Skip to main content

lacework-global-620

3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Manual)

note

This rule has been changed to manual, see Permanently Manual Rules for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best-effort basis.

Storage Analytics logging is not enabled by default for your storage account.

Impact

Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.

Audit

From Azure Portal

  1. From the default portal page select Storage Accounts.
  2. Select the specific Storage Account.
  3. Click the Diagnostics settings under the Monitoring section in the left column.
  4. Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed.
  5. Ensure Read, Write, and Delete options are selected under the Logging section and that they are sent to the correct destination.

From Azure CLI

Ensure the below command's output contains properties delete, read and write set to true.

az storage logging show --services t --account-name <storageAccountName>

Remediation

From Azure Portal

  1. From the default portal page select Storage Accounts.
  2. Select the specific Storage Account.
  3. Click the Diagnostics settings under the Monitoring section in the left column.
  4. Select the 'table' tab indented below the storage account.
  5. Click '+ Add diagnostic setting'.
  6. Select Read, Write and Delete options under the Logging section to enable Storage Logging for Table service.
  7. Select a destination for your logs to be sent to.

From Azure CLI

Use the below command to enable the Storage Logging for Table service.

az storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services t --log rwd --retention 90

References

https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging
https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources

Additional Information

We cannot practically generalize detailed audit log requirements for every table due to their nature and intent. This recommendation may be applicable to storage account table service where the security is paramount.