# Audit Key Vault Data Access
Security · Key Vault · Rule · 2020_06 · Important
Ensure audit diagnostics logs are enabled to audit Key Vault access.
## Description

To capture logs that record interactions with the data or settings of a key vault, diagnostic settings must be configured on the vault.

When configuring diagnostic settings, enable one of the following:

- `AuditEvent` category.
- `audit` category group.
- `allLogs` category group.

Management operations on the Key Vault resource itself (the control plane) are captured automatically within Azure Activity Logs; data-plane access to keys, secrets and certificates is only recorded when the audit category is enabled through diagnostic settings.
## Recommendation
Configure audit diagnostics logs to audit Key Vault access.
## Examples

### Configure with Azure template
To deploy key vaults that pass this rule:
- Deploy a diagnostic settings sub-resource (extension resource).
- Enable the `AuditEvent` category, the `audit` category group, or the `allLogs` category group.
For example:
```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2021-05-01-preview",
      "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
      "name": "logs",
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "AuditEvent",
            "enabled": true
          }
        ]
      },
      "dependsOn": [
        "[parameters('name')]"
      ]
    }
  ]
}
```
### Configure with Bicep
To deploy key vaults that pass this rule:
- Deploy a diagnostic settings sub-resource (extension resource).
- Enable the `AuditEvent` category, the `audit` category group, or the `allLogs` category group.
For example:
```bicep
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: vault
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
```
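The following is an added example, not part of this documentation page and not the rule engine's own implementation. It evaluates the condition described above offline against an ARM-style resource list shaped like the template snippet: each `Microsoft.KeyVault/vaults` resource passes only when a diagnostic setting scoped to it has an enabled log entry with the `AuditEvent` category or the `audit` or `allLogs` category group. The vault names, the workspace id placeholder and the sample resource list are constructed; a nested setting whose `scope` is a template expression such as `[format(...)]` is assumed to belong to its parent vault, since expressions are not evaluated here.

```python
"""Offline check of the Key Vault audit-logging condition (added example).

A vault passes when some diagnostic setting scoped to it enables the
AuditEvent category or the audit / allLogs category group.
"""
import json

AUDIT_CATEGORIES = {"AuditEvent"}
AUDIT_CATEGORY_GROUPS = {"audit", "allLogs"}
VAULT_TYPE = "microsoft.keyvault/vaults"
DIAG_TYPE = "microsoft.insights/diagnosticsettings"


def vault_scope(vault: dict) -> str:
    """Scope string that extension resources of this vault resolve to."""
    return f"Microsoft.KeyVault/vaults/{vault['name']}"


def log_entry_audits(entry: dict) -> bool:
    """True if one 'logs' entry is enabled and captures audit events."""
    if not entry.get("enabled", False):
        return False
    return (entry.get("category") in AUDIT_CATEGORIES
            or entry.get("categoryGroup") in AUDIT_CATEGORY_GROUPS)


def diagnostic_setting_audits(setting: dict) -> bool:
    """True if any enabled log entry of the setting covers audit events."""
    logs = setting.get("properties", {}).get("logs", [])
    return any(log_entry_audits(entry) for entry in logs)


def collect(resources: list) -> tuple:
    """Walk the resource tree and return (vaults, settings_by_scope).

    A nested diagnostic setting inherits its parent's scope unless it has a
    literal scope string; template expressions ("[...]") are not evaluated,
    so they fall back to the parent (an assumption of this example).
    """
    vaults = []
    settings_by_scope = {}

    def walk(items, parent_scope):
        for res in items:
            rtype = res.get("type", "").lower()
            scope = parent_scope
            if rtype == VAULT_TYPE:
                scope = vault_scope(res)
                vaults.append(res)
            elif rtype == DIAG_TYPE:
                explicit = res.get("scope", "")
                if explicit and not explicit.startswith("["):
                    scope = explicit
                settings_by_scope.setdefault(scope, []).append(res)
            walk(res.get("resources", []), scope)

    walk(resources, None)
    return vaults, settings_by_scope


def evaluate(resources: list) -> dict:
    """Map each Key Vault name to True (passes the rule) or False (fails)."""
    vaults, settings_by_scope = collect(resources)
    return {
        v["name"]: any(diagnostic_setting_audits(s)
                       for s in settings_by_scope.get(vault_scope(v), []))
        for v in vaults
    }


def _diag(name: str, logs: list, scope: str = None) -> dict:
    """Build a constructed diagnostic settings resource for the sample."""
    res = {"type": "Microsoft.Insights/diagnosticSettings", "name": name,
           "properties": {"workspaceId": "<workspace-resource-id placeholder>",
                          "logs": logs}}
    if scope:
        res["scope"] = scope
    return res


# Constructed sample: two passing vaults, one with the category disabled,
# one with no diagnostic setting at all.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-pass", "resources": [
        _diag("logs", [{"category": "AuditEvent", "enabled": True}],
              scope="[format('Microsoft.KeyVault/vaults/{0}', 'kv-pass')]")]},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-group"},
    _diag("logs", [{"categoryGroup": "allLogs", "enabled": True}],
          scope="Microsoft.KeyVault/vaults/kv-group"),
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-disabled", "resources": [
        _diag("logs", [{"category": "AuditEvent", "enabled": False}])]},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-none"},
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RESOURCES), indent=2))
```

The check is deliberately strict about `enabled`: a diagnostic setting that lists `AuditEvent` but leaves it disabled is a common way to appear configured while recording nothing, so it is reported as a failure alongside vaults with no setting at all.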
## Links
- SE:10 Monitoring and threat detection
- LT-4: Enable logging for security investigation
- Best practices to use Key Vault
- Azure Key Vault logging
- Azure Key Vault security
- Monitoring your Key Vault service with Key Vault insights
- Azure deployment reference