terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging

semgrep
Author
unknown
Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Logging is configured per service, and this rule covers only the queue service: it flags an azurerm_storage_account resource whose queue_properties block has no nested logging block (an account with no queue_properties block at all is flagged as well), because queue requests against such an account leave no Storage Analytics log trail to investigate.

Definition

rules:
  - id: storage-queue-services-logging
    message: Storage Analytics logs detailed information about successful and failed
      requests to a storage service. This information can be used to monitor
      individual requests and to diagnose issues with a storage service.
      Requests are logged on a best-effort basis.
    patterns:
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
                    queue_properties  {
                      ...
                    }
                ...
              }
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
              }
      - pattern-not-inside: |
          resource "azurerm_storage_account" "..." {
            ...
                  queue_properties  {
                    ...
                    logging {
                      ...
                    }
                    ...
                  }
            ...
          }
    metadata:
      cwe:
        - "CWE-778: Insufficient Logging"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging
        - https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet
      owasp:
        - A10:2017 - Insufficient Logging & Monitoring
        - A09:2021 - Security Logging and Monitoring Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insufficient Logging
    languages:
      - hcl
    severity: WARNING

Examples

storage-queue-services-logging.tf

resource "azurerm_storage_account" "good_example" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # Queue-service Storage Analytics logging enabled for read, write and
  # delete requests, retained for 10 days.
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}

# ruleid: storage-queue-services-logging
resource "azurerm_storage_account" "bad_example" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # queue_properties without a nested logging block: queue requests are not logged.
  queue_properties {
  }
}
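The Semgrep rule above works on the `.tf` source. The following is an added example written for this page (not part of the Semgrep rule or of the azurerm provider) that evaluates the same condition against a Terraform plan instead, so it also sees values that were resolved from variables and accounts created inside modules. It assumes the `planned_values` layout produced by `terraform show -json tfplan`, in which nested blocks such as `queue_properties` and `logging` appear as lists. With `require_all_ops=False` it applies exactly the rule's condition (a `logging` block must exist); the default additionally requires read, write and delete logging to all be enabled, which is stricter than the rule and is an assumption of this example. The sample plans, including the `partial` account, are constructed inline and mirror the page's good and bad examples.

```python
"""Flag Azure storage accounts whose queue service lacks Storage Analytics
logging, evaluated on Terraform plan JSON (terraform show -json tfplan).

Added example for this page; not part of the Semgrep rule or the azurerm
provider. Assumes the planned_values layout of `terraform show -json`, in
which nested blocks such as queue_properties and logging appear as lists.
"""
import json
import sys

OPS = ("read", "write", "delete")


def _account(name, queue_properties):
    """Build one planned azurerm_storage_account entry (constructed test data)."""
    return {
        "address": f"azurerm_storage_account.{name}",
        "type": "azurerm_storage_account",
        "name": name,
        "values": {"name": "example", "queue_properties": queue_properties},
    }


def _plan(*resources):
    """Wrap resources in the minimal planned_values envelope (constructed)."""
    return json.dumps({"format_version": "1.2", "planned_values": {
        "root_module": {"resources": list(resources), "child_modules": []}}})


# Constructed sample plans, mirroring the page's good/bad examples plus an
# account that omits queue_properties entirely.
GOOD_LOGGING = {"read": True, "write": True, "delete": True,
                "version": "1.0", "retention_policy_days": 10}
SAMPLE_PLAN = _plan(
    _account("good_example", [{"logging": [GOOD_LOGGING]}]),
    _account("bad_example", [{"logging": []}]),   # empty queue_properties {}
    _account("no_queue_props", []),                # block omitted entirely
)
# Logging block present, but only read requests are logged (constructed).
SAMPLE_PLAN_PARTIAL = _plan(
    _account("partial", [{"logging": [dict(GOOD_LOGGING, write=False, delete=False)]}]),
)


def iter_resources(module):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def queue_logging(values):
    """Return the queue_properties.logging object, or None when absent."""
    for qp in values.get("queue_properties") or []:
        for log in qp.get("logging") or []:
            return log
    return None


def find_findings(plan_json, require_all_ops=True):
    """Return [(address, reason)] for every storage account failing the check.

    require_all_ops=False reproduces the Semgrep rule's condition exactly
    (a logging block must exist). The default is stricter: read, write and
    delete logging must all be enabled (an assumption of this example).
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        log = queue_logging(res.get("values") or {})
        if log is None:
            findings.append((res["address"], "queue service logging not configured"))
        elif require_all_ops:
            missing = [op for op in OPS if not log.get(op)]
            if missing:
                findings.append((res["address"],
                                 "queue logging disabled for: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_queue_logging.py
    # With no piped input, the constructed SAMPLE_PLAN is checked instead.
    piped = sys.stdin.read() if not sys.stdin.isatty() else ""
    results = find_findings(piped if piped.strip() else SAMPLE_PLAN)
    for address, reason in results:
        print(f"{address}: {reason}")
    sys.exit(1 if results else 0)
```

Run it after `terraform plan -out=tfplan` as `terraform show -json tfplan | python check_queue_logging.py`; a non-zero exit is suitable for failing a CI step. Like the Semgrep rule, it treats an account without any queue_properties block the same as one with an empty block, since neither configures queue-service logging.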