Verify that logging for Azure Key Vault is 'Enabled'

Framework Reference: A.8.15 Integration: Azure – Key Vault

Why this matters:
Enabling logging for Azure Key Vault ensures that all access and operations on keys, secrets, and certificates are traceable. This is critical for forensic investigations, compliance audits, and detecting unauthorized or suspicious activity involving sensitive assets.


What this check does:
This check verifies whether logging is enabled for each Azure Key Vault instance by ensuring the diagnostic settings include the following:

  • categoryGroup: audit with enabled: true
  • categoryGroup: allLogs with enabled: true
  • A valid destination is configured (e.g. Storage Account, Log Analytics Workspace, or Event Hub)

How this check is executed:

Azure Portal:

  • Navigate to Key vaults.
  • For each vault, under Monitoring, open Diagnostic settings.
  • Ensure a diagnostic setting exists.
  • Verify that Audit and AllLogs category groups are selected and routed to a valid destination.

Azure CLI:

Confirm output includes:

PowerShell:

Verify output contains valid StorageAccountId, WorkspaceId, or EventHubName, and both category groups enabled.
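As an added example (not part of this article or any vendor tooling), the following Python script applies the criteria from "What this check does" to the JSON that `az monitor diagnostic-settings list --resource <key_vault_id>` returns for several vaults. The sample output is constructed, and the key names (logs, categoryGroup, enabled, storageAccountId, workspaceId, eventHubName) are assumed to match the CLI's JSON output.

```python
import json

# Constructed sample output per vault, in the shape returned by
# `az monitor diagnostic-settings list --resource <key_vault_id>`: a JSON array,
# or {"value": [...]} on older CLI versions (key names assumed from that output).
SAMPLE_OUTPUT = {
    "kv-compliant": '[{"name": "kv-diag", "storageAccountId": null, "eventHubName": null,'
        ' "workspaceId": "/subscriptions/EXAMPLE/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law",'
        ' "logs": [{"categoryGroup": "audit", "enabled": true}, {"categoryGroup": "allLogs", "enabled": true}]}]',
    "kv-no-destination": '[{"name": "kv-diag", "storageAccountId": null, "workspaceId": null, "eventHubName": null,'
        ' "logs": [{"categoryGroup": "audit", "enabled": true}, {"categoryGroup": "allLogs", "enabled": true}]}]',
    "kv-partial": '{"value": [{"name": "kv-diag", "storageAccountId": "/subscriptions/EXAMPLE/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/st",'
        ' "logs": [{"categoryGroup": "audit", "enabled": true}, {"categoryGroup": "allLogs", "enabled": false}]}]}',
    "kv-unconfigured": "[]",
}

REQUIRED_GROUPS = {"audit", "allLogs"}
DESTINATION_KEYS = ("storageAccountId", "workspaceId", "eventHubName")

def parse_settings(raw_json):
    # Normalise CLI output to a plain list of diagnostic-setting objects.
    data = json.loads(raw_json)
    return data.get("value", []) if isinstance(data, dict) else data

def evaluate_vault(settings):
    """Return (passed, reason). A vault passes when at least one diagnostic setting
    has both required category groups enabled and routes to a destination."""
    if not settings:
        return False, "no diagnostic setting exists"
    problems = []
    for s in settings:
        enabled = {log.get("categoryGroup") for log in s.get("logs", []) if log.get("enabled")}
        missing = sorted(REQUIRED_GROUPS - enabled)
        has_destination = any(s.get(k) for k in DESTINATION_KEYS)
        if not missing and has_destination:
            return True, f"setting '{s['name']}' enables audit and allLogs with a destination"
        if missing:
            problems.append(f"setting '{s['name']}' lacks enabled category group(s) {missing}")
        if not has_destination:
            problems.append(f"setting '{s['name']}' has no destination configured")
    return False, "; ".join(problems)

def run_check(output_by_vault):
    # Evaluate every vault; returns {vault_name: (passed, reason)}.
    return {name: evaluate_vault(parse_settings(raw)) for name, raw in output_by_vault.items()}

if __name__ == "__main__":
    for name, (passed, reason) in run_check(SAMPLE_OUTPUT).items():
        print(f"{'PASS' if passed else 'FAIL'} {name}: {reason}")
```

To run it against a real subscription, feed the script the output of `az keyvault list` and the diagnostic-settings command for each vault ID in place of SAMPLE_OUTPUT.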


How to fix it:

Azure Portal:

  1. Go to Key vaults > select a vault
  2. Under Monitoring, click Diagnostic settings
  3. Click Add diagnostic setting or Edit setting
  4. Name the setting
  5. Select a destination (e.g., Storage, Log Analytics)
  6. Under Category groups, check both audit and allLogs
  7. Save the configuration

Azure CLI:

az keyvault list
az monitor diagnostic-settings list --resource <key_vault_id>


Confirm categoryGroup contains both audit and allLogs with enabled: true.

PowerShell:

Verify that both audit and allLogs category groups are present and enabled, and at least one destination is defined.

Get-AzKeyVault
Get-AzDiagnosticSetting -ResourceId <key_vault_id>


Exceptions:
None specified.


Further resources:
