Key Vault logging should be enabled


Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Portal Remediation Steps

  • Navigate to Key Vaults.

  • For each key vault:

    • Select Diagnostic logs.

    • Select Add diagnostic setting.

    • Enter a diagnostic setting name.

    • Under Category details > log, select AuditEvent.

    • Under Destination details, select Archive to a storage account.

    • Select the subscription and storage account.

    • Under Category details > log, set Retention (days) to 180 or more.

CLI Remediation Steps

  • To enable AuditEvent logging for a key vault:

# Replace each {...} placeholder with the real ID before running.
az monitor diagnostic-settings create --subscription {subscription ID} --resource {key vault ID} -n my-key-vault-log \
  --storage-account {storage account ID} \
  --logs '[
     {
       "category": "AuditEvent",
       "enabled": true,
       "retentionPolicy": {
         "enabled": true,
         "days": 180
       }
     }
   ]'
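
To confirm that a key vault meets the settings described above, the following added example (not part of the original guidance) checks the JSON printed by `az monitor diagnostic-settings list --resource {key vault ID}`. The function name, the finding messages and the sample data are constructed for illustration; the check assumes the output is a JSON list or an object with a `value` list, and it does not interpret category groups.

```python
import json
import sys

MIN_RETENTION_DAYS = 180  # value from the remediation steps on this page

# Constructed sample shaped like `az monitor diagnostic-settings list` output.
SAMPLE = """[
  {"name": "my-key-vault-log",
   "storageAccountId": "<storage account ID>",
   "logs": [{"category": "AuditEvent", "enabled": true,
             "retentionPolicy": {"enabled": true, "days": 30}}]}
]"""


def audit_findings(settings_json):
    """Return a list of problems; an empty list means the key vault passes."""
    data = json.loads(settings_json)
    # Assumption: output is a JSON list or an object wrapping it in "value".
    settings = data.get("value", []) if isinstance(data, dict) else data
    findings = []
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        for log in setting.get("logs") or []:
            # Only an explicit, enabled AuditEvent category is considered.
            if log.get("category") != "AuditEvent" or not log.get("enabled"):
                continue
            policy = log.get("retentionPolicy") or {}
            days = policy.get("days") or 0
            if not setting.get("storageAccountId"):
                findings.append(f"{name}: AuditEvent is not archived to a storage account")
            elif not policy.get("enabled"):
                findings.append(f"{name}: AuditEvent retention policy is not enabled")
            elif days < MIN_RETENTION_DAYS:
                findings.append(
                    f"{name}: AuditEvent retention is {days} days, below {MIN_RETENTION_DAYS}")
            else:
                return []  # one setting that meets every condition is enough
    return findings or ["no diagnostic setting enables AuditEvent"]


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to check the sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    problems = audit_findings(piped.strip() or SAMPLE)
    print("\n".join(problems) if problems else "PASS")
```

Run it per key vault by piping the CLI output into the script; it prints PASS only when at least one diagnostic setting archives AuditEvent to a storage account with retention of 180 days or more.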