
Audit Key Vault Data Access#

Security · Key Vault · 2020_06

Ensure audit diagnostics logs are enabled to audit Key Vault access.

Description#

To capture logs that record interactions with the data (keys, secrets, certificates) or the settings of a key vault, diagnostic settings must be configured on the vault.

When configuring diagnostic settings, enable one of the following:

  • The AuditEvent category.
  • The audit category group.
  • The allLogs category group.

Category groups are available from API version 2021-05-01-preview of Microsoft.Insights/diagnosticSettings; on older API versions, enable the AuditEvent category directly.

Management (control-plane) operations on a Key Vault, such as creating the vault or changing its access policies, are captured automatically in the Azure Activity Log. Data-plane operations, such as reading a secret or using a key, are only recorded when the AuditEvent category is enabled through diagnostic settings.
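The pass condition above, as an added example that is not part of this page or of PSRule's own implementation: a small Python check that evaluates a vault's diagnostic settings in the JSON shape returned by the Azure REST API (and printed by `az monitor diagnostic-settings list --resource <vault-id>`) and reports per setting why a vault passes or fails. The sample settings, setting names and workspace IDs are constructed for this example.

```python
"""Evaluate a Key Vault's diagnostic settings against this rule.

Added example; not PSRule's own implementation. A vault passes when at least
one diagnostic setting enables the AuditEvent category, the audit category
group, or the allLogs category group. The sample documents are constructed.
"""
import json

AUDIT_CATEGORIES = {"auditevent"}
AUDIT_CATEGORY_GROUPS = {"audit", "alllogs"}


def entry_enables_audit(entry: dict) -> bool:
    """True if one `logs[]` entry turns on audit logging.

    Category and category-group names are compared case-insensitively (the
    service accepts either casing); `enabled` must be explicitly true.
    """
    if entry.get("enabled") is not True:
        return False
    category = (entry.get("category") or "").lower()
    group = (entry.get("categoryGroup") or "").lower()
    return category in AUDIT_CATEGORIES or group in AUDIT_CATEGORY_GROUPS


def setting_enables_audit(setting: dict) -> bool:
    """True if a diagnostic setting has at least one audit log entry enabled."""
    # ARM nests the payload under `properties`; the CLI flattens it. Accept both.
    props = setting.get("properties", setting)
    return any(entry_enables_audit(e) for e in props.get("logs", []))


def vault_passes(settings: list) -> bool:
    """Rule result for a vault given all of its diagnostic settings."""
    return any(setting_enables_audit(s) for s in settings)


def findings(settings: list) -> list:
    """One human-readable line per setting, useful when the rule fails."""
    out = []
    for s in settings:
        name = s.get("name", "<unnamed>")
        state = "audit logs enabled" if setting_enables_audit(s) else "no enabled AuditEvent/audit/allLogs entry"
        out.append(f"{name}: {state}")
    if not settings:
        out.append("no diagnostic settings on this vault")
    return out


# Constructed samples (placeholder IDs). FAILING has one setting that ships
# only metrics and one that lists AuditEvent but leaves it disabled; PASSING
# adds a setting that enables the audit category group.
_WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
              "/providers/Microsoft.OperationalInsights/workspaces/law-sec")

FAILING = json.loads("""
[
  {"name": "metrics-only", "properties": {"workspaceId": "%s",
     "logs": [], "metrics": [{"category": "AllMetrics", "enabled": true}]}},
  {"name": "audit-off", "properties": {"workspaceId": "%s",
     "logs": [{"category": "AuditEvent", "enabled": false}]}}
]
""" % (_WORKSPACE, _WORKSPACE))

PASSING = FAILING + [{
    "name": "service",            # flattened shape, as the CLI prints it
    "workspaceId": _WORKSPACE,
    "logs": [{"categoryGroup": "audit", "enabled": True}],
}]

if __name__ == "__main__":
    for label, settings in (("FAILING", FAILING), ("PASSING", PASSING)):
        print(label, "->", "pass" if vault_passes(settings) else "FAIL")
        for line in findings(settings):
            print("  ", line)
```

Note that a setting whose `logs` array lists AuditEvent with `enabled: false` does not count; only an entry that is explicitly enabled satisfies the rule.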

Recommendation#

Configure audit diagnostics logs to audit Key Vault access.

Examples#

Configure with Azure template#

To deploy key vaults that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable the AuditEvent category, or the audit or allLogs category group.

For example:

Azure Template snippet
{
    "comments": "Create or update a Key Vault.",
    "type": "Microsoft.KeyVault/vaults",
    "name": "[parameters('vaultName')]",
    "apiVersion": "2022-07-01",
    "location": "[parameters('location')]",
    "properties": {
        "accessPolicies": [],
        "tenantId": "[subscription().tenantId]",
        "sku": {
            "name": "Standard",
            "family": "A"
        }
    },
    "resources": [
        {
            "comments": "Enable monitoring of Key Vault operations.",
            "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
            "name": "[concat(parameters('vaultName'), '/Microsoft.Insights/service')]",
            "apiVersion": "2021-05-01-preview",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaultName'))]"
            ],
            "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "logs": [
                    {
                        "category": "AuditEvent",
                        "enabled": true
                    }
                ]
            }
        }
    ]
}

Configure with Bicep#

To deploy key vaults that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable the AuditEvent category, or the audit or allLogs category group.

For example:

Azure Bicep snippet
resource keyVaultResource 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: parmVaultName
  location: parmLocation
  properties: {
    accessPolicies: []
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

resource keyVaultInsightsResource 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'service'
  // Diagnostic settings are an extension resource: attach it to the vault
  // with scope rather than the legacy 'vaults/providers/diagnosticSettings'
  // type. The symbolic reference also makes an explicit dependsOn unnecessary.
  scope: keyVaultResource
  properties: {
    workspaceId: parmWorkspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
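Once either template above is deployed, AuditEvent records for the vault flow to the workspace. The following Python is an added example, not code from this page or from PSRule, of the triage those records support: it separates the expected 401 bearer challenge from real denials, counts successful secret reads per caller, and flags callers outside an allowed IP range. The record shape follows the documented Key Vault AuditEvent schema (operationName, resultSignature, callerIpAddress, identity.claim, properties.id); the records, principals, IP addresses and vault name are constructed.

```python
"""Triage Key Vault AuditEvent records once diagnostics are flowing.

Added example, not part of the original page or of PSRule. Field names follow
the documented AuditEvent schema; all values below are constructed.
"""
import ipaddress
import json
from collections import Counter

OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample records (not real telemetry).
SAMPLE_AUDIT_EVENTS = json.loads("""
[
 {"time": "2022-11-20T08:00:00Z", "category": "AuditEvent", "operationName": "Authentication",
  "resultType": "Success", "resultSignature": "Unauthorized", "callerIpAddress": "10.0.1.5",
  "identity": {"claim": {}},
  "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/db-password"}},
 {"time": "2022-11-20T08:00:01Z", "category": "AuditEvent", "operationName": "SecretGet",
  "resultType": "Success", "resultSignature": "OK", "callerIpAddress": "10.0.1.5",
  "identity": {"claim": {"appid": "11111111-1111-1111-1111-111111111111"}},
  "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/db-password/4d3c"}},
 {"time": "2022-11-20T08:00:02Z", "category": "AuditEvent", "operationName": "SecretGet",
  "resultType": "Success", "resultSignature": "OK", "callerIpAddress": "10.0.1.5",
  "identity": {"claim": {"appid": "11111111-1111-1111-1111-111111111111"}},
  "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/api-key/9a2b"}},
 {"time": "2022-11-20T09:15:43Z", "category": "AuditEvent", "operationName": "SecretGet",
  "resultType": "Success", "resultSignature": "Forbidden", "callerIpAddress": "203.0.113.7",
  "identity": {"claim": {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "alice@contoso.com",
                         "http://schemas.microsoft.com/identity/claims/objectidentifier": "22222222-2222-2222-2222-222222222222"}},
  "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/db-password"}},
 {"time": "2022-11-20T09:16:10Z", "category": "AuditEvent", "operationName": "SecretList",
  "resultType": "Success", "resultSignature": "OK", "callerIpAddress": "203.0.113.7",
  "identity": {"claim": {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "alice@contoso.com",
                         "http://schemas.microsoft.com/identity/claims/objectidentifier": "22222222-2222-2222-2222-222222222222"}},
  "properties": {"id": "https://contoso-kv.vault.azure.net/secrets"}}
]
""")


def caller_of(record: dict) -> str:
    """Best available principal identifier: UPN, then app ID, then object ID."""
    claim = record.get("identity", {}).get("claim", {})
    return claim.get(UPN_CLAIM) or claim.get("appid") or claim.get(OID_CLAIM) or "anonymous"


def is_auth_challenge(record: dict) -> bool:
    """Every data-plane call starts with an anonymous request that Key Vault
    answers with a 401 bearer challenge, logged as operationName
    'Authentication'. It is expected noise, not a failed access attempt."""
    return record.get("operationName") == "Authentication"


def denied_access(records: list) -> list:
    """(caller, operation, status, ip, object) for real 401/403 results.
    Keys on resultSignature, which carries the HTTP status reason."""
    return [
        (caller_of(r), r["operationName"], r["resultSignature"], r["callerIpAddress"], r["properties"]["id"])
        for r in records
        if not is_auth_challenge(r) and r.get("resultSignature") in {"Forbidden", "Unauthorized"}
    ]


def secret_reads_by_caller(records: list) -> Counter:
    """Successful SecretGet operations per principal."""
    return Counter(
        caller_of(r) for r in records
        if r.get("operationName") == "SecretGet" and r.get("resultSignature") == "OK"
    )


def access_from_outside(records: list, allowed_cidrs: list) -> set:
    """(ip, caller) pairs for any non-challenge request from outside the allow-list."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    outside = set()
    for r in records:
        if is_auth_challenge(r):
            continue
        ip = ipaddress.ip_address(r["callerIpAddress"])
        if not any(ip in n for n in nets):
            outside.add((r["callerIpAddress"], caller_of(r)))
    return outside


if __name__ == "__main__":
    print("denied:", denied_access(SAMPLE_AUDIT_EVENTS))
    print("secret reads:", secret_reads_by_caller(SAMPLE_AUDIT_EVENTS))
    print("off-network:", access_from_outside(SAMPLE_AUDIT_EVENTS, ["10.0.0.0/8"]))
```

In Log Analytics the same questions are asked against the AzureDiagnostics table filtered to ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"; the filter on the Authentication challenge matters there too, otherwise every legitimate call shows up as an Unauthorized result.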

Last update: 2022-11-20
