📝 Azure Diagnostic Setting for Azure Key Vault is not enabled 🟢

• Contextual name: 📝 Diagnostic Setting for Azure Key Vault is not enabled 🟢
• ID: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault
• Located in: 📁 Azure Monitor

Flags

• 🟢 Impossible policy
• 🟢 Policy with categories
• 🟢 Policy with type

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Enable AuditEvent Logging for Azure Key Vaults
• Internal
  • dec-x-b2ce0ca1

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b2ce0ca1	1

Description

Open File

Description

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Rationale

Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user provided destination of either an Azure storage account or Log Analytics workspace. The same destination can be used for collecting logs for multiple Key Vaults.

Audit

From Azure Portal

1. Go to Key vaults.
2. For each Key vault, under Monitoring, go to Diagnostic settings.
3. Click Edit setting next to a diagnostic setting.
4. Ensure that a destination is configured.
5. Under Category groups, ensure that audit and allLogs are checked.

From Azure CLI

List all key vaults:

az keyvault list

For each keyvault id:

az monitor diagnostic-settings list --resource <id>

Ensure that storageAccountId reflects your desired destination and that categoryGroup and enabled are set as follows in the sample outputs below:

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to Key vaults.
2. Select a Key vault.
3. Select Diagnostic settings.
4. Click Edit setting to update an existing diagnostic setting, or Add diagnostic setting to create a new one.
5. If creating a new diagnostic setting, provide a name.
6. Configure an appropriate destination.
7. Under Category groups, check audit and allLogs.
8. Click Save.

From Azure CLI

To update an existing Diagnostic Settings:

az monitor diagnostic-settings update --name "<diagnostic_setting_name>" --resource <key_vault_id>

To create a new Diagnostic Settings:

az monitor diagnostic-settings create --name "<diagnostic_setting_name>" --resource <key_vault_id> --logs "[{category:audit,enabled:true},{category:allLogs,enabled:true}]" --metrics "[{category:AllMetrics,enabled:true}]" --event-hub <event_hub_ID> --event-hub-rule <event_hub_auth_rule_ID> | --storage-account <storage_account_ID> |--workspace <log_analytics_workspace_ID> | --marketplace-partner-id <solution_resource_ID>

From PowerShell

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		18	21
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;		7	8
💼 CIS Azure v1.1.0 → 💼 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled'		1	1
💼 CIS Azure v1.3.0 → 💼 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' - Level 1 (Automated)		1	1
💼 CIS Azure v1.4.0 → 💼 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' - Level 1 (Automated)		1	1
💼 CIS Azure v1.5.0 → 💼 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated)		1	1
💼 CIS Azure v2.0.0 → 💼 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated)		1	1
💼 CIS Azure v2.1.0 → 💼 5.1.4 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated)		1	1
💼 CIS Azure v3.0.0 → 💼 6.1.4 Ensure that logging for Azure Key Vault is 'Enabled' (Automated)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			49
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	23
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	6	21	26
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	3	9	11
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)		17	19
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		47
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		21
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)		8	9
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		46	48
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)			23
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)			11
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			23
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	2		26
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	1		11
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		17
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)			9
💼 ISO/IEC 27001:2013 → 💼 A.12.4.1 Event logging		16	18
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs		8	9
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence		14	15
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging		19	20
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods		19	22
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors		19	22
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		19	28
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events		21	24
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed		19	23
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated		30	33
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations		16	19
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy		17	20
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated		19	22
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria		20	23
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			26
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			26
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools			33
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis			22
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			83
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			59
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			27
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			89
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship			26
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			24
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition			26
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging			23
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents			30
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated			22
💼 NIST SP 800-53 Revision 4 → 💼 AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING	10	2	2
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		15	16
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information		13	14
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	45	47
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	15	21
💼 PCI DSS v3.2.1 → 💼 10.1 Implement audit trails to link all access to system components to each individual user.		4	4
💼 PCI DSS v3.2.1 → 💼 10.2.1 All individual user accesses to cardholder data.		4	4
💼 PCI DSS v3.2.1 → 💼 10.2.4 Invalid logical access attempts.		4	4
💼 PCI DSS v4.0.1 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data.			4
💼 PCI DSS v4.0.1 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts.			4
💼 PCI DSS v4.0 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data.			4
💼 PCI DSS v4.0 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts.			4