Skip to content

Key Vault logging should be enabled¶

Description¶

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Portal Remediation Steps¶

Navigate to Key Vaults.
For each key vault:
- Select Diagnostic logs.
- Select Add diagnostic setting.
- Enter a diagnostic setting name.
- Under Category details > log, select AuditEvent.
- Under Destination details, select Archive to a storage account.
- Select the subscription and storage account.
- Under Category details > log, set Retention (days) to 180 or more.

CLI Remediation Steps¶

To enable AuditEvent logging for a key vault:

az monitor diagnostic-settings create --subscription {subscription ID} --resource {key vault ID} -n my-key-vault-log \
  --storage-account {storage account ID} \
  --logs '[
     {
       "category": "AuditEvent",
       "enabled": true,
       "retentionPolicy": {
         "enabled": true,
         "days": 180
       }
     }
   ]'

Documentation Links¶