
๐Ÿ›ก๏ธ Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Queue Logging is not enabled for Read, Write, and Delete requests๐ŸŸข
  • ID: /ce/ca/azure/storage/queue-logging-for-read-write-delete-requests
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: RELIABILITY, SECURITY

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-611eaa351

Description


The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64 KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and records details of both successful and failed requests in the storage account. These logs let users see the details of read, write, and delete operations against the queues. Each Storage Logging entry contains the following information about an individual request: timing information (start time, end-to-end latency, and server latency), authentication details, concurrency information, and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.


Remediation


From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account, under Monitoring, click Diagnostics settings.
  3. Select the queue tab indented below the storage account.
  4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
  5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
  6. Select an appropriate destination.
  7. Click Save.

From Azure CLI

Use the following command to enable Storage Logging for the Queue service:

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90
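
A check that the setting took effect, added here as an example and not part of the original policy page: it evaluates the JSON printed by `az storage logging show --services q` for each account and lists what is still missing. The account names and sample outputs are constructed, the JSON shape is an assumption, and treating 90 days (the `--retention` value above) as a minimum is an assumption; it covers only the classic Storage Analytics setting changed by the CLI command, not the diagnostic settings configured in the portal steps.

```python
import json

REQUIRED_OPS = ("read", "write", "delete")  # the r, w, d in `--log rwd`

# Constructed outputs of `az storage logging show --services q`, keyed by
# hypothetical account names. The JSON shape is an assumption.
SAMPLES = {
    "stcompliant": '{"queue": {"read": true, "write": true, "delete": true,'
                   ' "retentionPolicy": {"enabled": true, "days": 90}}}',
    "stpartial": '{"queue": {"read": false, "write": true, "delete": true,'
                 ' "retentionPolicy": {"enabled": true, "days": 7}}}',
    "stdisabled": '{"queue": {"read": false, "write": false, "delete": false,'
                  ' "retentionPolicy": {"enabled": false, "days": null}}}',
}


def audit_queue_logging(logging_json, min_retention_days=90):
    """Return findings for one account; an empty list means compliant."""
    queue = json.loads(logging_json).get("queue") or {}
    # Each operation must be explicitly true; a missing key counts as disabled.
    findings = [f"{op} requests are not logged"
                for op in REQUIRED_OPS if queue.get(op) is not True]
    policy = queue.get("retentionPolicy") or {}
    days = policy.get("days")
    if not policy.get("enabled") or days is None:
        findings.append("no retention policy is set")
    elif days < min_retention_days:  # assumed minimum, mirrors --retention 90
        findings.append(f"retention of {days} days is below {min_retention_days}")
    return findings


def audit_accounts(samples=SAMPLES):
    """Map each non-compliant account name to its list of findings."""
    report = {}
    for name, doc in samples.items():
        findings = audit_queue_logging(doc)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_accounts().items():
        print(f"{account}: " + "; ".join(findings))
```
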


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; 1922 no data
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users; 89 no data
💼 CIS Azure v1.1.0 → 💼 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests 11 no data
💼 CIS Azure v1.3.0 → 💼 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests - Level 2 (Manual) 11 no data
💼 CIS Azure v1.4.0 → 💼 3.3 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated) 11 no data
💼 CIS Azure v1.5.0 → 💼 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated) 11 no data
💼 CIS Azure v2.0.0 → 💼 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated) 11 no data
💼 CIS Azure v2.1.0 → 💼 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Level 2 (Automated) 11 no data
💼 CIS Azure v3.0.0 → 💼 4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Automated) 1 no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration 65 no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H) 16 no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H) 726 no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H) 14 no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 62032 no data
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) 1618 no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 265 no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) 425 no data
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H) 145056 no data
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) 68 no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H) 4851 no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 24 no data
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) 18 no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 65 no data
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H) 8 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H) 16 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H) 26 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H) 14 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 232 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) 18 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 65 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H) 219 no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H) 710 no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) 8 no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.1 Event logging 1518 no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence 1421 no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging 1834 no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed 1034 no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods 1824 no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors 1838 no data
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined 1314 no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events 1863 no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 2026 no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected 1112 no data
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events 67 no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 1824 no data
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements 67 no data
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested 1314 no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated 2933 no data
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved 1316 no data
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented 1316 no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations 1519 no data
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared 67 no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 1633 no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated 1824 no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria 1922 no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities 35 no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources 50 no data
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood 14 no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools 33 no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis 38 no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 145 no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events 85 no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events 35 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 142 no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship 26 no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained 69 no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties 40 no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities 41 no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded 31 no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked 31 no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition 26 no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging 22 no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents 31 no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated 25 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions 1416 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions 1719 no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information 1314 no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation 44765 no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control 81725 no data
💼 PCI DSS v3.2.1 → 💼 10.1 Implement audit trails to link all access to system components to each individual user. 47 no data
💼 PCI DSS v3.2.1 → 💼 10.2.1 All individual user accesses to cardholder data. 414 no data
💼 PCI DSS v3.2.1 → 💼 10.2.4 Invalid logical access attempts. 414 no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data. 14 no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts. 14 no data
💼 PCI DSS v4.0 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data. 114 no data
💼 PCI DSS v4.0 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts. 114 no data
💼 SOC 2 → 💼 CC4.2-3 Monitors Corrective Action 66 no data