Skip to main content

lacework-global-557

5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' (Automated)

Profile Applicability

• Level 1

Description

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Rationale

Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.

Audit

From Azure Portal

  1. Go to Key vaults
  2. For each Key vault
  3. Go to Diagnostic settings
  4. Click on Edit Settings
  5. Ensure that Archive to a storage account is Enabled
  6. Ensure that AuditEvent is checked, and the retention days is set to 180 days or as appropriate

From Azure CLI

List all key vaults

az keyvault list

For each keyvault id

az monitor diagnostic-settings list --resource <id>

Ensure that storageAccountId is set as appropriate. Also, ensure that category and days are set. One of the sample outputs is as below.

"logs": [
 {
 "category": "AuditEvent",
 "enabled": true,
 "retentionPolicy": {
 "days": 180,
 "enabled": true
 }
 }
 ]

Remediation

From Azure Portal

  1. Go to Key vaults
  2. For each Key vault
  3. Go to Diagnostic settings
  4. Click on Edit Settings
  5. Enable Archive to a storage account
  6. Check AuditEvent
  7. Change the retention days to be 180, 0 (for indefinite) or as appropriate

From Azure CLI

az monitor diagnostic-settings update --name "Key vault retention policy" --resource "" --set retentionPolicy.days=90

References

https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation