Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Overview

The Storage Queue service stores messages that any client accessing the storage account may read. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, server latency, authentication details, concurrency information, and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and diagnose service issues. Requests are logged on a best-effort basis.

Default Value

By default, storage account queue services are not logged.

Impact

Enabling this setting can significantly impact the cost of the log analytics service and data storage used by logging more data per request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.

Additional Information

Due to their nature and intent, we cannot practically generalize detailed audit log requirements for every queue. This recommendation may apply to storage account queue services where security is paramount.

References

Remediation guidance

From Azure Console

Go to Storage Accounts.
For each storage account, under Monitoring, click Diagnostics settings.
Select the queue tab indented below the storage account.
To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
Select an appropriate destination.
Click Save.

Azure CLI

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure storage accounts without queue service diagnostic settings logging

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { isQueueServicesDiagnosticsSettingsEnabled: false }
        {
          AND: [
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/queueServices"
                AND: [
                  { logs_SINGLE: { enabled: true, category: "StorageRead" } }
                  { logs_SINGLE: { enabled: true, category: "StorageWrite" } }
                  { logs_SINGLE: { enabled: true, category: "StorageDelete" } }
                ]
              }
            }
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/queueServices"
                logs_SOME: {
                  enabled: true
                  categoryGroup_IN: ["audit", "allLogs"]
                }
              }
            }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}