Key Vault logging should be enabled

Description

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Remediation Steps

Azure Portal

• Navigate to Key Vaults.

• For each key vault:

  • Select Diagnostic logs.

  • Select Add diagnostic setting.

  • Enter a diagnostic setting name.

  • Under Category details > log, select AuditEvent.

  • Under Destination details, select Archive to a storage account.

  • Select the subscription and storage account.

  • Under Category details > log, set Retention (days) to 180 or more.

Azure CLI

• To enable AuditEvent logging for a key vault:

az monitor diagnostic-settings create --subscription {subscription ID} --resource {key vault ID} -n my-key-vault-log \
  --storage-account {storage account ID} \
  --logs '[
     {
       "category": "AuditEvent",
       "enabled": true,
       "retentionPolicy": {
         "enabled": true,
         "days": 180
       }
     }
   ]'

Azure Resource Manager

• Ensure that a Microsoft.Insights/diagnosticSettings resource for a Microsoft.KeyVault/vaults resource contains the following:

{
  "properties": {
    "logs": [
      {
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ]
  }
}

Example Configuration

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2021-04-01-preview",
  "name": "TestVault"
  # other required fields here
}
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "name": "Test1",
  "properties": {
    "logs": [
      {
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ]
  }
  # other required fields here
}

Terraform

• Ensure that an azurerm_monitor_diagnostic_setting for a azurerm_key_vault contains the following:

  • log.enabled = true

  • log.retention_policy.enabled = true

  • log.retention_policy.days >= 180

Example Configuration

resource "azurerm_key_vault" "example" {
  name = "example"
  # other required fields here
}

resource "azurerm_monitor_diagnostic_setting" "example" {
  name                = "example"
  target_resource_id  = azurerm_key_vault.example.id

  log {
    enabled = true

    retention_policy {
      enabled = true
      days = 180
    }
  }
  # other required fields here
}

Documentation Links

Runtime

• Azure Key Vault Logging

• CLI: azure monitor diagnostic-settings create

Azure Resource Manager

• Resource: Microsoft.KeyVault/vaults

• Resource: Microsoft.Insights/diagnosticSettings

Terraform

• Resource: azurerm_monitor_diagnostic_setting

  • Field: enabled

  • Block: retention_policy