# Audit Key Vault Data Access
Security · Key Vault · 2020_06
Ensure audit diagnostics logs are enabled to audit Key Vault access.
## Description
To capture logs that record interactions with the data or the settings of a key vault, diagnostic settings must be configured.
When configuring diagnostic settings, enable one of the following:

- `AuditEvent` category.
- `audit` category group.
- `allLogs` category group.

Management operations for Key Vault are captured automatically within Azure Activity Logs.
## Recommendation
Configure audit diagnostics logs to audit Key Vault access.
## Examples
### Configure with Azure template
To deploy key vaults that pass this rule:

- Deploy a diagnostic settings sub-resource (extension resource).
- Enable the `AuditEvent` category, the `audit` category group, or the `allLogs` category group.

For example:
Azure Template snippet

```json
{
  "comments": "Create or update a Key Vault.",
  "type": "Microsoft.KeyVault/vaults",
  "name": "[parameters('vaultName')]",
  "apiVersion": "2022-07-01",
  "location": "[parameters('location')]",
  "properties": {
    "accessPolicies": [],
    "tenantId": "[subscription().tenantId]",
    "sku": {
      "name": "Standard",
      "family": "A"
    }
  },
  "resources": [
    {
      "comments": "Enable monitoring of Key Vault operations.",
      "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
      "name": "[concat(parameters('vaultName'), '/Microsoft.Insights/service')]",
      "apiVersion": "2021-05-01-preview",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.KeyVault/vaults/', parameters('vaultName'))]"
      ],
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "AuditEvent",
            "enabled": true
          }
        ]
      }
    }
  ]
}
```
### Configure with Bicep
To deploy key vaults that pass this rule:

- Deploy a diagnostic settings sub-resource (extension resource).
- Enable the `AuditEvent` category, the `audit` category group, or the `allLogs` category group.

For example:
Azure Bicep snippet

```bicep
// Parameters referenced by the snippet, declared so the file compiles stand-alone.
param parmVaultName string
param parmLocation string = resourceGroup().location
param parmWorkspaceId string

resource keyVaultResource 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: parmVaultName
  location: parmLocation
  properties: {
    accessPolicies: []
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

// Diagnostic settings are an extension resource: attach them to the vault with
// `scope` rather than a 'vaults/providers/diagnosticSettings' type path, which
// Bicep cannot type-check. The implicit reference replaces the explicit dependsOn.
resource keyVaultInsightsResource 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'service'
  scope: keyVaultResource
  properties: {
    workspaceId: parmWorkspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
```
## Links
- Security logs and alerts using Azure services
- Best practices to use Key Vault
- Azure Key Vault logging
- Azure Key Vault security
- Monitoring your Key Vault service with Key Vault insights
- Template Reference
Last update: 2022-11-20