Verify that logging for Azure Key Vault is 'Enabled'
Why this matters:
Enabling logging for Azure Key Vault ensures that all access and operations on keys, secrets, and certificates are traceable. This is critical for forensic investigations, compliance audits, and detecting unauthorized or suspicious activity involving sensitive assets.
What this check does:
This check verifies whether logging is enabled for each Azure Key Vault instance by ensuring the diagnostic settings include the following:
- categoryGroup: audit with enabled: true
- categoryGroup: allLogs with enabled: true
- A valid destination is configured (e.g. Storage Account, Log Analytics Workspace, or Event Hub)
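As an added illustration of the check logic above (not code from the original page or from any scanning tool), this Python evaluates the JSON that az monitor diagnostic-settings list --resource <key_vault_id> prints and applies the three conditions listed. The field names (logs, categoryGroup, enabled, storageAccountId, workspaceId, eventHubName) follow the Azure diagnostic-settings resource schema; the sample output and resource IDs are constructed placeholders.

```python
import json

REQUIRED_GROUPS = {"audit", "alllogs"}  # compared case-insensitively
DESTINATION_KEYS = ("storageAccountId", "workspaceId", "eventHubName")


def enabled_category_groups(setting):
    """Lowercase set of category groups that one diagnostic setting has enabled."""
    return {
        log["categoryGroup"].lower()
        for log in setting.get("logs", [])
        if log.get("categoryGroup") and log.get("enabled") is True
    }


def has_destination(setting):
    """True when the setting routes logs to storage, a workspace or an Event Hub."""
    return any(setting.get(key) for key in DESTINATION_KEYS)


def evaluate_key_vault_logging(cli_output):
    """Return (compliant, findings) for one vault's diagnostic-settings JSON."""
    # Newer az versions print a bare list; older ones wrap it as {"value": [...]}.
    data = json.loads(cli_output)
    settings = data.get("value", []) if isinstance(data, dict) else data
    if not settings:
        return False, ["no diagnostic setting exists"]
    findings = []
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        missing = REQUIRED_GROUPS - enabled_category_groups(setting)
        if missing:
            findings.append(f"{name}: category group(s) not enabled: {sorted(missing)}")
        if not has_destination(setting):
            findings.append(f"{name}: no destination configured")
        if not missing and has_destination(setting):
            return True, []  # one fully configured setting satisfies the check
    return False, findings


# Constructed sample output (placeholder IDs, not real subscription data).
SAMPLE_COMPLIANT = json.dumps([{
    "name": "kv-diag",
    "workspaceId": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law",
    "logs": [{"categoryGroup": "audit", "enabled": True},
             {"categoryGroup": "allLogs", "enabled": True}],
}])
SAMPLE_PARTIAL = json.dumps({"value": [{
    "name": "kv-diag",
    "storageAccountId": "/subscriptions/<sub>/.../storageAccounts/kvlogs",
    "logs": [{"categoryGroup": "audit", "enabled": True},
             {"categoryGroup": "allLogs", "enabled": False}],
}]})
```

To run it against a real vault, pipe the output of az monitor diagnostic-settings list --resource <key_vault_id> -o json into evaluate_key_vault_logging; a vault with a setting that enables only audit, as in SAMPLE_PARTIAL, is reported as non-compliant with the missing group named.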
How this check is executed:
Azure Portal:
- Navigate to Key vaults.
- For each vault, under Monitoring, open Diagnostic settings.
- Ensure a diagnostic setting exists.
- Verify that Audit and AllLogs category groups are selected and routed to a valid destination.
Azure CLI:
az keyvault list
az monitor diagnostic-settings list --resource <key_vault_id>
Confirm output includes categoryGroup entries for both audit and allLogs with enabled: true.
PowerShell:
Get-AzKeyVault
Get-AzDiagnosticSetting -ResourceId <key_vault_id>
Verify output contains a valid StorageAccountId, WorkspaceId, or EventHubName, and both category groups enabled.
How to fix it:
Azure Portal:
- Go to Key vaults > select a vault
- Under Monitoring, click Diagnostic settings
- Click Add diagnostic setting or Edit setting
- Name the setting
- Select a destination (e.g., Storage, Log Analytics)
- Under Category groups, check both audit and allLogs
- Save the configuration
Azure CLI:
After saving, re-run az monitor diagnostic-settings list --resource <key_vault_id> and confirm categoryGroup contains both audit and allLogs with enabled: true.
PowerShell:
After saving, re-run Get-AzDiagnosticSetting -ResourceId <key_vault_id> and verify that both audit and allLogs category groups are present and enabled, and at least one destination is defined.
Exceptions:
None specified.
Further resources: