Enable audit logging for Key Vault instances so that interactions with key vaults are logged and available.

ARM template: on the Microsoft.Insights/diagnosticSettings resource scoped to the vault, set properties.logs.category to AuditEvent and properties.logs.enabled to true.
Example configuration (enabled and days are a boolean and an integer in the diagnosticSettings schema, not strings):
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "name": "diagnostic-a1-689",
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults', 'example-keyvault1-689')]",
    "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorage1689')]"
  ],
  "scope": "[resourceId('Microsoft.KeyVault/vaults', 'example-keyvault1-689')]",
  "properties": {
    "logs": [
      {
        "category": "AuditEvent",
        "enabled": true,
        "retentionPolicy": {
          "days": 180,
          "enabled": true
        }
      }
    ],
    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorage1689')]"
  }
}
Terraform: set log.category to AuditEvent and log.enabled to true. Note that the log attribute was deprecated in v3.63.0; on providers where it is deprecated, set enabled_log.category to AuditEvent, or set enabled_log.category_group to one of audit or allLogs.

Additionally, if the storage_account_id or log_analytics_workspace_id attribute is present, ensure the log retention policy is valid by taking either of the following actions:
- Set the log.retention_policy.enabled attribute to false to preserve logs indefinitely.
- Set the log.retention_policy.enabled attribute to true and set log.retention_policy.days to >= 180, or to 0 (to preserve indefinitely).

Example configuration:
# For AzureRM provider < v4.0.0
resource "azurerm_monitor_diagnostic_setting" "allowed" {
  name               = "exampleallowed"
  target_resource_id = azurerm_key_vault.example.id
  storage_account_id = azurerm_storage_account.example.id

  log {
    category = "AuditEvent"
    enabled  = true

    # retention_policy is nested inside the log block; days = 0 keeps logs indefinitely
    retention_policy {
      enabled = true
      days    = 0
    }
  }
}

# For AzureRM provider >= v4.0.0 (the log block was replaced by enabled_log)
resource "azurerm_monitor_diagnostic_setting" "allowed" {
  name               = "exampleallowed"
  target_resource_id = azurerm_key_vault.example478.id
  storage_account_id = azurerm_storage_account.example478.id

  enabled_log {
    category = "AuditEvent"

    # Retention on the diagnostic setting was deprecated in favour of storage account
    # management policies; drop this block if your provider version rejects it.
    retention_policy {
      enabled = true
      days    = 0
    }
  }
}

OR

# For AzureRM provider >= v4.0.0, selecting the audit category group instead of a single category
resource "azurerm_monitor_diagnostic_setting" "allowed" {
  name               = "example478allowed"
  target_resource_id = azurerm_key_vault.example478.id
  storage_account_id = azurerm_storage_account.example478.id

  enabled_log {
    category_group = "audit"

    retention_policy {
      enabled = true
      days    = 0
    }
  }
}
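The rule above (AuditEvent or an audit category group enabled, and a valid retention policy whenever logs are shipped to a storage account or workspace) can be evaluated offline against a diagnosticSettings resource. The checker below is an added example, not part of this rule page or any scanner's code; it reads the ARM property names (logs, categoryGroup, storageAccountId, workspaceId) and treats a missing retentionPolicy as acceptable, which is an assumption.

```python
import json

AUDIT_CATEGORY = "AuditEvent"
AUDIT_GROUPS = {"audit", "allLogs"}
MIN_RETENTION_DAYS = 180


def _as_bool(value):
    # ARM templates sometimes carry booleans as the strings "true"/"false".
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


def _retention_ok(policy):
    # Absent policy: logs are kept until deleted, which this checker accepts (assumption).
    if not policy or not _as_bool(policy.get("enabled", False)):
        return True
    days = int(policy.get("days", 0))
    return days == 0 or days >= MIN_RETENTION_DAYS


def audit_logging_findings(setting):
    """Evaluate one Microsoft.Insights/diagnosticSettings resource against the rule."""
    props = setting.get("properties", {})
    audit_logs = [
        log for log in props.get("logs", [])
        if log.get("category") == AUDIT_CATEGORY or log.get("categoryGroup") in AUDIT_GROUPS
    ]
    findings = []
    if not any(_as_bool(log.get("enabled", False)) for log in audit_logs):
        findings.append("AuditEvent logging is not enabled")
    # Retention only matters once logs are actually sent to a storage account or workspace.
    if props.get("storageAccountId") or props.get("workspaceId"):
        for log in audit_logs:
            if not _retention_ok(log.get("retentionPolicy")):
                findings.append("retentionPolicy must be disabled, or days must be >= 180 or 0")
    return findings


# Constructed sample: the page's example shape, with retention shortened to 30 days.
SAMPLE = json.loads("""{
  "type": "Microsoft.Insights/diagnosticSettings",
  "properties": {
    "logs": [{"category": "AuditEvent", "enabled": "true",
              "retentionPolicy": {"days": "30", "enabled": "true"}}],
    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorage1689')]"
  }
}""")

if __name__ == "__main__":
    print(audit_logging_findings(SAMPLE))
```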