Skip to content

Audit Automation Account data access#

Security · Automation Account · Rule · 2021_12 · Important

Ensure automation account audit diagnostic logs are enabled.

Description#

To capture logs that record interactions with data or the settings of the automation account, diagnostic settings must be configured.

When configuring diagnostic settings, enabled one of the following:

  • AuditEvent category.
  • audit category group.
  • allLogs category group.

Management operations for Automation Account is captured automatically within Azure Activity Logs.

Recommendation#

Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.

Examples#

Configure with Azure template#

To deploy Automation accounts that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable AuditEvent category or audit category group or allLogs category group.

For example:

Azure Template snippet
{
    "parameters": {
        "automationAccountName": {
            "defaultValue": "automation-account1",
            "type": "String"
        },
        "location": {
          "type": "String"
        },
        "workspaceId": {
          "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Automation/automationAccounts",
            "apiVersion": "2021-06-22",
            "name": "[parameters('automationAccountName')]",
            "location": "[parameters('location')]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "disableLocalAuth": false,
                "sku": {
                    "name": "Basic"
                },
                "encryption": {
                    "keySource": "Microsoft.Automation",
                    "identity": {}
                }
            }
        },
        {
            "comments": "Enable monitoring of Automation Account operations.",
            "type": "Microsoft.Insights/diagnosticSettings",
            "name": "[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]",
            "apiVersion": "2021-05-01-preview",
            "dependsOn": [
                "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]"
            ],
            "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "logs": [
                    {
                        "category": "AuditEvent",
                        "enabled": true,
                        "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                        }
                    }
                ]
            }
        }
    ]
}

Configure with Bicep#

To deploy Automation accounts that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable AuditEvent category or audit category group or allLogs category group.

For example:

Azure Bicep snippet
param automationAccountName string = 'automation-account1'
param location string
param workspaceId string

resource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: automationAccountName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    sku: {
      name: 'Basic'
    }
    encryption: {
      keySource: 'Microsoft.Automation'
      identity: {}
    }
  }
}

resource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diagnosticSettings'
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
    ]
  }
  dependsOn: [
    automationAccountResource
  ]
}

Comments