Description:

Azure Key Vault stores sensitive secrets, keys, and certificates used by applications and services. Logging must be enabled to capture all access and operations against the vault so that security teams can review activities such as who accessed the vault, what operations were performed, and when they occurred. Enabling AuditEvent logging ensures complete visibility for auditing, compliance, and incident investigation.


Rationale:

AuditEvent logging helps monitor sensitive access to keys and secrets, identify unauthorized actions, support forensic investigations, and meet compliance requirements. Without logging, there is no reliable record of Key Vault activity, which significantly increases security risk and reduces visibility during investigations or breach scenarios. Lack of logging results in a NON-COMPLIANT state.


Impact:

Enabling Key Vault logging improves security visibility but increases operational overhead due to storage costs for logs, management of retention policies, permissions required for diagnostic settings, potential ingestion delays, and risks associated with log misconfiguration.


Default Value:

By default, Azure Key Vault does not have diagnostic logging enabled. No AuditEvent logs are collected unless explicitly configured.


Pre-requisites:

  • A Storage Account, Log Analytics Workspace, or Event Hub must be available to receive the Key Vault AuditEvent logs.

  • Azure CLI or PowerShell should be installed if performing CLI-based or script-based verification/remediation.

  • Network and access policies must allow the Key Vault to send diagnostic logs to the selected destination.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for “Key vaults” and select the Key Vault

  3. Under the Monitoring section, open Diagnostic settings

  4. Verify that a diagnostic setting exists with the AuditEvent log category enabled and that logs are sent to a Storage Account, a Log Analytics Workspace, or an Event Hub


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for “Key vaults” and select the required Key Vault

  3. Under the Monitoring section, open Diagnostic settings

  4. Click Add diagnostic setting

  5. Enable AuditEvent under log categories

  6. Select a destination such as a Storage Account, a Log Analytics Workspace, or an Event Hub

  7. Save the configuration
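The Test Plan and Implementation Steps above describe a manual portal check; the script below is an added example (not part of this control's text) of the same check done programmatically against the JSON that `az monitor diagnostic-settings list --resource <key-vault-resource-id>` returns. The JSON below is a constructed sample in that shape, and the assumption that the "audit" and "allLogs" category groups cover AuditEvent is labelled in the code.

```python
import json

# Constructed sample in the shape returned by
#   az monitor diagnostic-settings list --resource <key-vault-resource-id>
# (newer CLI versions return a bare list; older ones wrap it as {"value": [...]}).
SAMPLE_SETTINGS_JSON = """
[
  {
    "name": "kv-audit-to-law",
    "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec",
    "storageAccountId": null,
    "eventHubAuthorizationRuleId": null,
    "logs": [
      {"category": "AuditEvent", "categoryGroup": null, "enabled": true},
      {"category": "AzurePolicyEvaluationDetails", "categoryGroup": null, "enabled": false}
    ],
    "metrics": []
  }
]
"""

# A setting only counts if it actually ships logs somewhere.
DESTINATION_KEYS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")
# Assumption: these category groups include the AuditEvent category for Key Vault.
AUDIT_GROUPS = {"audit", "allLogs"}


def setting_covers_audit_event(setting):
    """True if this setting enables AuditEvent (directly or via a group) and has a destination."""
    if not any(setting.get(k) for k in DESTINATION_KEYS):
        return False
    for log in setting.get("logs") or []:
        if not log.get("enabled"):
            continue
        if log.get("category") == "AuditEvent" or log.get("categoryGroup") in AUDIT_GROUPS:
            return True
    return False


def assess_key_vault_logging(raw_json):
    """Return (compliant, reasons) for one vault's diagnostic-settings JSON."""
    data = json.loads(raw_json)
    settings = data.get("value", []) if isinstance(data, dict) else data
    if not settings:
        return False, ["no diagnostic settings configured"]
    covered = [s.get("name") for s in settings if setting_covers_audit_event(s)]
    if covered:
        return True, ["AuditEvent enabled with a destination in: " + ", ".join(covered)]
    return False, ["settings exist but none enables AuditEvent with a valid destination"]


if __name__ == "__main__":
    ok, reasons = assess_key_vault_logging(SAMPLE_SETTINGS_JSON)
    print("COMPLIANT" if ok else "NON-COMPLIANT", "-", "; ".join(reasons))
```

For remediation from the CLI, the equivalent of steps 4 to 7 is `az monitor diagnostic-settings create --name <setting-name> --resource <key-vault-resource-id> --logs '[{"category":"AuditEvent","enabled":true}]' --workspace <log-analytics-workspace-id>` (use `--storage-account` or `--event-hub` plus `--event-hub-rule` for the other destinations).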


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Key vaults and select the Key Vault

  3. Under the Monitoring section, open Diagnostic settings

  4. Select the configured diagnostic setting

  5. Click Delete

  6. Confirm the deletion


References: