Key Vault logging should be enabled
Description
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
Remediation Steps
Azure Portal
Navigate to Key Vaults.
For each key vault:
Select Diagnostic logs.
Select Add diagnostic setting.
Enter a diagnostic setting name.
Under Category details > log, select AuditEvent.
Under Destination details, select Archive to a storage account.
Select the subscription and storage account.
Under Category details > log, set Retention (days) to 180 or more.
Azure CLI
To enable AuditEvent logging for a key vault:
az monitor diagnostic-settings create --subscription {subscription ID} --resource {key vault ID} -n my-key-vault-log \
  --storage-account {storage account ID} \
  --logs '[
    {
      "category": "AuditEvent",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 180
      }
    }
  ]'
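Added example, not part of this page or of the az CLI: an offline check that applies the rule above to diagnostic-settings data in the shape `az monitor diagnostic-settings list` returns (a list of settings, each with a `logs` array; ARM-style `properties.logs` objects are accepted too). The vault ids and settings are constructed, and treating the `audit` and `allLogs` category groups as covering AuditEvent is an assumption that goes beyond what the page states.

```python
# Added example: a vault passes when at least one diagnostic setting has an enabled
# log entry that covers AuditEvent with an enabled retention policy of >= 180 days.

MIN_RETENTION_DAYS = 180
# Assumption beyond the page: Key Vault's "audit" and "allLogs" category groups include AuditEvent.
AUDIT_CATEGORY_GROUPS = {"audit", "allLogs"}


def covers_audit_event(entry: dict) -> bool:
    """True when the log entry is enabled and selects AuditEvent directly or via a category group."""
    if not entry.get("enabled", False):
        return False
    return entry.get("category") == "AuditEvent" or entry.get("categoryGroup") in AUDIT_CATEGORY_GROUPS


def retention_ok(entry: dict) -> bool:
    """True when the entry's retention policy is enabled and keeps logs at least MIN_RETENTION_DAYS."""
    policy = entry.get("retentionPolicy") or {}
    return bool(policy.get("enabled")) and int(policy.get("days") or 0) >= MIN_RETENTION_DAYS


def setting_is_compliant(setting: dict) -> bool:
    """Accepts CLI output (top-level 'logs') or an ARM resource ('properties.logs')."""
    logs = (setting.get("properties") or setting).get("logs") or []
    return any(covers_audit_event(e) and retention_ok(e) for e in logs)


def noncompliant_vaults(settings_by_vault: dict) -> list:
    """Map of vault id -> list of its diagnostic settings; returns the failing vault ids, sorted."""
    return sorted(v for v, settings in settings_by_vault.items()
                  if not any(setting_is_compliant(s) for s in settings))


# Constructed sample data (not real vaults or subscriptions).
SAMPLE = {
    "kv-compliant": [{"name": "audit", "logs": [
        {"category": "AuditEvent", "enabled": True, "retentionPolicy": {"enabled": True, "days": 180}}]}],
    "kv-short": [{"name": "audit", "logs": [
        {"category": "AuditEvent", "enabled": True, "retentionPolicy": {"enabled": True, "days": 30}}]}],
    "kv-group": [{"name": "audit", "properties": {"logs": [
        {"categoryGroup": "audit", "enabled": True, "retentionPolicy": {"enabled": True, "days": 365}}]}}],
    "kv-none": [],  # vault with no diagnostic setting at all
}

if __name__ == "__main__":
    print("non-compliant:", noncompliant_vaults(SAMPLE))  # ['kv-none', 'kv-short']
```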
Azure Resource Manager
Ensure that a Microsoft.Insights/diagnosticSettings resource for a Microsoft.KeyVault/vaults resource contains the following:
{
  "properties": {
    "logs": [
      {
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ]
  }
}
Example Configuration
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2021-04-01-preview",
  "name": "TestVault"
  # other required fields here
}
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "name": "Test1",
  "properties": {
    "logs": [
      {
        "category": "AuditEvent",
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ]
  }
  # other required fields here
}
Terraform
Ensure that an azurerm_monitor_diagnostic_setting for an azurerm_key_vault contains the following:
log.enabled = true
log.retention_policy.enabled = true
log.retention_policy.days >= 180
Example Configuration
resource "azurerm_key_vault" "example" {
  name = "example"
  # other required fields here
}
resource "azurerm_monitor_diagnostic_setting" "example" {
  name               = "example"
  target_resource_id = azurerm_key_vault.example.id
  log {
    category = "AuditEvent"
    enabled  = true
    retention_policy {
      enabled = true
      days    = 180
    }
  }
  # other required fields here
}