lacework-global-557
Ensure that logging for Azure Key Vault is 'Enabled' (Automated)
Profile Applicability
• Level 1
Description
Enable Audit Logs logging for key vault instances to log interactions with key vaults.
Rationale
Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.
Audit
From Azure Portal
- Go to
Key vaults
. - For each Key vault.
- Go to
Diagnostic settings
. - Click
Edit setting
. - Ensure that a destination is configured.
- Under
Category groups
, ensure thataudit
andallLogs
are checked.
From Azure CLI
List all key vaults
az keyvault list
For each keyvault id
az monitor diagnostic-settings list --resource <id>
Ensure that storageAccountId
is set as appropriate. Also, ensure that category
and days
are set. One of the sample outputs is as below.
"logs": [
{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}
]
Remediation
From Azure Portal
- Go to
Key vaults
. - Select a Key vault.
- Select
Diagnostic settings
. - Click
Edit setting
to update an existing diagnostic setting, or Add diagnostic setting to create a new one. - If creating a new diagnostic setting, provide a name.
- Configure an appropriate destination.
- Under
Category groups
, selectaudit
andallLogs
. - Click
Save
.
From Azure CLI
To create a new diagnostic setting:
az monitor diagnostic-settings create --name "<diagnostic_setting_name>" --resource <key_vault_id> --logs "[{categoryGroup:audit,enabled:true},{categoryGroup:allLogs,enabled:true}]" --metrics "[{category:AllMetrics,enabled:true}]" <[--event-hub <event_hub_ID> --event-hub-rule <event_hub_auth_rule_ID> | --storage-account <storage_account_ID> |--workspace <log_analytics_workspace_ID> | --marketplace-partner-id <solution_resource_ID>]>
References
https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation