Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests

Overview

Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request for increased security or diagnostics. Requests are logged on a best-effort basis.

Impact

Enabling this setting can significantly impact the cost of the log analytics service and data storage used by logging more data per request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.

Default Value

Storage Analytics logging is not enabled by default for your storage account.

Additional Information

Due to their nature and intent, we cannot practically generalize detailed audit log requirements for every table. This recommendation may be applicable to storage account table services where security is paramount.

Remediation guidance

From Azure Portal

Open the storage account in the Azure Portal using the Open in Azure button
Click the Diagnostics settings under the Monitoring section in the left column.
Select the 'table' tab indented below the storage account.
Click '+ Add diagnostic setting'.
Under the Logging section, select the StorageRead, StorageWrite, and StorageDelete options to enable Storage Logging for the Table service.
Select a destination for your logs to be sent to.

From Azure CLI

Use the below command to enable the Storage Logging for Table service.

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services t --log rwd --retention 90

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Storage Accounts without Table Diagnostic Settings

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { isTableServicesDiagnosticsSettingsEnabled: false }
        {
          AND: [
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/tableServices"
                AND: [
                  { logs_SINGLE: { enabled: true, category: "StorageRead" } }
                  { logs_SINGLE: { enabled: true, category: "StorageWrite" } }
                  { logs_SINGLE: { enabled: true, category: "StorageDelete" } }
                ]
              }
            }
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/tableServices"
                logs_SOME: {
                  enabled: true
                  categoryGroup_IN: ["audit", "allLogs"]
                }
              }
            }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}