Go to Storage Accounts.

Select the specific Storage Account.

Click the Diagnostics settings (classic) blade from Monitoring (classic) section.

Set the Status to On, if set to Off.

Select Queue properties.

Select Read, Write and Delete options under the Logging section to enable Storage Logging for Queue service.

Using Azure Command Line Interface 2.0
Use the below command to enable the Storage Logging for Queue service.

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90

See Also

https://workbench.cisecurity.org/files/3459