Storage Logging For Read Write And Delete Requests Disabled
- Query id: 43f6e60c-9cdb-4e77-864d-a66595d26518
- Query name: Storage Logging For Read Write And Delete Requests Disabled
- Platform: AzureResourceManager
- Severity: Medium
- Category: Observability
- URL: Github
Description¶
Storage Logging should be enabled for read, write and delete methods
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
},
"storageSyncName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
"logs": [
{
"category": "StorageRead",
"enabled": false
},
{
"category": "StorageWrite",
"enabled": false
},
{
"category": "StorageDelete",
"enabled": false
}
],
"metrics": [
{
"category": "Transaction",
"enabled": true
}
]
}
}
]
}
}
}
]
}
Postitive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
},
"storageSyncName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
"logs": [
{
"category": "StorageRead",
"enabled": false
}
],
"metrics": [
{
"category": "Transaction",
"enabled": true
}
]
}
}
]
}
}
}
]
}
Postitive test num. 3 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]"
}
]
}
}
}
]
}
Postitive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
},
"storageSyncName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
"logs": [
{
"category": "StorageRead",
"enabled": false
},
{
"category": "StorageWrite",
"enabled": false
},
{
"category": "StorageDelete",
"enabled": false
}
],
"metrics": [
{
"category": "Transaction",
"enabled": true
}
]
}
}
]
}
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Postitive test num. 5 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
},
"storageSyncName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
"logs": [
{
"category": "StorageRead",
"enabled": false
}
],
"metrics": [
{
"category": "Transaction",
"enabled": true
}
]
}
}
]
}
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Postitive test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]"
}
]
}
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
},
"storageSyncName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
"logs": [
{
"category": "StorageRead",
"enabled": true
},
{
"category": "StorageWrite",
"enabled": true
},
{
"category": "StorageDelete",
"enabled": true
}
],
"metrics": [
{
"category": "Transaction",
"enabled": true
}
]
}
}
]
}
}
}
]
}
Negative test num. 2 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"settingName": {
"type": "string"
},
"storageSyncName": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2019-10-01",
"name": "nested",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"endpoints": {
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
},
"settingName": {
"value": "[parameters('settingName')]"
},
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageSyncName": {
"value": "[parameters('storageSyncName')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"endpoints": {
"type": "object"
},
"settingName": {
"type": "String"
},
"storageAccountName": {
"type": "String"
},
"storageSyncName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"variables": {
"hasqueue": "[contains(parameters('endpoints'),'queue')]"
},
"resources": [
{
"condition": "[variables('hasqueue')]",
"type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
"logs": [
{
"category": "StorageRead",
"enabled": true
},
{
"category": "StorageWrite",
"enabled": true
},
{
"category": "StorageDelete",
"enabled": true
}
],
"metrics": [
{
"category": "Transaction",
"enabled": true
}
]
}
}
]
}
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}