Storage Logging For Read Write And Delete Requests Disabled

  • Query id: 43f6e60c-9cdb-4e77-864d-a66595d26518
  • Query name: Storage Logging For Read Write And Delete Requests Disabled
  • Platform: AzureResourceManager
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

Storage Logging should be enabled for read, write and delete methods
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    },
    "settingName": {
      "type": "string"
    },
    "storageSyncName": {
      "type": "string"
    },
    "workspaceId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-10-01",
      "name": "nested",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "endpoints": {
            "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
          },
          "settingName": {
            "value": "[parameters('settingName')]"
          },
          "storageAccountName": {
            "value": "[parameters('storageAccountName')]"
          },
          "storageSyncName": {
            "value": "[parameters('storageSyncName')]"
          },
          "workspaceId": {
            "value": "[parameters('workspaceId')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "endpoints": {
              "type": "object"
            },
            "settingName": {
              "type": "String"
            },
            "storageAccountName": {
              "type": "String"
            },
            "storageSyncName": {
              "type": "String"
            },
            "workspaceId": {
              "type": "String"
            }
          },
          "variables": {
            "hasqueue": "[contains(parameters('endpoints'),'queue')]"
          },
          "resources": [
            {
              "condition": "[variables('hasqueue')]",
              "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
              "apiVersion": "2017-05-01-preview",
              "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
              "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
                "logs": [
                  {
                    "category": "StorageRead",
                    "enabled": false
                  },
                  {
                    "category": "StorageWrite",
                    "enabled": false
                  },
                  {
                    "category": "StorageDelete",
                    "enabled": false
                  }
                ],
                "metrics": [
                  {
                    "category": "Transaction",
                    "enabled": true
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
Postitive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    },
    "settingName": {
      "type": "string"
    },
    "storageSyncName": {
      "type": "string"
    },
    "workspaceId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-10-01",
      "name": "nested",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "endpoints": {
            "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
          },
          "settingName": {
            "value": "[parameters('settingName')]"
          },
          "storageAccountName": {
            "value": "[parameters('storageAccountName')]"
          },
          "storageSyncName": {
            "value": "[parameters('storageSyncName')]"
          },
          "workspaceId": {
            "value": "[parameters('workspaceId')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "endpoints": {
              "type": "object"
            },
            "settingName": {
              "type": "String"
            },
            "storageAccountName": {
              "type": "String"
            },
            "storageSyncName": {
              "type": "String"
            },
            "workspaceId": {
              "type": "String"
            }
          },
          "variables": {
            "hasqueue": "[contains(parameters('endpoints'),'queue')]"
          },
          "resources": [
            {
              "condition": "[variables('hasqueue')]",
              "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
              "apiVersion": "2017-05-01-preview",
              "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
              "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
                "logs": [
                  {
                    "category": "StorageRead",
                    "enabled": false
                  }
                ],
                "metrics": [
                  {
                    "category": "Transaction",
                    "enabled": true
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
Postitive test num. 3 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    },
    "settingName": {
      "type": "string"
    },
    "storageSyncName": {
      "type": "string"
    },
    "workspaceId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-10-01",
      "name": "nested",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "endpoints": {
            "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
          },
          "settingName": {
            "value": "[parameters('settingName')]"
          },
          "storageAccountName": {
            "value": "[parameters('storageAccountName')]"
          },
          "storageSyncName": {
            "value": "[parameters('storageSyncName')]"
          },
          "workspaceId": {
            "value": "[parameters('workspaceId')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "endpoints": {
              "type": "object"
            },
            "settingName": {
              "type": "String"
            },
            "storageAccountName": {
              "type": "String"
            }
          },
          "variables": {
            "hasqueue": "[contains(parameters('endpoints'),'queue')]"
          },
          "resources": [
            {
              "condition": "[variables('hasqueue')]",
              "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
              "apiVersion": "2017-05-01-preview",
              "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]"
            }
          ]
        }
      }
    }
  ]
}

Postitive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "type": "string"
        },
        "settingName": {
          "type": "string"
        },
        "storageSyncName": {
          "type": "string"
        },
        "workspaceId": {
          "type": "string"
        }
      },
      "resources": [
        {
          "apiVersion": "2019-10-01",
          "name": "nested",
          "type": "Microsoft.Resources/deployments",
          "properties": {
            "mode": "Incremental",
            "expressionEvaluationOptions": {
              "scope": "inner"
            },
            "parameters": {
              "endpoints": {
                "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
              },
              "settingName": {
                "value": "[parameters('settingName')]"
              },
              "storageAccountName": {
                "value": "[parameters('storageAccountName')]"
              },
              "storageSyncName": {
                "value": "[parameters('storageSyncName')]"
              },
              "workspaceId": {
                "value": "[parameters('workspaceId')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "endpoints": {
                  "type": "object"
                },
                "settingName": {
                  "type": "String"
                },
                "storageAccountName": {
                  "type": "String"
                },
                "storageSyncName": {
                  "type": "String"
                },
                "workspaceId": {
                  "type": "String"
                }
              },
              "variables": {
                "hasqueue": "[contains(parameters('endpoints'),'queue')]"
              },
              "resources": [
                {
                  "condition": "[variables('hasqueue')]",
                  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
                  "properties": {
                    "workspaceId": "[parameters('workspaceId')]",
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
                    "logs": [
                      {
                        "category": "StorageRead",
                        "enabled": false
                      },
                      {
                        "category": "StorageWrite",
                        "enabled": false
                      },
                      {
                        "category": "StorageDelete",
                        "enabled": false
                      }
                    ],
                    "metrics": [
                      {
                        "category": "Transaction",
                        "enabled": true
                      }
                    ]
                  }
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Postitive test num. 5 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "type": "string"
        },
        "settingName": {
          "type": "string"
        },
        "storageSyncName": {
          "type": "string"
        },
        "workspaceId": {
          "type": "string"
        }
      },
      "resources": [
        {
          "apiVersion": "2019-10-01",
          "name": "nested",
          "type": "Microsoft.Resources/deployments",
          "properties": {
            "mode": "Incremental",
            "expressionEvaluationOptions": {
              "scope": "inner"
            },
            "parameters": {
              "endpoints": {
                "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
              },
              "settingName": {
                "value": "[parameters('settingName')]"
              },
              "storageAccountName": {
                "value": "[parameters('storageAccountName')]"
              },
              "storageSyncName": {
                "value": "[parameters('storageSyncName')]"
              },
              "workspaceId": {
                "value": "[parameters('workspaceId')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "endpoints": {
                  "type": "object"
                },
                "settingName": {
                  "type": "String"
                },
                "storageAccountName": {
                  "type": "String"
                },
                "storageSyncName": {
                  "type": "String"
                },
                "workspaceId": {
                  "type": "String"
                }
              },
              "variables": {
                "hasqueue": "[contains(parameters('endpoints'),'queue')]"
              },
              "resources": [
                {
                  "condition": "[variables('hasqueue')]",
                  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
                  "properties": {
                    "workspaceId": "[parameters('workspaceId')]",
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
                    "logs": [
                      {
                        "category": "StorageRead",
                        "enabled": false
                      }
                    ],
                    "metrics": [
                      {
                        "category": "Transaction",
                        "enabled": true
                      }
                    ]
                  }
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Postitive test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "type": "string"
        },
        "settingName": {
          "type": "string"
        },
        "storageSyncName": {
          "type": "string"
        },
        "workspaceId": {
          "type": "string"
        }
      },
      "resources": [
        {
          "apiVersion": "2019-10-01",
          "name": "nested",
          "type": "Microsoft.Resources/deployments",
          "properties": {
            "mode": "Incremental",
            "expressionEvaluationOptions": {
              "scope": "inner"
            },
            "parameters": {
              "endpoints": {
                "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
              },
              "settingName": {
                "value": "[parameters('settingName')]"
              },
              "storageAccountName": {
                "value": "[parameters('storageAccountName')]"
              },
              "storageSyncName": {
                "value": "[parameters('storageSyncName')]"
              },
              "workspaceId": {
                "value": "[parameters('workspaceId')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "endpoints": {
                  "type": "object"
                },
                "settingName": {
                  "type": "String"
                },
                "storageAccountName": {
                  "type": "String"
                }
              },
              "variables": {
                "hasqueue": "[contains(parameters('endpoints'),'queue')]"
              },
              "resources": [
                {
                  "condition": "[variables('hasqueue')]",
                  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]"
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    },
    "settingName": {
      "type": "string"
    },
    "storageSyncName": {
      "type": "string"
    },
    "workspaceId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-10-01",
      "name": "nested",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "endpoints": {
            "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
          },
          "settingName": {
            "value": "[parameters('settingName')]"
          },
          "storageAccountName": {
            "value": "[parameters('storageAccountName')]"
          },
          "storageSyncName": {
            "value": "[parameters('storageSyncName')]"
          },
          "workspaceId": {
            "value": "[parameters('workspaceId')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "endpoints": {
              "type": "object"
            },
            "settingName": {
              "type": "String"
            },
            "storageAccountName": {
              "type": "String"
            },
            "storageSyncName": {
              "type": "String"
            },
            "workspaceId": {
              "type": "String"
            }
          },
          "variables": {
            "hasqueue": "[contains(parameters('endpoints'),'queue')]"
          },
          "resources": [
            {
              "condition": "[variables('hasqueue')]",
              "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
              "apiVersion": "2017-05-01-preview",
              "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
              "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
                "logs": [
                  {
                    "category": "StorageRead",
                    "enabled": true
                  },
                  {
                    "category": "StorageWrite",
                    "enabled": true
                  },
                  {
                    "category": "StorageDelete",
                    "enabled": true
                  }
                ],
                "metrics": [
                  {
                    "category": "Transaction",
                    "enabled": true
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
Negative test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "type": "string"
        },
        "settingName": {
          "type": "string"
        },
        "storageSyncName": {
          "type": "string"
        },
        "workspaceId": {
          "type": "string"
        }
      },
      "resources": [
        {
          "apiVersion": "2019-10-01",
          "name": "nested",
          "type": "Microsoft.Resources/deployments",
          "properties": {
            "mode": "Incremental",
            "expressionEvaluationOptions": {
              "scope": "inner"
            },
            "parameters": {
              "endpoints": {
                "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]"
              },
              "settingName": {
                "value": "[parameters('settingName')]"
              },
              "storageAccountName": {
                "value": "[parameters('storageAccountName')]"
              },
              "storageSyncName": {
                "value": "[parameters('storageSyncName')]"
              },
              "workspaceId": {
                "value": "[parameters('workspaceId')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "endpoints": {
                  "type": "object"
                },
                "settingName": {
                  "type": "String"
                },
                "storageAccountName": {
                  "type": "String"
                },
                "storageSyncName": {
                  "type": "String"
                },
                "workspaceId": {
                  "type": "String"
                }
              },
              "variables": {
                "hasqueue": "[contains(parameters('endpoints'),'queue')]"
              },
              "resources": [
                {
                  "condition": "[variables('hasqueue')]",
                  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
                  "properties": {
                    "workspaceId": "[parameters('workspaceId')]",
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]",
                    "logs": [
                      {
                        "category": "StorageRead",
                        "enabled": true
                      },
                      {
                        "category": "StorageWrite",
                        "enabled": true
                      },
                      {
                        "category": "StorageDelete",
                        "enabled": true
                      }
                    ],
                    "metrics": [
                      {
                        "category": "Transaction",
                        "enabled": true
                      }
                    ]
                  }
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}