Storage Logging records details of requests (read, write, and delete operations) against your Azure queues. The logs include additional information such as:
  • Timing and server latency.
  • Success or failure, and HTTP status code.
  • Authentication details.

This policy identifies Azure storage accounts that do not have logging enabled for queues. As a best practice, enable logging for read, write, and delete request types on queues.

Build
Azure storage account logging for queues is disabled.
JSON Query:
$.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.* size > 0 and ($.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.*.delete anyFalse or $.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.*.read anyFalse or $.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.*.write anyFalse )
Recommended solution to ensure that storage account logging for queues is enabled:
Ensure that Azure Storage Account logging for queues is enabled. Make sure the "delete", "read" and "write" attributes of the "logging" block under "queue_properties" are all set to true. Note that "version" is a string naming the Storage Analytics version to configure (for example "1.0"), not a boolean. Note also that the query above only matches a storage account whose configuration contains a queue_properties.logging block with at least one of the three request types set to false; an account that declares no queue logging block at all is not matched by that expression, so do not rely on this check alone to find accounts on which queue logging has never been configured.
For example:
"azurerm_storage_account": [ { "<storage_account_name>": [ { "name": "storageaccountname", "queue_properties": [ { "logging": [ { "delete": true, "read": true, "version": "1.0", "write": true } ] } ] } ] } ]
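As an added example (not code from this policy page or from the scanner that evaluates the JSON query), the following Python re-implements the query's semantics over Terraform-as-JSON input in the same shape as the example above, so the rule can be checked offline. It goes one step beyond the query: accounts with no queue_properties.logging block at all are reported as "missing", which the query as written does not match. The sample plan embedded in the script is constructed for the example, and the Storage Analytics version "1.0" used when a block has to be created is an assumed default.

```python
"""Evaluate the queue-logging policy over Terraform-as-JSON input.

Added example for this page, not code from the policy page or from the
scanner that evaluates the JSON query. It re-implements the query's
semantics in plain Python and extends it in one way: accounts that
declare no queue logging block at all are reported as "missing" (the
query as written does not match those, because it requires
logging.* size > 0).
"""
from __future__ import annotations

import json

# The three request types the policy requires logging for.
OPS = ("delete", "read", "write")

# Constructed sample input in the same shape as the page's example:
# resource -> [ { azurerm_storage_account -> [ { <label> -> [ attrs ] } ] } ]
SAMPLE_PLAN = {
    "resource": [
        {
            "azurerm_storage_account": [
                # all three request types logged: compliant
                {"compliant": [{
                    "name": "storacctcompliant",
                    "queue_properties": [{"logging": [
                        {"delete": True, "read": True, "version": "1.0", "write": True}
                    ]}],
                }]},
                # read logging turned off: matched by the query
                {"partial": [{
                    "name": "storacctpartial",
                    "queue_properties": [{"logging": [
                        {"delete": True, "read": False, "version": "1.0", "write": True}
                    ]}],
                }]},
                # no queue_properties block at all: not matched by the query
                {"nologging": [{"name": "storacctnologging"}]},
            ]
        }
    ]
}


def iter_storage_accounts(doc: dict):
    """Yield (label, attrs) for every azurerm_storage_account in the document."""
    for res in doc.get("resource", []):
        for account_map in res.get("azurerm_storage_account", []):
            for label, attrs_list in account_map.items():
                for attrs in attrs_list:
                    yield label, attrs


def queue_logging_blocks(attrs: dict) -> list[dict]:
    """All queue_properties.logging blocks of one storage account (usually 0 or 1)."""
    blocks: list[dict] = []
    for qp in attrs.get("queue_properties", []):
        blocks.extend(qp.get("logging", []))
    return blocks


def violates_query(attrs: dict) -> bool:
    """Literal semantics of the page's query:
    logging.* size > 0 and (delete anyFalse or read anyFalse or write anyFalse).
    A missing attribute is treated as false, slightly stricter than the query."""
    blocks = queue_logging_blocks(attrs)
    if not blocks:
        return False
    return any(block.get(op) is not True for block in blocks for op in OPS)


def evaluate(doc: dict) -> dict[str, str]:
    """Map each account label to "pass", "fail" (query match) or "missing" (no block)."""
    verdicts: dict[str, str] = {}
    for label, attrs in iter_storage_accounts(doc):
        if not queue_logging_blocks(attrs):
            verdicts[label] = "missing"
        elif violates_query(attrs):
            verdicts[label] = "fail"
        else:
            verdicts[label] = "pass"
    return verdicts


def remediate_plan(doc: dict, version: str = "1.0") -> dict:
    """Return a deep copy in which every account logs read, write and delete on queues.
    Existing logging blocks keep their other settings; accounts with no block get one
    (the version string is an assumed default, not something the page prescribes)."""
    fixed = json.loads(json.dumps(doc))
    for _label, attrs in iter_storage_accounts(fixed):
        blocks = queue_logging_blocks(attrs)
        if not blocks:
            attrs["queue_properties"] = [{"logging": [{"version": version}]}]
            blocks = queue_logging_blocks(attrs)
        for block in blocks:
            block.setdefault("version", version)
            for op in OPS:
                block[op] = True
    return fixed


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_PLAN), indent=2))
    print(json.dumps(evaluate(remediate_plan(SAMPLE_PLAN)), indent=2))
```

Run as-is it prints the three verdicts for the constructed sample and then all "pass" after remediation; to evaluate real configuration, load the JSON form of your own Terraform (in the shape shown on this page) and pass it to evaluate().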

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Select 'Storage Accounts'.
  3. Select the storage account you need to modify.
  4. Select 'Diagnostic Logs (classic)'.
  5. Set 'Status' to 'On'.
  6. Select the 'Queue properties' tab.
  7. Enable 'Logging' for the three operations: 'Read', 'Write', 'Delete'.
  8. (Optionally) Select 'Delete data' and specify the number of days for which to retain data.

These steps configure Storage Analytics logging (the 'classic' diagnostics), which is the setting the Terraform queue_properties.logging block manages; it is separate from Azure Monitor diagnostic settings for the queue service. The same change can be made from the Azure CLI with az storage logging update --services q --log rwd, together with --account-name and, optionally, --retention <days>; az storage logging show --services q confirms the result.


The following standards are applicable to this policy:
  • CIS v1.1 (Azure)
  • MITRE ATT&CK [Beta]
  • CCPA 2018

