Storage Account queue service logging should be enabled for read, write, and delete requests
Description
Read, write, and delete request logging for Storage Queues is not enabled by default on a storage account. Enable it so that queue activity can be monitored for security and performance issues.
Remediation Steps
Azure Portal
Navigate to Storage Accounts.
Select the specific storage account. Note that this rule only applies to storage account types that support queues.
Click the Diagnostics settings (classic) blade from the Monitoring (classic) section.
Set the Status to On.
Select Queue properties.
Select Read, Write and Delete options under the Logging section to enable storage queue service logging.
Click Save.
Azure CLI
To enable queue service logging (--services q selects the queue service, --log rwd selects read, write and delete requests, and --retention 90 keeps the logs for 90 days):
az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90
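After running the command above, the current state can be read back with az storage logging show --services q. The following is an added example, not part of the original rule page, that parses that JSON output and reports which of read, write and delete are still unlogged and whether retention meets the 90-day setting. It assumes the output shape shown in the constructed samples (a top-level "queue" object with "read", "write" and "delete" booleans and a "retentionPolicy" object); the samples are constructed, not captured from a real account.

```python
"""Parse the output of `az storage logging show --services q` and report queue logging drift.

Added example, not part of the original rule page. It assumes the JSON shape
that `az storage logging show` prints: a top-level "queue" object with
"read", "write" and "delete" booleans plus a "retentionPolicy" object with
"enabled" and "days". The two documents below are constructed samples,
not captured from a real account.
"""
import json

REQUIRED_OPERATIONS = ("read", "write", "delete")

# Constructed sample: the default state of a new storage account (nothing logged).
SHOW_OUTPUT_DEFAULT = json.dumps({
    "queue": {
        "delete": False,
        "read": False,
        "write": False,
        "retentionPolicy": {"days": None, "enabled": False},
        "version": "1.0",
    }
})

# Constructed sample: state after
#   az storage logging update --services q --log rwd --retention 90
SHOW_OUTPUT_REMEDIATED = json.dumps({
    "queue": {
        "delete": True,
        "read": True,
        "write": True,
        "retentionPolicy": {"days": 90, "enabled": True},
        "version": "1.0",
    }
})


def queue_logging_findings(show_output, min_retention_days=90):
    """Return a list of findings for the queue service; an empty list means compliant.

    Each of read/write/delete is checked individually so a partially enabled
    account (for example, writes logged but reads not) is reported precisely.
    """
    doc = json.loads(show_output)
    queue = doc.get("queue")
    if not isinstance(queue, dict):
        return ["no 'queue' section in output; the account type may not support queues"]

    findings = []
    for op in REQUIRED_OPERATIONS:
        if queue.get(op) is not True:
            findings.append("queue %s logging is disabled" % op)

    retention = queue.get("retentionPolicy") or {}
    if retention.get("enabled") is not True:
        findings.append("queue log retention policy is not enabled")
    elif (retention.get("days") or 0) < min_retention_days:
        findings.append("queue log retention is %s days, below the required %d"
                        % (retention.get("days"), min_retention_days))
    return findings


def is_queue_logging_compliant(show_output, min_retention_days=90):
    """True when read, write and delete are all logged and retention meets the minimum."""
    return not queue_logging_findings(show_output, min_retention_days)


if __name__ == "__main__":
    for label, output in (("default", SHOW_OUTPUT_DEFAULT), ("remediated", SHOW_OUTPUT_REMEDIATED)):
        print(label + ":", queue_logging_findings(output) or "compliant")
```

In practice the show command's output is captured (for example with subprocess or a shell pipe) and passed to queue_logging_findings; a non-empty list is the drift to remediate with the update command above.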
Azure Resource Manager
Ensure that there are 3 Microsoft.Insights/diagnosticSettings resources where category is set to storageread, storagewrite, and storagedelete respectively, each with enabled set to true:
{
  "properties": {
    "logs": [
      {
        "category": "storageread",
        "enabled": true
      }
    ]
  }
}
Example Configuration
{
  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
  "apiVersion": "2021-05-01-preview",
  "properties": {
    "logs": [
      {
        "category": "storageread",
        "enabled": true
      }
    ]
  }
  # other required fields here
}
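The following is an added example, not the rule engine's own code, showing how the Azure Resource Manager check above can be applied to a template before deployment: it walks the template's resources (including nested child resources), finds every diagnostic settings resource attached to a storage account's queue service, and reports which of the three categories are enabled. Beyond the nested resource type shown on this page it also recognises a top-level Microsoft.Insights/diagnosticSettings resource whose "scope" points at queueServices; that second shape, the queue_diag_resource helper and both templates are assumptions constructed for the example.

```python
"""Check an ARM template for the queue-service diagnostic settings this rule describes.

Added example, not the rule engine's own code. It walks a template's
resources (including nested child resources), finds every diagnostic
settings resource attached to a storage account's queue service, and
reports which of the three categories (storageread, storagewrite,
storagedelete) are enabled. The templates below are constructed.
"""

REQUIRED_CATEGORIES = {"storageread", "storagewrite", "storagedelete"}


def queue_diag_resource(account_name, category, enabled=True):
    """Build one nested diagnosticSettings resource for a single log category (constructed helper)."""
    return {
        "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
        "apiVersion": "2021-05-01-preview",
        "name": "%s/default/Microsoft.Insights/%s" % (account_name, category),
        "dependsOn": ["[resourceId('Microsoft.Storage/storageAccounts', '%s')]" % account_name],
        "properties": {"logs": [{"category": category, "enabled": enabled}]},
    }


# Constructed storage account resource the diagnostic settings attach to.
STORAGE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2021-04-01",
    "name": "examplestorage",
    "location": "eastus",
    "kind": "StorageV2",
    "sku": {"name": "Standard_LRS"},
}

# Constructed non-compliant template: delete logging is declared but disabled.
PARTIAL_TEMPLATE = {
    "resources": [
        STORAGE_ACCOUNT,
        queue_diag_resource("examplestorage", "storageread"),
        queue_diag_resource("examplestorage", "storagewrite"),
        queue_diag_resource("examplestorage", "storagedelete", enabled=False),
    ]
}

# Constructed compliant template: one enabled diagnostic setting per category.
COMPLIANT_TEMPLATE = {
    "resources": [STORAGE_ACCOUNT]
    + [queue_diag_resource("examplestorage", c) for c in sorted(REQUIRED_CATEGORIES)]
}


def _iter_resources(resources):
    """Yield every resource, descending into nested 'resources' arrays."""
    for res in resources:
        yield res
        yield from _iter_resources(res.get("resources", []))


def _targets_queue_service(res):
    """True if this resource is a diagnostic setting on a storage account's queue service."""
    rtype = str(res.get("type", "")).lower()
    if not rtype.endswith("diagnosticsettings"):
        return False
    if "queueservices" in rtype:
        return True
    # Assumed alternative shape: Microsoft.Insights/diagnosticSettings with an explicit scope.
    scope = str(res.get("scope", "")).lower()
    return "queueservices" in scope


def enabled_queue_log_categories(template):
    """Return the set of enabled category names (lower-cased) across all queue diagnostic settings."""
    enabled = set()
    for res in _iter_resources(template.get("resources", [])):
        if not _targets_queue_service(res):
            continue
        logs = res.get("properties", {}).get("logs", [])
        # The schema uses an array; tolerate a single object as well.
        if isinstance(logs, dict):
            logs = [logs]
        for log in logs:
            if log.get("enabled") is True and isinstance(log.get("category"), str):
                enabled.add(log["category"].lower())
    return enabled


def missing_queue_log_categories(template):
    """Categories this rule requires that the template does not enable, sorted."""
    return sorted(REQUIRED_CATEGORIES - enabled_queue_log_categories(template))


def is_template_compliant(template):
    """True when storageread, storagewrite and storagedelete are all enabled."""
    return not missing_queue_log_categories(template)


if __name__ == "__main__":
    print("partial template missing:", missing_queue_log_categories(PARTIAL_TEMPLATE))
    print("compliant template missing:", missing_queue_log_categories(COMPLIANT_TEMPLATE))
```

Category names are compared case-insensitively, and a setting whose category is present but has enabled set to false counts as missing, which is the case the PARTIAL_TEMPLATE exercises.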