Skip to main content

lacework-global-557

Ensure that logging for Azure Key Vault is 'Enabled' (Automated)

Profile Applicability

• Level 1

Description

Enable Audit Logs logging for key vault instances to log interactions with key vaults.

Rationale

Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.

Audit

From Azure Portal

  1. Go to Key vaults.
  2. For each Key vault.
  3. Go to Diagnostic settings.
  4. Click Edit setting.
  5. Ensure that a destination is configured.
  6. Under Category groups, ensure that audit and allLogs are checked.

From Azure CLI

List all key vaults

az keyvault list

For each keyvault id

az monitor diagnostic-settings list --resource <id>

Ensure that storageAccountId is set as appropriate. Also, ensure that category and days are set. One of the sample outputs is as below.

"logs": [
{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}
]

Remediation

From Azure Portal

  1. Go to Key vaults.
  2. Select a Key vault.
  3. Select Diagnostic settings.
  4. Click Edit setting to update an existing diagnostic setting, or Add diagnostic setting to create a new one.
  5. If creating a new diagnostic setting, provide a name.
  6. Configure an appropriate destination.
  7. Under Category groups, select audit and allLogs.
  8. Click Save.

From Azure CLI

To create a new diagnostic setting:

az monitor diagnostic-settings create --name "<diagnostic_setting_name>" --resource <key_vault_id> --logs "[{categoryGroup:audit,enabled:true},{categoryGroup:allLogs,enabled:true}]" --metrics "[{category:AllMetrics,enabled:true}]" <[--event-hub <event_hub_ID> --event-hub-rule <event_hub_auth_rule_ID> | --storage-account <storage_account_ID> |--workspace <log_analytics_workspace_ID> | --marketplace-partner-id <solution_resource_ID>]>

References

https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation