Logging for Azure Key Vault is Not Enabled

Overview

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.

Remediation from Azure Portal:

Go to Key vaults
Select a Key vault
Select Diagnostic settings
Click on Edit setting against an existing diagnostic setting, or Add diagnostic setting
If creating a new diagnostic setting, provide a name
Check Archive to a storage account
Under Categories, check Audit Logs
Set an appropriate value for Retention (days)
Click Save

Vendor

Azure

Cloud Service

KeyVault

CIS Azure v2.0.0 5.1.5

References

https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging, https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository, https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Severity

Item Types

Microsoft.KeyVault.vaults

Overview​

Vendor​

Cloud Service​

Related Controls​

References​

Severity​

Item Types​