Audit Key Vault Data Access
March 21, 2025 ยท View on GitHub
SYNOPSIS
Ensure audit diagnostics logs are enabled to audit Key Vault access.
DESCRIPTION
To capture logs that record interactions with data or the settings of key vault, diagnostic settings must be configured.
When configuring diagnostics settings, enable one of the following:
AuditEventcategory.auditcategory group.allLogscategory group.
Management operations for Key Vault is captured automatically within Azure Activity Logs.
RECOMMENDATION
Configure audit diagnostics logs to audit Key Vault access.
EXAMPLES
Configure with Azure template
To deploy key vaults that pass this rule:
- Deploy a diagnostic settings sub-resource (extension resource).
- Enable
AuditEventcategory orauditcategory group orallLogscategory group.
For example:
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2023-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"sku": {
"family": "A",
"name": "premium"
},
"tenantId": "[tenant().tenantId]",
"softDeleteRetentionInDays": 90,
"enableSoftDelete": true,
"enablePurgeProtection": true,
"enableRbacAuthorization": true,
"networkAcls": {
"defaultAction": "Deny",
"bypass": "AzureServices"
}
},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
"name": "logs",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "AuditEvent",
"enabled": true
}
]
},
"dependsOn": [
"[parameters('name')]"
]
}
]
}
Configure with Bicep
To deploy key vaults that pass this rule:
- Deploy a diagnostic settings sub-resource (extension resource).
- Enable
AuditEventcategory orauditcategory group orallLogscategory group.
For example:
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: name
location: location
properties: {
sku: {
family: 'A'
name: 'premium'
}
tenantId: tenant().tenantId
softDeleteRetentionInDays: 90
enableSoftDelete: true
enablePurgeProtection: true
enableRbacAuthorization: true
networkAcls: {
defaultAction: 'Deny'
bypass: 'AzureServices'
}
}
}
resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'logs'
scope: vault
properties: {
workspaceId: workspaceId
logs: [
{
category: 'AuditEvent'
enabled: true
}
]
}
}