When using Queue Services for a storage account, logging should be enabled.
Default Severity: medium
Explanation
Storage Analytics logs detailed information about successful and failed requests to a storage service.
This information can be used to monitor individual requests and to diagnose issues with a storage service.
Requests are logged on a best-effort basis.
Possible Impact
Logging provides valuable information about access and usage.
Suggested Resolution
Enable logging for Queue Services.
Insecure Example
The following example will fail the azure-storage-queue-services-logging-enabled check.
resource "azurerm_storage_account" "bad_example" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  queue_properties {
  }
}

resource "azurerm_storage_queue" "bad_example" {
  name                 = "my-queue"
  storage_account_name = azurerm_storage_account.bad_example.name
}
Secure Example
The following example will pass the azure-storage-queue-services-logging-enabled check.
resource "azurerm_storage_account" "good_example" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}
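The same condition can be checked against a rendered plan, which catches accounts defined inside modules as well. The script below is an added example, not tfsec's implementation or code from the original page: it walks JSON in the shape produced by `terraform show -json` and reports each storage account whose queue logging does not cover delete, read and write. Requiring all three operations is an assumption of this example, and the `partial` resource and module name `q` in the sample are constructed.

```python
import json

# Constructed sample, trimmed to the fields used, in the shape of `terraform show -json`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_storage_account.bad_example",
     "type": "azurerm_storage_account",
     "values": {"queue_properties": [{}]}},
    {"address": "azurerm_storage_account.partial",
     "type": "azurerm_storage_account",
     "values": {"queue_properties": [{"logging": [
       {"delete": false, "read": true, "write": true}]}]}}],
  "child_modules": [{"resources": [
    {"address": "module.q.azurerm_storage_account.good_example",
     "type": "azurerm_storage_account",
     "values": {"queue_properties": [{"logging": [
       {"delete": true, "read": true, "write": true}]}]}}]}]
}}}
""")

OPERATIONS = ("delete", "read", "write")

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unlogged_queue_operations(plan):
    """Map storage account address -> queue operations that are not logged."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        # Nested blocks appear as lists of objects in the plan JSON.
        props = (res.get("values", {}).get("queue_properties") or [{}])[0]
        logging = (props.get("logging") or [{}])[0]
        missing = [op for op in OPERATIONS if logging.get(op) is not True]
        if missing:
            findings[res["address"]] = missing
    return findings

if __name__ == "__main__":
    for address, ops in unlogged_queue_operations(SAMPLE_PLAN).items():
        print(f"{address}: queue logging off for {', '.join(ops)}")
```

An account with no `queue_properties` block at all is reported the same way as one with an empty block.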