Ensure that logging for Azure Key Vault is 'Enabled'

Enabling the AuditEvent diagnostic log category on each Key Vault records the requests made to the vault (which identity called which operation on which key, secret or certificate, from which client address, and whether the request succeeded) and makes that record available for investigation, alerting and SIEM ingestion. Without it, a compromised credential can read or modify vault contents with no trace.

Risk Level: Low
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.LOG.12
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have diagnosticSettings contain [ logs contain [ (category='AuditEvent' or categoryGroup='audit') and enabled=true ] ]

REMEDIATION

From Portal

  1. Go to 'Key vaults' and choose your Key Vault
  2. Select 'Diagnostic settings' under 'Monitoring' in the navigation menu
  3. Select 'Add diagnostic setting' or choose an existing one
  4. Under 'Categories' check 'Audit Logs' (the AuditEvent category), or under 'Category groups' check 'audit'. Checking only 'Azure Policy Evaluation Details' does not satisfy this rule, because it is a different log category.
  5. Choose at least one destination, for example 'Archive to a storage account', and Save.

Note: When configuring via Terraform (azurerm_monitor_diagnostic_setting) or Azure CLI (az monitor diagnostic-settings create), the diagnostic setting is a separate resource that targets the vault's resource ID and must specify both the AuditEvent log category (or the audit category group) and a destination; for more information please check the documentation below.
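The following added example (not part of the CloudGuard rule page or of Check Point's own tooling) implements the GSL logic above in Python so the check can be run offline against the JSON that `az monitor diagnostic-settings list --resource <key-vault-resource-id>` returns. The vault names, resource IDs and settings in the sample are constructed for the example; the field names (`logs`, `category`, `categoryGroup`, `enabled`, `storageAccountId`, `workspaceId`) follow the Azure diagnostic settings schema. The sample deliberately includes the two ways a vault looks "configured" but still fails the rule: an AuditEvent entry that is present but disabled, and a setting that only enables Azure Policy Evaluation Details.

```python
import json

# Constructed sample: diagnostic settings for five hypothetical vaults, keyed by
# vault name, each value shaped like the list returned by
#   az monitor diagnostic-settings list --resource <key-vault-resource-id>
SAMPLE = json.loads(r"""
{
  "kv-prod-secrets": [
    {"name": "to-storage",
     "storageAccountId": "/subscriptions/0000/resourceGroups/rg-sec/providers/Microsoft.Storage/storageAccounts/stauditlogs",
     "logs": [
       {"category": "AuditEvent", "categoryGroup": null, "enabled": true},
       {"category": "AzurePolicyEvaluationDetails", "categoryGroup": null, "enabled": false}
     ]}
  ],
  "kv-policy-only": [
    {"name": "policy-only",
     "workspaceId": "/subscriptions/0000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec",
     "logs": [
       {"category": "AzurePolicyEvaluationDetails", "categoryGroup": null, "enabled": true}
     ]}
  ],
  "kv-audit-group": [
    {"name": "audit-group",
     "workspaceId": "/subscriptions/0000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec",
     "logs": [
       {"category": null, "categoryGroup": "audit", "enabled": true}
     ]}
  ],
  "kv-disabled": [
    {"name": "stale",
     "storageAccountId": "/subscriptions/0000/resourceGroups/rg-sec/providers/Microsoft.Storage/storageAccounts/stauditlogs",
     "logs": [
       {"category": "AuditEvent", "categoryGroup": null, "enabled": false}
     ]}
  ],
  "kv-no-settings": []
}
""")


def log_entry_passes(entry: dict) -> bool:
    """One entry of a setting's "logs" array satisfies the GSL predicate
    (category='AuditEvent' or categoryGroup='audit') and enabled=true."""
    if not entry.get("enabled"):
        return False
    return entry.get("category") == "AuditEvent" or entry.get("categoryGroup") == "audit"


def vault_passes(settings: list) -> bool:
    """The rule passes when any diagnostic setting on the vault contains a
    passing log entry. A vault with no diagnostic settings at all fails."""
    return any(log_entry_passes(entry)
               for setting in settings
               for entry in setting.get("logs", []))


def evaluate(vaults: dict) -> dict:
    """Map each vault name to True (compliant) or False (non-compliant)."""
    return {name: vault_passes(settings) for name, settings in vaults.items()}


def failing_vaults(vaults: dict) -> list:
    """Sorted names of vaults that need remediation."""
    return sorted(name for name, ok in evaluate(vaults).items() if not ok)


def remediation_log_entries() -> list:
    """The log entry a remediation should create: AuditEvent, enabled.
    Serialised with json.dumps, this is the value for the --logs argument of
    `az monitor diagnostic-settings create` (a destination such as
    --storage-account or --workspace must be given separately)."""
    return [{"category": "AuditEvent", "enabled": True}]


if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    print("remediation --logs:", json.dumps(remediation_log_entries()))
```

Running the script marks kv-prod-secrets and kv-audit-group as PASS and the other three as FAIL. Note that the rule only checks that the AuditEvent category (or the audit category group) is enabled; it does not check where the logs go, so confirm the destination is one your SOC actually reads.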

References

  1. https://workbench.cisecurity.org/sections/1051556/recommendations/1715932
  2. https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings
  3. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?WT.mc_id=Portal-Microsoft_Azure_Monitoring&tabs=portal
  4. https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault#interpret-your-key-vault-logs
  5. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn't see or extract your keys. Monitor and audit your key use with Azure logging; pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • Azure CIS Foundations v. 1.0.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure ITSG-33
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark