Ensure storage logging for queue service has read, write, and delete requests enabled

Error: Storage logging for queue service does not have read, write, and delete requests enabled

Bridgecrew Policy ID: BC_AZR_LOGGING_4
Checkov Check ID: CKV_AZURE_33
Severity: MEDIUM


Description

The Azure Queue Storage service stores messages that may be read by any client with access to the storage account. A queue may contain an unlimited number of messages, each of which can be up to 64KB in size when using version 2011-08-18 or newer.

Storage Logging takes place server-side, recording details in the storage account for both successful and failed requests. These logs let users see the details of read, write, and delete operations against the queues. Each Storage Logging entry contains the following information about an individual request: timing information (for example start time, end-to-end latency, and server latency), authentication details, concurrency information, and the size of the request and response messages.

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Storage Accounts.
  3. Select the specific Storage Account.
  4. From the Monitoring (classic) section, select the Diagnostics logs (classic) blade.
  5. Set the Status to On.
  6. Select Queue properties.
  7. Navigate to the Logging section to enable Storage Logging for Queue service.
  8. Select Read, Write and Delete options.

CLI Command

To enable Storage Logging for the Queue service, use the az storage logging update command:

az storage logging update \
    --account-name <storageAccountName> \
    --account-key <storageAccountKey> \
    --services q \
    --log rwd \
    --retention 90

Fix - Buildtime

Terraform

  • Resource: azurerm_storage_account
  • Argument: logging + hour_metrics + minute_metrics
resource "azurerm_storage_account" "example" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}

The logging block should be enough to enable logging. Because terraform apply might fail without them, it is recommended to also configure the hour_metrics and minute_metrics blocks.
To do this, insert the following code in the queue_properties block of the example above.

    hour_metrics {
      enabled               = true
      include_apis          = true
      version               = "1.0"
      retention_policy_days = 10
    }
    minute_metrics {
      enabled               = true
      include_apis          = true
      version               = "1.0"
      retention_policy_days = 10
    }