Audit Key Vault Data Access#

Security · Key Vault · Rule · 2020_06 · Important

Ensure audit diagnostics logs are enabled to audit Key Vault access.

Description#

To capture logs that record interactions with the data or the settings of a key vault, diagnostic settings must be configured.

When configuring diagnostics settings, enable one of the following:

  • AuditEvent category.
  • audit category group.
  • allLogs category group.

Management operations for Key Vault are captured automatically within Azure Activity Logs, so only data-plane access needs a diagnostic setting.
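As an added example, not part of the rule's own implementation, the following Python applies the same pass condition to a parsed ARM template: a vault passes when any nested diagnosticSettings resource has an enabled AuditEvent category, or an enabled audit or allLogs category group. The sample template, its vault names and the diag() helper are constructed for this illustration.

```python
import json

# Values from the rule text: the AuditEvent category, or the audit / allLogs
# category groups. Compared case-insensitively to be tolerant of template authors.
PASSING_CATEGORY = "auditevent"
PASSING_CATEGORY_GROUPS = {"audit", "alllogs"}


def setting_audits_data_access(setting):
    """True if a single diagnosticSettings resource enables data-plane auditing."""
    for entry in setting.get("properties", {}).get("logs", []):
        if not entry.get("enabled", False):
            continue  # a listed but disabled category does not count
        if str(entry.get("category", "")).lower() == PASSING_CATEGORY:
            return True
        if str(entry.get("categoryGroup", "")).lower() in PASSING_CATEGORY_GROUPS:
            return True
    return False


def vault_passes(vault):
    """A vault passes when any nested diagnostic setting audits data access."""
    nested = [r for r in vault.get("resources", [])
              if r.get("type", "").lower() == "microsoft.insights/diagnosticsettings"]
    return any(setting_audits_data_access(s) for s in nested)


def evaluate_template(template_json):
    """Map each Key Vault name in an ARM template to a pass/fail result."""
    template = json.loads(template_json)
    return {res["name"]: vault_passes(res)
            for res in template.get("resources", [])
            if res.get("type", "").lower() == "microsoft.keyvault/vaults"}


def diag(logs):
    """Build a nested diagnosticSettings resource (constructed sample helper)."""
    return {"type": "Microsoft.Insights/diagnosticSettings",
            "name": "logs", "properties": {"logs": logs}}


# Constructed sample template: three vaults with different diagnostic settings.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-audit-group",
     "resources": [diag([{"categoryGroup": "audit", "enabled": True}])]},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-disabled",
     "resources": [diag([{"category": "AuditEvent", "enabled": False},
                         {"category": "AzurePolicyEvaluationDetails", "enabled": True}])]},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-no-diag", "resources": []},
]})
```

Calling evaluate_template(SAMPLE_TEMPLATE) reports only kv-audit-group as passing; the vault that lists AuditEvent but leaves it disabled fails, as does the vault with no diagnostic setting.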

Recommendation#

Configure audit diagnostics logs to audit Key Vault access.

Examples#

Configure with Azure template#

To deploy key vaults that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable AuditEvent category or audit category group or allLogs category group.

For example:

Azure Template snippet
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2021-05-01-preview",
      "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
      "name": "logs",
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "AuditEvent",
            "enabled": true
          }
        ]
      },
      "dependsOn": [
        "[parameters('name')]"
      ]
    }
  ]
}

Configure with Bicep#

To deploy key vaults that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable AuditEvent category or audit category group or allLogs category group.

For example:

Azure Bicep snippet
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: vault
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
