🛡️ Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests🟢

• Contextual name: 🛡️ Blob Logging is not enabled for Read, Write, and Delete requests🟢
• ID: /ce/ca/azure/storage/blob-logging-for-read-write-delete-requests
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: BEST_PRACTICE
• Policy Categories: RELIABILITY, SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Storage Account
  • 🔌 Azure Storage Account - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable Logging for Azure Storage Blob Service
• Internal: dec-x-db1b7a1b

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-db1b7a1b	1

Description

Open File

Description

The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best-effort basis.

Storage Analytics logging is not enabled by default for your storage account.

Impact

Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to Storage Accounts.
2. For each storage account, under Monitoring, click Diagnostics settings.
3. Select the blob tab indented below the storage account.
4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
6. Select an appropriate destination.
7. Click Save.

From Azure CLI

Use the below command to enable the Storage Logging for Blob service:

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services b --log rwd --retention 90

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		19	22		no data
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;		8	9		no data
💼 CIS Azure v1.3.0 → 💼 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests - Level 2 (Manual)		1	1		no data
💼 CIS Azure v1.4.0 → 💼 3.10 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated)		1	1		no data
💼 CIS Azure v1.5.0 → 💼 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests (Automated)			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			65		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			16		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	26		no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14		no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	6	20	32		no data
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)		16	18		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		65		no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		25		no data
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	14	50	56		no data
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)		6	8		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	51		no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			18		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)			8		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			16		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			26		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	2		32		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			18		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		19		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	7		10		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)			8		no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.1 Event logging		15	18		no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence		14	21		no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging		18	34		no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	34		no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods		18	24		no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors		18	38		no data
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined		13	14		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events		20	26		no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected		11	12		no data
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events		6	7		no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed		18	24		no data
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements		6	7		no data
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested		13	14		no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated		29	33		no data
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved		13	16		no data
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented		13	16		no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations		15	19		no data
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared		6	7		no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy		16	33		no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated		18	24		no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria		19	22		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			35		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			50		no data
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood			14		no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools			33		no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis			38		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			35		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship			26		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			69		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			40		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			41		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			31		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			31		no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition			26		no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging			22		no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents			31		no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated			25		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	19		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information		13	14		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	65		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	25		no data
💼 PCI DSS v3.2.1 → 💼 10.1 Implement audit trails to link all access to system components to each individual user.		4	7		no data
💼 PCI DSS v3.2.1 → 💼 10.2.1 All individual user accesses to cardholder data.		4	14		no data
💼 PCI DSS v3.2.1 → 💼 10.2.4 Invalid logical access attempts.		4	14		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data.			14		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts.			14		no data
💼 PCI DSS v4.0 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data.		1	14		no data
💼 PCI DSS v4.0 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts.		1	14		no data
💼 SOC 2 → 💼 CC4.2-3 Monitors Corrective Action		6	6		no data