
Enable AuditEvent Logging for Azure Key Vaults

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-004

Ensure that AuditEvent logging is enabled for all Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets like passwords using keys stored in Hardware Security Modules (HSMs).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Monitoring how and when your Azure Key Vaults are accessed, and by whom, gives you an audit trail of every operation against the secrets, encryption keys and certificates managed by the Azure Key Vault service. AuditEvent logs record the caller identity, the operation (for example key or secret get, set, sign, decrypt, and vault management calls) and the outcome, which is what an investigation needs after a suspected credential theft. Key Vault logging is configured through an Azure Monitor diagnostic setting; the procedure on this page sends the logs to an Azure storage account that you provide during setup (a Log Analytics workspace or an Event Hub can be used as the destination instead).


Audit

To determine if the AuditEvent logging is enabled for your Azure Key Vaults, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Subscription equals filter and select the Azure subscription that you want to examine.

04 Choose the Type equals filter, select Equals for Operator, and choose Key vault for Value to list the Azure Key Vaults available in the selected subscription.

05 Click on the name (link) of the Key Vault instance that you want to examine.

06 In the left navigation panel, under Monitoring, select Diagnostic settings to access the diagnostic settings available for the selected Azure Key Vault.

07 On the Diagnostic settings configuration page, check for any defined diagnostic settings. If there are no diagnostic settings listed on this page, audit logging is not enabled for the verified Azure Key Vault. If there are one or more diagnostic settings defined, choose Edit setting to access the feature settings. If none of the defined diagnostic settings has audit logging configured (i.e. neither the Audit Logs checkbox under Categories nor a category group that includes it, such as audit or allLogs, is selected), AuditEvent logging is not enabled for the selected Microsoft Azure Key Vault.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Azure Key Vault available within the selected subscription:

az keyvault list \
  --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault",
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault"
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the ID of the Key Vault that you want to examine as the identifier parameter and custom query filters to describe the active diagnostic settings defined for the specified Azure Key Vault:

az monitor diagnostic-settings list \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault" \
  --query '[*].logs | []'

04 The command output should return the diagnostic settings information available for the selected Key Vault (including AuditEvent logging information):

  1. If the command output returns an empty array (i.e. []), as shown in the output example below, there are no diagnostic settings currently defined, thus audit logging is not enabled for the selected Microsoft Azure Key Vault:
    []
    
  2. If the monitor diagnostic-settings list command output returns any configuration information, check the "enabled" attribute value (boolean) associated with the "AuditEvent" log category. If "enabled" is set to false, as shown in the output example below, the diagnostic settings defined for the specified resource do not include audit logging, therefore AuditEvent logging is not enabled for the selected Microsoft Azure Key Vault. Note that a log entry with "category": null and an enabled "categoryGroup" of "audit" or "allLogs" also covers AuditEvent, so treat such an entry as compliant:
    [
      {
        "category": "AuditEvent",
        "categoryGroup": null,
        "enabled": false,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "AzurePolicyEvaluationDetails",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ]
    

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

By default, AuditEvent logging is not enabled for Microsoft Azure Key Vault instances. To enable and configure AuditEvent logging for your Azure Key Vaults, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Subscription equals filter and select the Azure subscription that you want to access.

04 Choose the Type equals filter, select Equals for Operator, and choose Key vault for Value to list the Azure Key Vaults available in the selected subscription.

05 Click on the name (link) of the Key Vault instance that you want to reconfigure.

06 In the navigation panel, under Monitoring, select Diagnostic settings to access the diagnostic settings available for the selected Azure Key Vault.

07 On the Diagnostic settings configuration page, choose + Add diagnostic setting and perform the following operations:

  1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
  2. For Destination details, select Archive to a storage account, choose the Azure subscription and the storage account required for audit log file storage.
  3. For Logs, select the Audit Logs checkbox available in the Categories section to enable AuditEvent logging for the new diagnostic setting. If the portal still offers a Retention (days) box for the storage account destination, set it to 365 or 0; a setting of 0 (zero) days retains the logs forever. Microsoft has since deprecated the retention setting of diagnostic settings, so for new settings manage log retention with a lifecycle management policy on the storage account instead.
  4. Choose Save to apply the changes.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a new Key Vault diagnostic setting that will enable and configure AuditEvent logging for the specified Azure Key Vault. For example, the following monitor diagnostic-settings create command request creates a diagnostic setting with the name "cc-audit-event-log-setting", for an Azure Key Vault identified by ID "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault", that retains AuditEvent logging data for 365 days within a storage account named "abcdabcdabcdabcdabcdabcd" (the --storage-account parameter accepts the account name or its full resource ID):

az monitor diagnostic-settings create \
  --name cc-audit-event-log-setting \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault" \
  --storage-account abcdabcdabcdabcdabcdabcd \
  --logs '[{"category": "AuditEvent","enabled": true,"retentionPolicy": {"enabled": true,"days": 365}}]'

02 The command output should return the configuration metadata for the newly created Azure Key Vault diagnostic setting:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.keyvault/vaults/cc-main-key-vault/providers/microsoft.insights/diagnosticSettings/cc-audit-event-log-setting",
	"logs": [
		{
			"category": "AuditEvent",
			"enabled": true,
			"retentionPolicy": {
				"days": 365,
				"enabled": true
			}
		}
	],
	"metrics": [],
	"name": "cc-audit-event-log-setting",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcdabcd",
	"type": "Microsoft.Insights/diagnosticSettings"
}

03 Repeat steps no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.
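The audit procedure above (list every vault in every subscription, inspect its diagnostic settings) and the remediation command are repetitive by hand. The script below is an added example, not part of this Conformity page or of the Azure CLI: it evaluates the JSON that az monitor diagnostic-settings list returns for each vault, flags vaults where no setting enables AuditEvent (by category name or via the audit/allLogs category group, and tolerating the older {"value": [...]} wrapper of that command), and builds the argv for the az monitor diagnostic-settings create remediation for each non-compliant vault. The vault IDs, storage account name and settings data are constructed placeholders; a --live flag drives the real az CLI, which is assumed to be installed and logged in. The retentionPolicy is left out of the generated command because Microsoft has deprecated it; use a storage account lifecycle management policy for retention.

```python
"""Audit AuditEvent logging on Azure Key Vaults and build the remediation command.

Added example; not the Conformity page's or the Azure CLI's own code. Offline it
runs against constructed sample data; with --live it shells out to `az`.
"""
import json
import shlex
import subprocess
import sys

# Azure Monitor category groups that include the Key Vault AuditEvent category.
# A setting that enables one of these logs AuditEvent without naming it.
AUDIT_CATEGORY_GROUPS = {"audit", "alllogs"}


def audit_event_enabled(settings):
    """True if any diagnostic setting (parsed `az monitor diagnostic-settings
    list` output) enables AuditEvent by name or via a covering category group."""
    if isinstance(settings, dict):            # older CLI versions wrap the list
        settings = settings.get("value") or []
    for setting in settings:
        for log in setting.get("logs") or []:
            if not log.get("enabled"):
                continue
            category = log.get("category") or ""
            group = (log.get("categoryGroup") or "").lower()
            if category == "AuditEvent" or group in AUDIT_CATEGORY_GROUPS:
                return True
    return False


def find_noncompliant(vaults):
    """`vaults` maps vault resource ID -> diagnostic-settings list; returns the
    sorted IDs of vaults with no AuditEvent logging."""
    return sorted(v for v, s in vaults.items() if not audit_event_enabled(s))


def build_create_command(vault_id, storage_account, setting_name="cc-audit-event-log-setting"):
    """argv for the page's remediation: one diagnostic setting that sends
    AuditEvent logs to a storage account (retentionPolicy omitted; deprecated)."""
    logs = [{"category": "AuditEvent", "enabled": True}]
    return ["az", "monitor", "diagnostic-settings", "create",
            "--name", setting_name,
            "--resource", vault_id,
            "--storage-account", storage_account,
            "--logs", json.dumps(logs)]


def az_json(*args):
    """Run an az command (live mode only) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def collect_live():
    """The page's 'repeat for each subscription' loop: every Key Vault in every
    subscription the signed-in identity can see, with its diagnostic settings."""
    vaults = {}
    for sub in az_json("account", "list", "--query", "[].id"):
        for vault_id in az_json("keyvault", "list", "--subscription", sub, "--query", "[].id"):
            vaults[vault_id] = az_json("monitor", "diagnostic-settings", "list",
                                       "--resource", vault_id)
    return vaults


# Constructed sample data (placeholder IDs, not real resources).
RG = "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
VAULT_MAIN = RG + "/providers/Microsoft.KeyVault/vaults/cc-main-key-vault"
VAULT_PROD = RG + "/providers/Microsoft.KeyVault/vaults/cc-production-vault"
VAULT_STAGING = RG + "/providers/Microsoft.KeyVault/vaults/cc-staging-vault"
SAMPLE = {
    VAULT_MAIN: [],                                          # no settings at all
    VAULT_PROD: [{"name": "policy-only", "logs": [           # AuditEvent disabled
        {"category": "AuditEvent", "categoryGroup": None, "enabled": False},
        {"category": "AzurePolicyEvaluationDetails", "categoryGroup": None, "enabled": True}]}],
    VAULT_STAGING: [{"name": "all-logs", "logs": [           # covered by a category group
        {"category": None, "categoryGroup": "allLogs", "enabled": True}]}],
}

if __name__ == "__main__":
    vaults = collect_live() if "--live" in sys.argv else SAMPLE
    bad = find_noncompliant(vaults)
    for vault_id in bad:
        print("NON-COMPLIANT:", vault_id)
        print("  fix:", shlex.join(build_create_command(vault_id, "abcdabcdabcdabcdabcdabcd")))
    sys.exit(1 if bad else 0)
```

Run without arguments to see the two constructed non-compliant vaults and the exact create command for each; run with --live (after az login, with Reader on the subscriptions and Monitoring Contributor if you intend to apply the printed commands) to audit a real tenant. The non-zero exit status makes the script usable as a CI or scheduled compliance gate.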

Publication date Aug 16, 2019