Microsoft AzureOverview
The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.
Rationale
Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request for increased security or diagnostics. Requests are logged on a best-effort basis.
Storage Analytics logging is not enabled by default for your storage account.
Impact
Enabling this setting can significantly impact the cost of the log analytics service and data storage used by logging more data per request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.
Default Value
Storage Analytics logging is not enabled by default for your storage account.
Additional Information
Due to their nature and intent, we cannot practically generalize detailed audit log requirements for every blob. This recommendation may be applicable to storage account blob service, where security is paramount.
Remediation guidance
From Azure Portal
- Open the storage account in the Azure Portal using the
Open in Azurebutton - Click the
Diagnostics settingsunder theMonitoringsection in the left column. - Select the 'blob' tab indented below the storage account.
- Click '+ Add diagnostic setting'.
- Under the
Loggingsection, select theStorageRead,StorageWrite, andStorageDeleteoptions to enable Storage Logging for the Blob service. - Select a destination for your logs to be sent to.
From Azure CLI
Use the below command to enable the Storage Logging for Blob service.
az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services b --log rwd --retention 90
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Storage Accounts without Blob Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}
