πŸ›‘οΈ Azure Diagnostic Setting for Azure Key Vault is not enabled🟒

  • Contextual name: 🛡️ Diagnostic Setting for Azure Key Vault is not enabled 🟢
  • ID: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Stats​

not available

Logic​

Similar Policies​

Similar Internal Rules​

Rule | Policies | Flags
✉️ dec-x-b2ce0ca11

Description

Enable AuditEvent logging for Key Vault instances to ensure interactions with Key Vault are logged and available.

Rationale​

Monitoring how and when Key Vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user-provided destination of either an Azure Storage account or a Log Analytics workspace. The same destination can be used for collecting logs for multiple Key Vaults.

Audit​

From Azure Portal​
  1. Go to Key vaults.
  2. For each Key vault, under Monitoring, go to Diagnostic settings.
  3. Click Edit setting next to a diagnostic setting.
  4. Ensure that a destination is configured.
  5. Under Category groups, ensure that audit and allLogs are checked.
From Azure CLI​

List all key vaults:

az keyvault list

For each Key Vault id:

az monitor diagnostic-settings list --resource {{key-vault-id}}

Ensure that storageAccountId reflects your desired destination and that categoryGroup and enabled are set as follows in the sample outputs below:

... see more
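
The audit check above, as an added example that is not part of the original policy page: it reads the JSON printed by `az monitor diagnostic-settings list` for one vault and reports whether any setting has a destination plus the `audit` and `allLogs` category groups enabled. The function names, the sample data and the acceptance of a `{"value": [...]}` wrapper are assumptions made for this example.

```python
import json

# Destination fields in `az monitor diagnostic-settings list` output.
DESTINATIONS = ("storageAccountId", "workspaceId",
                "eventHubAuthorizationRuleId", "marketplacePartnerId")
REQUIRED_GROUPS = ("audit", "allLogs")  # category groups from the audit steps

def evaluate_setting(setting):
    """Return findings for one diagnostic setting; an empty list means it passes."""
    findings = []
    if not any(setting.get(field) for field in DESTINATIONS):
        findings.append("no destination configured")
    enabled = {
        (log.get("categoryGroup") or "").lower()
        for log in setting.get("logs") or []
        if log.get("enabled") is True
    }
    # A setting that lists only individual categories (no categoryGroup)
    # does not satisfy the check as this page words it.
    for group in REQUIRED_GROUPS:
        if group.lower() not in enabled:
            findings.append(f"category group {group} not enabled")
    return findings

def evaluate_vault(cli_json):
    """Pass when at least one diagnostic setting on the vault has no findings."""
    data = json.loads(cli_json)
    # Assumption: accept a bare list or a {"value": [...]} wrapper.
    settings = data.get("value", []) if isinstance(data, dict) else data
    if not settings:
        return False, ["no diagnostic setting exists"]
    results = {s.get("name", "<unnamed>"): evaluate_setting(s) for s in settings}
    if any(not findings for findings in results.values()):
        return True, []
    return False, [f"{n}: {f}" for n, fs in results.items() for f in fs]

# Constructed sample outputs with placeholder IDs, not captured from a real tenant.
SAMPLE_PASS = json.dumps([{
    "name": "kv-audit", "workspaceId": None,
    "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>",
    "logs": [{"categoryGroup": "audit", "enabled": True},
             {"categoryGroup": "allLogs", "enabled": True}]}])
SAMPLE_FAIL = json.dumps({"value": [{
    "name": "kv-partial", "storageAccountId": None, "workspaceId": None,
    "logs": [{"categoryGroup": "audit", "enabled": True},
             {"categoryGroup": "allLogs", "enabled": False}]}]})

if __name__ == "__main__":
    print(evaluate_vault(SAMPLE_PASS), evaluate_vault(SAMPLE_FAIL))
```

To use it against a real vault, pass the text printed by the `az monitor diagnostic-settings list` command shown above to `evaluate_vault`.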

Remediation​

From Azure Portal​

  1. Go to Key vaults.
  2. Select a Key vault.
  3. Select Diagnostic settings.
  4. Click Edit setting to update an existing diagnostic setting, or Add diagnostic setting to create a new one.
  5. If creating a new diagnostic setting, provide a name.
  6. Configure an appropriate destination.
  7. Under Category groups, check audit and allLogs.
  8. Click Save.

From Azure CLI​

To update an existing diagnostic setting:

az monitor diagnostic-settings update \
--name {{diagnostic-setting-name}} \
--resource {{key-vault-id}}

To create a new diagnostic setting:

az monitor diagnostic-settings create \
--name {{diagnostic-setting-name}} \
--resource {{key-vault-id}} \
--logs '[{"categoryGroup":"audit","enabled":true},{"categoryGroup":"allLogs","enabled":true}]' \
--metrics '[{"category":"AllMetrics","enabled":true}]' \
--event-hub {{event-hub-id}} \
--event-hub-rule {{event-hub-auth-rule-id}} \
--storage-account {{storage-account-id}} \
--workspace {{log-analytics-workspace-id}}

... [see more](remediation.md)

Linked Framework Sections​

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; 1922 no data
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users; 89 no data
💼 CIS Azure v1.1.0 → 💼 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' 11 no data
💼 CIS Azure v1.3.0 → 💼 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' - Level 1 (Automated) 11 no data
💼 CIS Azure v1.4.0 → 💼 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' - Level 1 (Automated) 11 no data
💼 CIS Azure v1.5.0 → 💼 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated) 11 no data
💼 CIS Azure v2.0.0 → 💼 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated) 11 no data
💼 CIS Azure v2.1.0 → 💼 5.1.4 Ensure that logging for Azure Key Vault is 'Enabled' - Level 1 (Automated) 11 no data
💼 CIS Azure v3.0.0 → 💼 6.1.4 Ensure that logging for Azure Key Vault is 'Enabled' (Automated) 1 no data
💼 CIS Azure v4.0.0 → 💼 7.1.1.4 Ensure that logging for Azure Key Vault is 'Enabled' (Automated) 1 no data
💼 CIS Azure v5.0.0 → 💼 6.1.1.4 Ensure that logging for Azure Key Vault is 'Enabled' (Automated) 1 no data
💼 CIS Azure v6.0.0 → 💼 6.1.1.4 Ensure that Logging for Azure Key Vault is 'Enabled' (Automated) 1 no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration 79 no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H) 832 no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H) 15 no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 62142 no data
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H) 3912 no data
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) 1718 no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 274 no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) 441 no data
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H) 88 no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H) 4957 no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 24 no data
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H) 11 no data
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) 18 no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 74 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H) 32 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H) 15 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) 242 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H) 111 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) 18 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 74 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H) 224 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H) 8 no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.1 Event logging 1618 no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs 88 no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence 1622 no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging 2035 no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods 1924 no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors 1938 no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events 1963 no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 2126 no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 1924 no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated 3033 no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations 1619 no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 1733 no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated 1924 no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria 2022 no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities 51 no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources 66 no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools 33 no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis 38 no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 185 no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events 105 no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events 51 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 182 no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship 26 no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked 50 no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition 26 no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging 22 no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents 31 no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated 25 no data
💼 NIST SP 800-53 Revision 4 → 💼 AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING 1022 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions 1725 no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information 1515 no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation 44874 no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control 81741 no data
💼 PCI DSS v3.2.1 → 💼 10.1 Implement audit trails to link all access to system components to each individual user. 47 no data
💼 PCI DSS v3.2.1 → 💼 10.2.1 All individual user accesses to cardholder data. 414 no data
💼 PCI DSS v3.2.1 → 💼 10.2.4 Invalid logical access attempts. 414 no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data. 14 no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts. 14 no data
💼 PCI DSS v4.0 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data. 114 no data
💼 PCI DSS v4.0 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts. 114 no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities 1636 no data
💼 SOC 2 → 💼 CC7.1-2 Monitors Infrastructure and Software 811 no data