
Audit Key Vault data access

Security · Key Vault · Azure.KeyVault.Logs

Audit and monitor access to Key Vault data.

Description

To capture access to Key Vault data (secrets, keys and certificates), diagnostic settings must be configured on the vault. When configuring diagnostic settings, enable access logs.

Management operations for Key Vault (control plane changes such as creating a vault or updating access policies) are captured automatically within Azure Activity Logs; data plane access is not, which is why diagnostic settings are required.

Recommendation

Consider configuring diagnostic settings to log access to Key Vault data. Also consider storing the access data in Azure Monitor and using Key Vault Analytics.

Examples

Configure with Azure template

To deploy key vaults that pass this rule:

  • Deploy a diagnostic settings sub-resource.
  • Enable logging for the AuditEvent category.

For example:

{
    "comments": "Create or update a Key Vault.",
    "type": "Microsoft.KeyVault/vaults",
    "name": "[parameters('vaultName')]",
    "apiVersion": "2019-09-01",
    "location": "[parameters('location')]",
    "properties": {
        "accessPolicies": [],
        "tenantId": "[subscription().tenantId]",
        "sku": {
            "name": "Standard",
            "family": "A"
        }
    },
    "resources": [
        {
            "comments": "Enable monitoring of Key Vault operations.",
            "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
            "name": "[concat(parameters('vaultName'), '/Microsoft.Insights/service')]",
            "apiVersion": "2016-09-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaultName'))]"
            ],
            "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "logs": [
                    {
                        "category": "AuditEvent",
                        "enabled": true
                    }
                ]
            }
        }
    ]
}
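As an added example, not part of the PSRule project's own code: a small Python check that applies this rule's logic to an ARM template, flagging any Key Vault resource that lacks a nested diagnostic settings sub-resource with the AuditEvent category enabled. The template, vault names and workspace placeholder are constructed.

```python
# Added example (not PSRule's own code): apply the Azure.KeyVault.Logs logic to a template.
import json

# Constructed template: one vault that enables AuditEvent logs, one that declares
# the category but leaves it disabled, and one with no diagnostic settings at all.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-logged",
     "resources": [{"type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "properties": {"workspaceId": "<workspace-resource-id>",
                                   "logs": [{"category": "AuditEvent", "enabled": true}]}}]},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-disabled",
     "resources": [{"type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "properties": {"logs": [{"category": "AuditEvent", "enabled": false}]}}]},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-unmonitored"}
  ]
}
""")

AUDIT_CATEGORY = "AuditEvent"


def diagnostic_settings(vault):
    """Yield diagnosticSettings sub-resources nested under a vault resource."""
    for child in vault.get("resources", []):
        if child.get("type", "").lower().endswith("/providers/diagnosticsettings"):
            yield child


def audit_logging_enabled(vault):
    """True when any nested diagnostic setting enables the AuditEvent category."""
    for setting in diagnostic_settings(vault):
        for log in setting.get("properties", {}).get("logs", []):
            if log.get("category") == AUDIT_CATEGORY and log.get("enabled") is True:
                return True
    return False


def check_template(template):
    """Map each Key Vault resource name to whether it passes the rule."""
    return {
        r.get("name"): audit_logging_enabled(r)
        for r in template.get("resources", [])
        if r.get("type", "").lower() == "microsoft.keyvault/vaults"
    }


if __name__ == "__main__":
    for name, ok in check_template(TEMPLATE).items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Only vaults with the sub-resource nested directly beneath them are evaluated; a diagnostic setting declared as a separate top-level resource would need the same properties check keyed on its parent vault name.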

Last update: 2021-09-24