bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV2_AZURE_21 doesn't actually add StorageBlobLogs to the Log Analytics workspace #6844

Open jarmbruster74 opened 1 week ago

jarmbruster74 commented 1 week ago

Describe the issue

CKV2_AZURE_21 - Azure storage account logging setting for blobs is disabled

Azure storage account logging is not configured using Storage Insights, but should use Diagnostic Settings. Details are spelled out in this previous comment - https://github.com/bridgecrewio/checkov/issues/5407#issuecomment-1739682893

Examples

This code passes the check, but doesn't actually create StorageBlobLogs in the Log Analytics Workspace or send any events to it if it already exists.

```hcl
resource "azurerm_resource_group" "resource_group_ok" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "analytics_workspace_ok" {
  name                = "exampleworkspace"
  location            = azurerm_resource_group.resource_group_ok.location
  resource_group_name = azurerm_resource_group.resource_group_ok.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_storage_account" "storage_account_ok" {
  name                     = "examplestoracc"
  resource_group_name      = azurerm_resource_group.resource_group_ok.name
  location                 = azurerm_resource_group.resource_group_ok.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Storage Insights only wires the account into the workspace's Storage Insights
# solution; it does not emit StorageBlobLogs.
resource "azurerm_log_analytics_storage_insights" "analytics_storage_insights_ok" {
  name                = "example-storageinsightconfig"
  resource_group_name = azurerm_resource_group.resource_group_ok.name
  workspace_id        = azurerm_log_analytics_workspace.analytics_workspace_ok.id

  storage_account_id   = azurerm_storage_account.storage_account_ok.id
  storage_account_key  = azurerm_storage_account.storage_account_ok.primary_access_key
  blob_container_names = ["blobExample_ok"]
}

# The self-referencing storage_container_name argument from the original
# snippet is dropped: it is not an argument of this resource and would create
# a reference cycle.
resource "azurerm_storage_container" "storage_container_ok" {
  name                  = "my-awesome-content.zip"
  storage_account_name  = azurerm_storage_account.storage_account_ok.name
  container_access_type = "blob"
}
```

Instead the code that would produce StorageBlobLogs would look like:

```hcl
resource "azurerm_resource_group" "resource_group_ok" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "analytics_workspace_ok" {
  name                = "exampleworkspace"
  location            = azurerm_resource_group.resource_group_ok.location
  resource_group_name = azurerm_resource_group.resource_group_ok.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_storage_account" "storage_account_ok" {
  name                     = "examplestoracc"
  resource_group_name      = azurerm_resource_group.resource_group_ok.name
  location                 = azurerm_resource_group.resource_group_ok.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# A diagnostic setting on the blob service (".../blobServices/default") with
# log categories enabled is what actually produces StorageBlobLogs in the
# workspace.
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_ok" {
  name                       = "examplediagsetting"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.analytics_workspace_ok.id
  target_resource_id         = "${azurerm_storage_account.storage_account_ok.id}/blobServices/default"

  enabled_log {
    category_group = "allLogs"
  }

  metric {
    category = "Capacity"
    enabled  = false
  }

  metric {
    category = "Transaction"
    enabled  = false
  }
}

# The self-referencing storage_container_name argument from the original
# snippet is dropped: it is not an argument of this resource and would create
# a reference cycle.
resource "azurerm_storage_container" "storage_container_ok" {
  name                  = "my-awesome-content.zip"
  storage_account_name  = azurerm_storage_account.storage_account_ok.name
  container_access_type = "blob"
}
```
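The following is an added, standalone illustration of the graph logic the issue argues CKV2_AZURE_21 should apply; it is not checkov's own check code nor its YAML graph-check format. It assumes Terraform resources are flattened into a dict keyed by resource address, with references rendered as `"<address>.id"` strings (a constructed convention), and it also covers the account-level diagnostic setting, which carries no blob log categories.

```python
# Added example, not checkov's implementation: decide whether a storage account's
# blob service ships logs to a Log Analytics workspace via a diagnostic setting.

BLOB_SERVICE_SUFFIX = "/blobServices/default"

def blob_logging_to_workspace(resources: dict, storage_account_addr: str) -> bool:
    """True if an azurerm_monitor_diagnostic_setting targets the blob service of
    storage_account_addr, points at a Log Analytics workspace and enables at
    least one log category. Storage Insights resources are ignored on purpose."""
    expected_target = f"{storage_account_addr}.id{BLOB_SERVICE_SUFFIX}"
    for addr, attrs in resources.items():
        if not addr.startswith("azurerm_monitor_diagnostic_setting."):
            continue
        if attrs.get("target_resource_id") != expected_target:
            continue  # account-level or other target: no StorageBlobLogs
        if not attrs.get("log_analytics_workspace_id"):
            continue  # sent elsewhere (or nowhere), not to the workspace
        logs = attrs.get("enabled_log", [])
        if any(log.get("category_group") or log.get("category") for log in logs):
            return True
    return False

def evaluate(resources: dict) -> dict:
    """Map every storage account address to PASSED or FAILED."""
    return {
        addr: "PASSED" if blob_logging_to_workspace(resources, addr) else "FAILED"
        for addr in resources if addr.startswith("azurerm_storage_account.")
    }

# Constructed resource maps mirroring the issue's two configurations plus an
# account-level diagnostic setting (a common misconfiguration).
SA = "azurerm_storage_account.storage_account_ok"
WS_ID = "azurerm_log_analytics_workspace.analytics_workspace_ok.id"
STORAGE_INSIGHTS_ONLY = {
    SA: {"name": "examplestoracc"},
    "azurerm_log_analytics_storage_insights.analytics_storage_insights_ok": {
        "storage_account_id": f"{SA}.id", "workspace_id": WS_ID},
}
DIAGNOSTIC_SETTING = {
    SA: {"name": "examplestoracc"},
    "azurerm_monitor_diagnostic_setting.diagnostic_setting_ok": {
        "log_analytics_workspace_id": WS_ID,
        "target_resource_id": f"{SA}.id{BLOB_SERVICE_SUFFIX}",
        "enabled_log": [{"category_group": "allLogs"}],
        "metric": [{"category": "Capacity", "enabled": False}]},
}
ACCOUNT_LEVEL_ONLY = {
    SA: {"name": "examplestoracc"},
    "azurerm_monitor_diagnostic_setting.account_level": {
        "log_analytics_workspace_id": WS_ID, "target_resource_id": f"{SA}.id",
        "enabled_log": [{"category_group": "allLogs"}]},
}
```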

Version (please complete the following information):