Key Vault logging should be enabled

Description

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Remediation Steps

Azure Portal

  • Navigate to Key Vaults.

  • For each key vault:

    • Select Diagnostic logs.

    • Select Add diagnostic setting.

    • Enter a diagnostic setting name.

    • Under Category details > log, select AuditEvent.

    • Under Destination details, select Archive to a storage account.

    • Select the subscription and storage account.

    • Under Category details > log, set Retention (days) to 180 or more.

Azure CLI

  • To enable AuditEvent logging for a key vault:

az monitor diagnostic-settings create --subscription {subscription ID} --resource {key vault ID} -n my-key-vault-log \
  --storage-account {storage account ID} \
  --logs '[
     {
       "category": "AuditEvent",
       "enabled": true,
       "retentionPolicy": {
         "enabled": true,
         "days": 180
       }
     }
   ]'
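The CLI above configures the setting; the counterpart a practitioner usually also wants is a check that verifies a vault actually meets the rule. The Python below is an added example, not code from the original page: it evaluates the JSON returned by `az monitor diagnostic-settings list --resource {key vault ID}` against the three conditions stated above (AuditEvent category enabled, archived to a storage account, retention of 180 days or more). The sample documents inside it are constructed for this example, and the resource IDs in them are placeholders.

```python
"""Compliance check for the Key Vault AuditEvent logging rule.

Added example, not part of the original page. Input is the JSON emitted by
`az monitor diagnostic-settings list` for one key vault; both output shapes
are accepted (a bare list in current CLI releases, a {"value": [...]}
wrapper in older ones). All sample data below is constructed.
"""
import json

MIN_RETENTION_DAYS = 180  # threshold stated by the rule on this page


def evaluate_diagnostic_settings(settings_json):
    """Return {"compliant": bool, "findings": [str, ...]} for one key vault.

    A vault is compliant when at least one diagnostic setting has the
    AuditEvent category enabled, sends it to a storage account, and keeps it
    for MIN_RETENTION_DAYS or longer. Every setting that falls short
    contributes a human-readable finding.
    """
    data = json.loads(settings_json)
    settings = data.get("value", []) if isinstance(data, dict) else data

    findings = []
    if not settings:
        return {"compliant": False,
                "findings": ["no diagnostic settings configured on this key vault"]}

    passed = False
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        audit_logs = [log for log in setting.get("logs", [])
                      if log.get("category") == "AuditEvent"]
        if not audit_logs:
            findings.append(f"{name}: AuditEvent category not selected")
            continue
        log = audit_logs[0]
        if not log.get("enabled"):
            findings.append(f"{name}: AuditEvent category present but disabled")
            continue
        # The rule archives to a storage account; the CLI reports it as storageAccountId.
        if not setting.get("storageAccountId"):
            findings.append(f"{name}: not archived to a storage account")
            continue
        policy = log.get("retentionPolicy") or {}
        days = policy.get("days", 0)
        if not policy.get("enabled") or days < MIN_RETENTION_DAYS:
            findings.append(
                f"{name}: retention is {days} days, rule requires {MIN_RETENTION_DAYS}")
            continue
        passed = True  # this setting satisfies every part of the rule

    return {"compliant": passed, "findings": findings}


# Constructed sample: a vault configured as the CLI command above would leave it.
COMPLIANT = json.dumps([{
    "name": "my-key-vault-log",
    "storageAccountId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/"
                        "providers/Microsoft.Storage/storageAccounts/<account>",
    "logs": [{"category": "AuditEvent", "enabled": True,
              "retentionPolicy": {"enabled": True, "days": 180}}],
    "metrics": [],
}])

# Constructed sample: AuditEvent is enabled but kept for only 30 days.
SHORT_RETENTION = json.dumps([{
    "name": "short-lived",
    "storageAccountId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/"
                        "providers/Microsoft.Storage/storageAccounts/<account>",
    "logs": [{"category": "AuditEvent", "enabled": True,
              "retentionPolicy": {"enabled": True, "days": 30}}],
    "metrics": [],
}])

# Constructed sample in the older {"value": [...]} shape: metrics only, no AuditEvent.
NO_AUDIT = json.dumps({"value": [{
    "name": "metrics-only",
    "storageAccountId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/"
                        "providers/Microsoft.Storage/storageAccounts/<account>",
    "logs": [],
    "metrics": [{"category": "AllMetrics", "enabled": True}],
}]})


if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT), ("short retention", SHORT_RETENTION),
                       ("no AuditEvent", NO_AUDIT), ("nothing configured", "[]")):
        print(label, "->", evaluate_diagnostic_settings(doc))
```

The check encodes the page's threshold literally (a retention policy that is enabled and at least 180 days). It can be run per vault by piping the CLI output into `evaluate_diagnostic_settings`, and a vault with several settings passes as soon as any one of them meets all three conditions, while the findings list still names every setting that does not.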

Azure Resource Manager

{
  "properties": {
    "logs": [
      {
        "category": "AuditEvent",
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ]
  }
}

Example Configuration

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2021-04-01-preview",
  "name": "TestVault"
  # other required fields here
}
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "name": "Test1",
  "properties": {
    "logs": [
      {
        "category": "AuditEvent",
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ]
  }
  # other required fields here
}

Terraform

Example Configuration

resource "azurerm_key_vault" "example" {
  name = "example"
  # other required fields here
}

resource "azurerm_monitor_diagnostic_setting" "example" {
  name                = "example"
  target_resource_id  = azurerm_key_vault.example.id

  log {
    category = "AuditEvent"
    enabled  = true

    retention_policy {
      enabled = true
      days    = 180
    }
  }
  # other required fields here
}