Cyscale
Back to controls

Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

The Storage Queue service stores messages that any client accessing the storage account may read. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, server latency, authentication details, concurrency information, and the sizes of the request and response messages.

Category

Controls

Low

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

The Storage Queue service stores messages that any client accessing the storage account may read. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, server latency, authentication details, concurrency information, and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and diagnose service issues. Requests are logged on a best-effort basis.

Default Value

By default, storage account queue services are not logged.

Impact

Enabling this setting can significantly impact the cost of the log analytics service and data storage used by logging more data per request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.

Additional Information

Due to their nature and intent, we cannot practically generalize detailed audit log requirements for every queue. This recommendation may apply to storage account queue services where security is paramount.

References

  1. https://learn.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging
  2. https://learn.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest
  3. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources
  4. https://learn.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal

Remediation guidance

From Azure Console

  1. Go to Storage Accounts.
  2. For each storage account, under Monitoring, click Diagnostics settings.
  3. Select the queue tab indented below the storage account.
  4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
  5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
  6. Select an appropriate destination.
  7. Click Save.

Azure CLI

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure storage accounts without queue service diagnostic settings logging

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { isQueueServicesDiagnosticsSettingsEnabled: false }
        {
          AND: [
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/queueServices"
                AND: [
                  { logs_SINGLE: { enabled: true, category: "StorageRead" } }
                  { logs_SINGLE: { enabled: true, category: "StorageWrite" } }
                  { logs_SINGLE: { enabled: true, category: "StorageDelete" } }
                ]
              }
            }
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/queueServices"
                logs_SOME: {
                  enabled: true
                  categoryGroup_IN: ["audit", "allLogs"]
                }
              }
            }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon