lacework-global-557
5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' (Automated)
Profile Applicability
• Level 1
Description
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
Rationale
Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.
Audit
From Azure Portal
- Go to
Key vaults
- For each Key vault
- Go to
Diagnostic settings
- Click on
Edit Settings
- Ensure that
Archive to a storage account
isEnabled
- Ensure that
AuditEvent
is checked, and the retention days is set to180 days
or as appropriate
From Azure CLI
List all key vaults
az keyvault list
For each keyvault id
az monitor diagnostic-settings list --resource <id>
Ensure that storageAccountId
is set as appropriate. Also, ensure that category
and days
are set. One of the sample outputs is as below.
"logs": [
{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 180,
"enabled": true
}
}
]
Remediation
From Azure Portal
- Go to
Key vaults
- For each Key vault
- Go to
Diagnostic settings
- Click on
Edit Settings
- Enable
Archive to a storage account
- Check
AuditEvent
- Change the retention days to be 180, 0 (for indefinite) or as appropriate
From Azure CLI
az monitor diagnostic-settings update --name "Key vault retention policy" --resource "" --set retentionPolicy.days=90
References
https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation