Ensure read, write and delete request logging is enabled for queue service in Azure Storage Account

MEDIUM

Description

Storage Analytics logging is not enabled for the Queue service of this Azure Storage Account for read, write and delete requests. Without it, there is no per-request record of who enqueued, peeked, dequeued or deleted messages, which makes auditing and incident investigation of queue activity difficult.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Storage Accounts.
  2. Select the Storage Account that you wish to edit.
  3. Under Monitoring (classic), select Diagnostic settings (classic).
  4. For the Queue service, check the Read, Write and Delete boxes under Logging (do the same for Blob and Table if those services are in scope), set a log retention period, and save.

In Terraform -

  1. In the azurerm_storage_account resource, create a queue_properties block.
  2. Inside queue_properties, create a logging block with read, write and delete set to true, the required version attribute (for example "1.0"), and a retention_policy_days value so that the logs are kept long enough to be useful for audit.
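The following configuration is an added example, not code from the original page or from the provider documentation. It shows a non-compliant storage account next to a compliant one so the difference the rule checks for is visible in one place. The resource group name, region, account names and the 90-day retention are assumptions; the account names must be changed to globally unique values before applying.

```terraform
# Added example: azurerm_storage_account with and without Storage Analytics
# logging for the Queue service. Names, region and retention are assumed values.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-queue-logging-example" # assumed name
  location = "westeurope"               # assumed region
}

# Non-compliant: no queue_properties block, so read/write/delete requests to
# the queue service are never written to the $logs container and
# AC_AZURE_0302 fires on this resource.
resource "azurerm_storage_account" "noncompliant" {
  name                     = "stqueuenolog001" # assumed; 3-24 lowercase alphanumerics, globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Compliant: queue_properties.logging enables Storage Analytics logging for
# read, write and delete requests and retains the logs for 90 days.
resource "azurerm_storage_account" "compliant" {
  name                     = "stqueuelog001" # assumed; 3-24 lowercase alphanumerics, globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0" # Storage Analytics log format version (required)
      retention_policy_days = 90    # assumed retention; allowed range is 1-365
    }
  }
}
```

Run `terraform plan` and confirm that the `compliant` account shows all three flags set; a `queue_properties` block whose `logging` block omits any of `read`, `write` or `delete`, or sets one of them to `false`, still fails the rule. These are the classic Storage Analytics logs written to the hidden `$logs` container of the account, not Azure Monitor resource logs configured through `azurerm_monitor_diagnostic_setting`; the two mechanisms are independent, and this rule checks only the former.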

References:
https://learn.microsoft.com/en-us/dotnet/azure/sdk/logging?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#queue_properties

Policy Details

Rule Reference ID: AC_AZURE_0302
CSP: Azure
Remediation Available: Yes
Resource Category: Storage
Resource Type: Storage Accounts

Frameworks