π‘οΈ Azure Diagnostic Setting is not enabled for all services that support itπ’βͺ
- Contextual name: π‘οΈ Diagnostic Setting is not enabled for all services that support itπ’βͺ
- ID:
/ce/ca/azure/monitor/diagnostic-setting-for-all-services - Tags:
- βͺ Impossible policy
- π’ Policy with categories
- π’ Policy with type
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY,RELIABILITY
Similar Policiesβ
- Cloud Conformity: Enable Diagnostic Logs for the Supported Resources
Descriptionβ
Descriptionβ
Resource Logs capture activity in the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations performed within a resource itself, for example, reading or updating a secret in Key Vault. Currently, 95 Azure resources support Azure Monitor (see the References section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
In many environments, back-end services are not configured to log and store Resource Logs for certain activities or for a sufficient length of time. It is crucial that monitoring is configured to log all relevant activities and retain those logs for an appropriate duration. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining whether resource logging should be enabled for specific resources depends on the context and requirements of each organization and environment.
... see more
Remediationβ
Remediationβ
Azure Subscriptions should log every access and operation for all resources. Logs should be sent to Storage and a Log Analytics Workspace or an equivalent third-party system. Logs should be kept in readily accessible storage for a minimum of one year, and then moved to inexpensive cold storage for as long as necessary. If retention policies are set but storing logs in a Storage Account is disabled, for example, if only Event Hubs or Log Analytics options are selected, the retention policies have no effect. Enable all monitoring at first, then move data to cold storage more aggressively if the volume becomes a cost concern.
From Azure Portalβ
The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:
- Go to the
resource.- Click on
Diagnostic settings.- In the blade that appears, click
Add diagnostic setting.- Configure the diagnostic settings.
- Click on
Save.From Azure CLIβ
For each
resource, run the following making sure to use aresourceappropriate JSON encodedcategoryfor the--logsoption:... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| πΌ CIS Azure v5.0.0 β πΌ 6.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | 1 | no data | |||
| πΌ Cloudaware Framework β πΌ Logging and Monitoring Configuration | 75 | no data |