π Azure Diagnostic Setting is not enabled for all services that support it π’
- Contextual name: π Diagnostic Setting is not enabled for all services that support it π’
- ID:
/ce/ca/azure/monitor/diagnostic-setting-for-all-services - Located in: π Azure Monitor
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITYRELIABILITY
Similar Policiesβ
- Cloud Conformity
Descriptionβ
Descriptionβ
Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Rationaleβ
A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.
... see more
Remediationβ
Remediationβ
Azure Subscriptions should log every access and operation for all resources. Logs should be sent to Storage and a Log Analytics Workspace or equivalent third-party system. Logs should be kept in readily-accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a duration of time as necessary. If retention policies are set but storing logs in a Storage Account is disabled (for example, if only Event Hubs or Log Analytics options are selected), the retention policies have no effect. Enable all monitoring at first, and then be more aggressive moving data to cold storage if the volume of data becomes a cost concern.
From Azure Portalβ
The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:
- Go to the
resource.- Click on
Diagnostic settings.- In the blade that appears, click
Add diagnostic setting.- Configure the diagnostic settings.
- Click on
Save.From Azure CLIβ
For each
resource, run the following making sure to use aresourceappropriate JSON encodedcategoryfor the--logsoption:... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v2.1.0 β πΌ 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Level 1 (Manual) | 1 | |||
| πΌ CIS Azure v3.0.0 β πΌ 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | 1 | |||
| πΌ CIS Azure v4.0.0 β πΌ 7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Logging and Monitoring Configuration | 59 |