Storage Account queue service logging should be enabled for read, write, and delete requests

Description

Storage account read, write, and delete logging for Storage Queues is not enabled by default. Logging should be enabled so that read, write, and delete requests against queues can be monitored for security and performance issues.

Remediation Steps

Azure Portal

  • Navigate to Storage Accounts.

  • Select the specific storage account. Note that this rule only applies to storage account types that support queues.

  • Click the Diagnostics settings (classic) blade from the Monitoring (classic) section.

  • Set the Status to On.

  • Select Queue properties.

  • Select Read, Write and Delete options under the Logging section to enable storage queue service logging.

  • Click Save.

Azure CLI

  • To enable queue service logging:

    • az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90

Azure Resource Manager

{
  "properties": {
    "logs": [
      {
        "category": "storageread",
        "enabled": true
      },
      {
        "category": "storagewrite",
        "enabled": true
      },
      {
        "category": "storagedelete",
        "enabled": true
      }
    ]
  }
}

Example Configuration

{
  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
  "apiVersion": "2021-05-01-preview",
  "properties": {
    "logs": [
      {
        "category": "storageread",
        "enabled": true
      },
      {
        "category": "storagewrite",
        "enabled": true
      },
      {
        "category": "storagedelete",
        "enabled": true
      }
    ]
  }
  # other required fields here
}
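The following is an added example, not part of the original rule text and not code from Azure or any project the page describes. It shows how a defender might evaluate this rule offline against the two artifacts named above: the JSON that `az storage logging show --services q` prints for classic storage analytics logging, and an ARM diagnostic-settings resource with a `logs` array. The shape assumed for the CLI output (`{"queue": {"read": ..., "write": ..., "delete": ...}}`) is an assumption, and all sample documents below are constructed for the example.

```python
"""Offline compliance check for Azure Storage queue logging (added example).

Two inputs are evaluated:
  1. JSON from `az storage logging show --services q ...` (classic logging);
     its shape is ASSUMED here to be {"queue": {"read": bool, "write": bool,
     "delete": bool, ...}}.
  2. An ARM diagnostic-settings resource whose properties.logs array carries
     {"category": ..., "enabled": ...} entries.
All sample documents in this file are constructed, not captured from a tenant.
"""
import json

# Operations the rule requires to be logged under classic logging.
REQUIRED_OPERATIONS = ("read", "write", "delete")
# Diagnostic-settings categories; the page writes them in lowercase, so the
# comparison below is case-insensitive.
REQUIRED_CATEGORIES = ("StorageRead", "StorageWrite", "StorageDelete")


def missing_classic_logging(az_output: str) -> list:
    """Return queue operations whose classic logging is NOT enabled.

    An empty list means the classic logging configuration satisfies the rule.
    """
    data = json.loads(az_output)
    queue = data.get("queue") or {}
    return [op for op in REQUIRED_OPERATIONS if not queue.get(op, False)]


def missing_diagnostic_categories(resource: dict) -> list:
    """Return diagnostic log categories that are absent or disabled.

    Entries are read from resource["properties"]["logs"]; anything that is not
    a list is treated as no logs configured, which covers the common mistake of
    writing `logs` as a single object instead of an array.
    """
    logs = (resource.get("properties") or {}).get("logs")
    if not isinstance(logs, list):
        logs = []
    enabled = {
        str(entry.get("category", "")).lower()
        for entry in logs
        if isinstance(entry, dict) and entry.get("enabled") is True
    }
    return [cat for cat in REQUIRED_CATEGORIES if cat.lower() not in enabled]


# --- Constructed sample inputs ---------------------------------------------

# Classic logging output for an account where delete logging was never turned on.
SAMPLE_CLASSIC_NONCOMPLIANT = json.dumps({
    "queue": {"read": True, "write": True, "delete": False,
              "retentionPolicy": {"enabled": True, "days": 90}, "version": "1.0"}
})

# Classic logging output after `az storage logging update --services q --log rwd`.
SAMPLE_CLASSIC_COMPLIANT = json.dumps({
    "queue": {"read": True, "write": True, "delete": True,
              "retentionPolicy": {"enabled": True, "days": 90}, "version": "1.0"}
})

# ARM resource that enables only reads, as in the page's minimal fragment.
SAMPLE_ARM_NONCOMPLIANT = {
    "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
    "apiVersion": "2021-05-01-preview",
    "properties": {"logs": [{"category": "storageread", "enabled": True}]},
}

# ARM resource covering all three categories.
SAMPLE_ARM_COMPLIANT = {
    "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
    "apiVersion": "2021-05-01-preview",
    "properties": {"logs": [
        {"category": "storageread", "enabled": True},
        {"category": "storagewrite", "enabled": True},
        {"category": "storagedelete", "enabled": True},
    ]},
}


def main() -> None:
    for label, raw in (("classic/noncompliant", SAMPLE_CLASSIC_NONCOMPLIANT),
                       ("classic/compliant", SAMPLE_CLASSIC_COMPLIANT)):
        print(label, "missing:", missing_classic_logging(raw))
    for label, res in (("arm/noncompliant", SAMPLE_ARM_NONCOMPLIANT),
                       ("arm/compliant", SAMPLE_ARM_COMPLIANT)):
        print(label, "missing:", missing_diagnostic_categories(res))


if __name__ == "__main__":
    main()
```

To run it against a live account, feed the output of `az storage logging show --services q --account-name <storageAccountName> --account-key <storageAccountKey>` to `missing_classic_logging`, or load a deployed template and pass the diagnostic-settings resource to `missing_diagnostic_categories`; either function returning a non-empty list is a finding for this rule.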