Key Vault logging should be enabled

Description

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Remediation Steps

Azure Portal

  • Navigate to Key Vaults.

  • For each key vault:

    • Select Diagnostic logs.

    • Select Add diagnostic setting.

    • Enter a diagnostic setting name.

    • Under Category details > log, select AuditEvent.

    • Under Destination details, select Archive to a storage account.

    • Select the subscription and storage account.

    • Under Category details > log, set Retention (days) to 180 or more.

Azure CLI

  • To enable AuditEvent logging for a key vault:

az monitor diagnostic-settings create --subscription {subscription ID} --resource {key vault ID} -n my-key-vault-log \
  --storage-account {storage account ID} \
  --logs '[
     {
       "category": "AuditEvent",
       "enabled": true,
       "retentionPolicy": {
         "enabled": true,
         "days": 180
       }
     }
   ]'
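As an added check, not part of the original rule page, the Python below evaluates the JSON returned by `az monitor diagnostic-settings list --resource {key vault ID}` and reports whether an enabled setting logs AuditEvent and, for a storage-account destination, keeps it for at least 180 days. The sample settings and the resource ID in them are constructed; the `categoryGroup` handling covers the newer "audit"/"allLogs" groups, which include AuditEvent.

```python
import json

# Constructed sample in the shape returned by `az monitor diagnostic-settings list`
# for one key vault: AuditEvent archived to a storage account (placeholder ID)
# but retained for only 90 days, so the check below should flag it.
SAMPLE_SETTINGS = json.loads("""
[
  {
    "name": "my-key-vault-log",
    "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa",
    "logs": [
      {"category": "AuditEvent", "enabled": true,
       "retentionPolicy": {"enabled": true, "days": 90}}
    ]
  }
]
""")

MIN_RETENTION_DAYS = 180

def covers_audit_event(log):
    """An enabled log entry covers AuditEvent either by naming the category
    or via the newer category groups ("audit", "allLogs") that include it."""
    return bool(log.get("enabled")) and (
        log.get("category") == "AuditEvent"
        or log.get("categoryGroup") in ("audit", "allLogs")
    )

def check_key_vault_logging(settings, min_days=MIN_RETENTION_DAYS):
    """Return findings for one key vault's settings; an empty list means compliant."""
    findings = []
    audit_logged = False
    for setting in settings:
        for log in setting.get("logs") or []:
            if not covers_audit_event(log):
                continue
            audit_logged = True
            # Retention policy applies to the storage-account destination only.
            # days == 0 means "retain indefinitely", and a disabled policy never
            # deletes, so both pass; only a short enabled policy is a finding.
            if setting.get("storageAccountId"):
                policy = log.get("retentionPolicy") or {}
                days = policy.get("days", 0)
                if policy.get("enabled") and 0 < days < min_days:
                    findings.append(f"{setting.get('name')}: AuditEvent retention is "
                                    f"{days} days, expected at least {min_days}")
    if not audit_logged:
        findings.append("no enabled diagnostic setting logs AuditEvent")
    return findings
```

Pipe the CLI output into `check_key_vault_logging(json.load(sys.stdin))` per key vault; an empty result means the vault meets this rule.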

Terraform

Example Configuration

resource "azurerm_key_vault" "example" {
  name = "example"
  # other required fields here
}

resource "azurerm_monitor_diagnostic_setting" "example" {
  name                = "example"
  target_resource_id  = azurerm_key_vault.example.id

  log {
    # The log block requires a category; AuditEvent is the one this rule needs.
    category = "AuditEvent"
    enabled  = true

    retention_policy {
      enabled = true
      days    = 180
    }
  }
  # other required fields here
}