Description:

The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues.


Rationale:

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.


Impact:

Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages, all of which helps in troubleshooting issues.


Default Value:

Storage Analytics logging is not enabled by default for your storage account.


Audit:

  1. Sign in to your Azure account.

  2. Go to Storage Accounts.

  3. Select the specific Storage Account.

  4. Click the Diagnostics settings blade from the Monitoring section.

  5. Ensure the Status is set to On.

  6. Select Queue properties.

  7. Check that the Read, Write, and Delete options are selected under the Logging section (in this case they were not selected and logging was disabled by default).

Via Azure CLI:

az storage logging show --services q --account-name <storageAccountName>


Remediation:

Pre-requisites:

  1. Azure account

  2. Azure storage account

Implementation Steps:

  1. Go to Storage Accounts.

  2. Select the specific Storage Account.

  3. Click the Diagnostics settings blade from the Monitoring (Classic) section.

  4. Ensure the Status is set to On.

  5. Select Queue properties.

  6. Ensure that the Read, Write, and Delete options are selected under the Logging section.

Via Azure CLI, the command to enable Storage Logging for the Queue service:

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services q --log rwd --retention 90
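To turn the audit above into a repeatable check, the following added example (not part of this benchmark text) evaluates the JSON that `az storage logging show --services q` prints against the Read/Write/Delete and 90-day retention expectations. The sample output and its field names are constructed assumptions about the CLI's JSON shape; compare them with your CLI version's output before relying on the script.

```python
import json

# Constructed sample of the JSON assumed to come back from
# `az storage logging show --services q` on a non-compliant account.
# Field names are an assumption about the CLI output, not taken from the page.
SAMPLE_OUTPUT = """
{
  "queue": {
    "delete": false,
    "read": true,
    "retentionPolicy": {"days": null, "enabled": false},
    "version": "1.0",
    "write": false
  }
}
"""

REQUIRED_OPS = ("read", "write", "delete")


def check_queue_logging(cli_json: str, min_retention_days: int = 90) -> dict:
    """Report which operations are not logged and whether retention is long enough.

    The benchmark expects Read, Write and Delete logging to be on; the remediation
    command sets a 90-day retention, so that is used as the default threshold.
    """
    settings = json.loads(cli_json)
    queue = settings.get("queue") or {}
    missing = [op for op in REQUIRED_OPS if not queue.get(op, False)]
    policy = queue.get("retentionPolicy") or {}
    days = policy.get("days") or 0  # None/absent counts as no retention
    retention_ok = bool(policy.get("enabled")) and days >= min_retention_days
    return {
        "missing_operations": missing,
        "retention_ok": retention_ok,
        "compliant": not missing and retention_ok,
    }


if __name__ == "__main__":
    result = check_queue_logging(SAMPLE_OUTPUT)
    status = "PASS" if result["compliant"] else "FAIL"
    print(f"{status}: missing={result['missing_operations']} "
          f"retention_ok={result['retention_ok']}")
```

Feed it real output with `az storage logging show --services q --account-name <storageAccountName> | python3 check.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`.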

Backout Plan:

  1. Go to Storage Accounts.

  2. Select the specific Storage Account.

  3. Click the Diagnostics settings blade from the Monitoring section.

  4. Ensure the Status is set to On.

  5. Select Queue properties.

  6. Uncheck the Read, Write, and Delete options under the Logging section to disable the logging.

References: