lacework-global-620
3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Manual)
note
This rule has been changed to manual, see Permanently Manual Rules for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 2
Description
Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.
Rationale
Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best-effort basis.
Storage Analytics logging is not enabled by default for your storage account.
Impact
Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.
Audit
From Azure Portal
- From the default portal page select
Storage Accounts
. - Select the specific Storage Account.
- Click the
Diagnostics settings
under theMonitoring
section in the left column. - Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed.
- Ensure
Read
,Write
, andDelete
options are selected under theLogging section
and that they are sent to the correct destination.
From Azure CLI
Ensure the below command's output contains properties delete, read and write set to true.
az storage logging show --services t --account-name <storageAccountName>
Remediation
From Azure Portal
- From the default portal page select
Storage Accounts
. - Select the specific Storage Account.
- Click the
Diagnostics settings
under theMonitoring
section in the left column. - Select the 'table' tab indented below the storage account.
- Click '+ Add diagnostic setting'.
- Select
Read
,Write
andDelete
options under theLogging
section to enable Storage Logging for Table service. - Select a destination for your logs to be sent to.
From Azure CLI
Use the below command to enable the Storage Logging for Table service.
az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services t --log rwd --retention 90
References
https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging
https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources
Additional Information
We cannot practically generalize detailed audit log requirements for every table due to their nature and intent. This recommendation may be applicable to storage account table service where the security is paramount.