Logo of Trend Micro

Enable AuditEvent Logging for Azure Key Vaults

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: KeyVault-004

Ensure that AuditEvent logging is enabled for Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets like passwords using keys stored in Hardware Security Modules (HSMs).

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Monitoring how and when your Azure Key Vaults are accessed, and by whom, enables an audit trail of interactions with private information, encryption keys and certificates managed by Azure Key Vault service. Enabling logging for Key Vault saves information in a Microsoft Azure storage account that you provide during setup. A new storage container named "insights-logs-auditevent" is automatically created for the storage account that you specified.

Audit

To determine if your Azure Key Vaults have AuditEvent logging enabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available within your Azure account.

04 Click on the name (link) of the Key Vault instance that you want to examine.

05 In the navigation panel, under Monitoring, select Diagnostic settings to access the diagnostic configuration settings available for the selected Key Vault.

06 On Diagnostic settings page, check for any diagnostic settings defined. If there are no diagnostic settings defined at all, the verified Azure Key Vault does not have diagnostic logging enabled. If there are one or more diagnostic settings already defined but these are not including AuditEvent logging (i.e. the AuditEvent checkbox is not selected), the selected Microsoft Azure Key Vault does not have AuditEvent logging enabled.

07 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the identifiers (IDs) of all Key Vault instances available in the current Azure subscription: 

az keyvault list
	--query '[*].id'

02 The command output should return the requested Azure resource ID(s): 

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault",
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault"
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the ID of the Key Vault returned at the previous step as identifier parameter and custom query filters to get the active diagnostic settings list for the specified Azure Key Vault: 

az monitor diagnostic-settings list
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault"
	--query 'value'

04 The command output should return the diagnostic settings metadata (including AuditEvent logging metadata) available for the selected Key Vault:

  1. If the command output returns an empty array, as shown in the example below, there are no diagnostic settings currently defined, therefore the selected Azure Key Vault does not have diagnostic logging enabled. 
    []
  2. If monitor diagnostic-settings list command output returns any configuration metadata, check the value (boolean) set for "enabled" configuration attribute associated with the "AuditEvent" log category. If "enabled" is set to false, as shown in the output example below, the diagnostic settings defined for the specified resource does not include AuditEvent logging, thus the selected Microsoft Azure Key Vault does not have AuditEvent logging enabled. 
    [
  {
    ...

    "logs": [
      {
        "category": "AuditEvent",
        "enabled": false,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],

    ...

  }
]

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

By default, diagnostic AuditEvent logging is not enabled for Azure Key Vault instances. To enable and configure AuditEvent logging for your Microsoft Azure Key Vaults, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available within your Azure account.

04 Click on the name (link) of the Key Vault instance that you want to reconfigure.

05 In the navigation panel, under Monitoring, select Diagnostic settings to access the diagnostic configuration settings available for the selected Key Vault.

06 On the Diagnostic settings page, click Add diagnostic setting and perform the following commands:

  1. Provide a unique name for the new diagnostic setting in the Name box.
  2. Select Archive to a storage account checkbox, click on Configure storage account and select an existing account for AuditEvent logging storage from the Storage Account dropdown list.
  3. Select AuditEvent checkbox available in the LOG configuration section and set the number of days to retain AuditEvent log data for the selected Key Vault in the Retention (days) box to 365 or 0, or use the slider control to set the right value. A setting of 0 (zero) days retains the AuditEvent logs forever.
  4. Click Save to apply the configuration changes.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a new Key Vault diagnostic setting that will enable and configure AuditEvent logging for the specified Microsoft Azure Key Vault. For example, the following monitor diagnostic-settings create command request creates a diagnostic setting with the name "cc-audit-event-log-setting", for an Azure Key Vault identified by ID "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault", that retains AuditEvent logging data for 365 days within a storage account identified by the ID "abcdabcdabcdabcdabcdabcd": 

az monitor diagnostic-settings create
	--name cc-audit-event-log-setting
	--resource /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault
	--storage-account abcdabcdabcdabcdabcdabcd
	--logs '[{"category": "AuditEvent","enabled": true,"retentionPolicy": {"enabled": true,"days": 365}}]'

02 The command output should return the configuration metadata for the newly created Azure Key Vault diagnostic setting: 

{
  "eventHubAuthorizationRuleId": null,
  "eventHubName": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.keyvault/vaults/cc-main-key-vault/providers/microsoft.insights/diagnosticSettings/cc-audit-event-log-setting",
  "identity": null,
  "kind": null,
  "location": null,
  "logs": [
    {
      "category": "AuditEvent",
      "enabled": true,
      "retentionPolicy": {
        "days": 365,
        "enabled": true
      }
    }
  ],
  "metrics": [],
  "name": "cc-audit-event-log-setting",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcdabcd",
  "tags": null,
  "type": null,
  "workspaceId": null
}

03 Repeat step no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Aug 16, 2019

Related KeyVault rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable AuditEvent Logging for Azure Key Vaults

Risk level: Medium