Ensure that AuditEvent logging is enabled for your Azure Key Vault instances so that every interaction with your vaults is recorded, which strengthens data protection and supports compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets such as passwords using keys stored in Hardware Security Modules (HSMs).
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Monitoring how and when your Azure Key Vaults are accessed, and by whom, enables an audit trail of interactions with private information, encryption keys and certificates managed by Azure Key Vault service. Enabling logging for Key Vault saves information in a Microsoft Azure storage account that you provide during setup. A new storage container named "insights-logs-auditevent" is automatically created for the storage account that you specified.
Audit
To determine if your Azure Key Vaults have AuditEvent logging enabled, perform the following actions:
Remediation / Resolution
By default, diagnostic AuditEvent logging is not enabled for Azure Key Vault instances. To enable and configure AuditEvent logging for your Microsoft Azure Key Vaults, perform the following actions:
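The audit and remediation steps above both rely on the Azure CLI commands listed under References. The following added example (it is not Conformity's own tooling, nor part of the original page) shows the check a practitioner would script: it evaluates the JSON that `az monitor diagnostic-settings list --resource <vault-id>` returns to decide whether AuditEvent logs are actually being shipped somewhere, and it builds the matching `az monitor diagnostic-settings create` command that enables them to a storage account. It assumes the CLI's JSON shape (a plain list on current CLI versions, `{"value": [...]}` on older ones), the category name `AuditEvent`, and the `audit`/`allLogs` category groups; the resource IDs in the sample data are constructed placeholders, not real identifiers.

```python
"""Audit and remediate AuditEvent logging on Azure Key Vaults (added example).

Assumes the output shape of `az monitor diagnostic-settings list` and
`az keyvault list`; sample data below is constructed, not captured.
"""
import json
import shutil
import subprocess

# Key Vault diagnostic log category and the category groups that include it.
AUDIT_CATEGORY = "AuditEvent"
AUDIT_GROUPS = {"audit", "allLogs"}
DESTINATION_KEYS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")


def _settings_list(raw):
    """Normalise CLI output: newer CLI prints a list, older prints {"value": [...]}."""
    if isinstance(raw, dict):
        return raw.get("value", [])
    return raw or []


def _has_destination(setting):
    """A diagnostic setting records nothing unless it targets at least one sink."""
    return any(setting.get(key) for key in DESTINATION_KEYS)


def audit_event_enabled(raw_settings):
    """Return True if some setting ships enabled AuditEvent logs to a destination."""
    for setting in _settings_list(raw_settings):
        if not _has_destination(setting):
            continue
        for log in setting.get("logs", []):
            if not log.get("enabled"):
                continue
            if log.get("category") == AUDIT_CATEGORY or log.get("categoryGroup") in AUDIT_GROUPS:
                return True
    return False


def remediation_command(vault_id, storage_account_id, name="keyvault-audit"):
    """Build the az CLI argv that enables AuditEvent logging to a storage account."""
    logs = json.dumps([{"category": AUDIT_CATEGORY, "enabled": True}])
    return ["az", "monitor", "diagnostic-settings", "create",
            "--name", name, "--resource", vault_id,
            "--storage-account", storage_account_id, "--logs", logs]


def audit_subscription():
    """Live audit of the current subscription: returns names of non-compliant vaults.

    Requires a logged-in Azure CLI; nothing here changes any resource.
    """
    vaults = json.loads(subprocess.check_output(["az", "keyvault", "list", "-o", "json"]))
    failing = []
    for vault in vaults:
        raw = subprocess.check_output(
            ["az", "monitor", "diagnostic-settings", "list", "--resource", vault["id"], "-o", "json"])
        if not audit_event_enabled(json.loads(raw)):
            failing.append(vault["name"])
    return failing


# Constructed sample settings (placeholder IDs, not real Azure resources).
STORAGE_ID = "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogs"
WORKSPACE_ID = "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law"

COMPLIANT = [{"name": "kv-audit", "storageAccountId": STORAGE_ID,
              "logs": [{"category": "AuditEvent", "enabled": True}]}]
COMPLIANT_GROUP = [{"name": "kv-audit-group", "workspaceId": WORKSPACE_ID,
                    "logs": [{"categoryGroup": "audit", "enabled": True}]}]
NON_COMPLIANT = [{"name": "metrics-only", "workspaceId": WORKSPACE_ID,
                  "logs": [{"category": "AuditEvent", "enabled": False}],
                  "metrics": [{"category": "AllMetrics", "enabled": True}]}]
NO_SINK = [{"name": "dangling", "logs": [{"category": "AuditEvent", "enabled": True}]}]

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("group", COMPLIANT_GROUP),
                          ("metrics-only", NON_COMPLIANT), ("no-sink", NO_SINK)):
        print(f"{label}: AuditEvent logging enabled = {audit_event_enabled(sample)}")
    print(" ".join(remediation_command("<vault-id>", STORAGE_ID)))
    if shutil.which("az"):
        for name in audit_subscription():
            print("missing AuditEvent logging:", name)
```

The check deliberately treats a setting with no destination, or with the AuditEvent category present but disabled, as non-compliant: a setting that exists but writes nowhere gives no audit trail, which is the failure mode a quick "is there a diagnostic setting?" query would miss.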
References
- Azure Official Documentation
- Azure Key Vault logging
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- az monitor log-profiles
- az keyvault list
- az monitor diagnostic-settings list
- az monitor diagnostic-settings create
Enable AuditEvent Logging for Azure Key Vaults
Risk level: Medium