Description:

Azure Key Vault is a cloud service for securely storing and managing sensitive information, such as secrets, keys, and certificates. Enabling logging for Azure Key Vault allows you to monitor and record all access and management operations related to your vaults. This includes read and write operations, access attempts, and administrative actions. Capturing logs for Azure Key Vault helps maintain a secure and auditable environment by providing visibility into the usage and access of sensitive data stored within the vault.

The logs from Azure Key Vault can be sent to Azure Monitor, Log Analytics, or Storage Accounts for analysis, querying, and monitoring, helping organizations meet security compliance requirements and track unauthorized access attempts.

Rationale:

By enabling logging for Azure Key Vault, you can:

  • Monitor who is accessing your vault and which operations are being performed.

  • Detect unauthorized or unexpected activities such as failed access attempts, changes to access policies, or deletion of secrets.

  • Audit all interactions with your sensitive information to comply with security policies, industry regulations, or organizational standards.

  • Integrate with other monitoring solutions like Azure Security Center for enhanced security insights.

Impact:

Enabling Azure Key Vault logging increases visibility into access patterns, allowing you to quickly identify security issues, unauthorized access attempts, or misconfigurations. However, this will result in additional logging data, which could increase storage costs depending on the volume of logs and the retention policies applied. Configuring log retention properly will help balance the performance and cost of log storage.

Default Value:

By default, logging for Azure Key Vault is disabled. You must manually enable logging and specify the destination for the logs (e.g., Log Analytics, Event Hub, or Storage Account).

Pre-requisites:

  • Azure subscription with Key Vault configured.

  • Owner or Contributor role permissions to configure diagnostic settings for Key Vault.

  • Log Analytics workspace, Storage Account, or Event Hub configured as destinations for the logs.

Audit:

  1. Sign in to Azure portal as an Owner or Contributor.

  2. Navigate to Azure Key Vault and review the diagnostic settings to ensure logging is enabled.

  3. Verify that Azure Key Vault logs are being captured and sent to the appropriate destination.
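One way to perform the audit step programmatically, as an added example that is not part of this guideline: a check over the diagnostic settings returned for a vault (for instance by `az monitor diagnostic-settings list --resource <vault-resource-id>`), which passes only when an audit category is enabled and at least one destination is configured. It assumes the resource-provider category name AuditEvent (the portal labels the same category differently) and uses constructed sample data.

```python
"""Check a Key Vault's diagnostic settings for enabled, delivered audit logging.

Input shape follows the Microsoft.Insights/diagnosticSettings resource as
returned by `az monitor diagnostic-settings list` (assumption: only the
fields used below are relied on). Sample data is constructed.
"""
from typing import Iterable

# Resource-provider category name for Key Vault audit records (assumption:
# the portal labels the same category differently).
AUDIT_CATEGORIES = {"AuditEvent"}
# A setting with none of these set collects logs but delivers them nowhere.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def audit_logging_enabled(setting: dict) -> bool:
    """True if this setting enables an audit category (or an all-logs group)."""
    for log in setting.get("logs", []):
        if not log.get("enabled"):
            continue
        if log.get("category") in AUDIT_CATEGORIES:
            return True
        if log.get("categoryGroup") in ("audit", "allLogs"):
            return True
    return False


def destinations(setting: dict) -> list:
    """Names of the configured destinations (empty list means logs go nowhere)."""
    return [key for key in DESTINATION_KEYS if setting.get(key)]


def assess(settings: Iterable[dict]) -> dict:
    """Summarise whether at least one setting ships audit logs to a destination."""
    findings = [{"name": s.get("name", "<unnamed>"),
                 "audit": audit_logging_enabled(s),
                 "destinations": destinations(s)} for s in settings]
    compliant = any(f["audit"] and f["destinations"] for f in findings)
    return {"compliant": compliant, "settings": findings}


# Constructed sample: one setting sends AuditEvent to a Log Analytics workspace.
SAMPLE_SETTINGS = [
    {"name": "kv-audit",
     "workspaceId": "/subscriptions/<placeholder-sub>/resourceGroups/rg/providers/"
                    "Microsoft.OperationalInsights/workspaces/law-example",
     "logs": [{"category": "AuditEvent", "enabled": True},
              {"category": "AzurePolicyEvaluationDetails", "enabled": False}]},
]

if __name__ == "__main__":
    print(assess(SAMPLE_SETTINGS))
```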

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to Azure Key Vault:

    • In the Azure portal, search for Key Vaults and select the Key Vault instance for which you want to enable logging.

  3. Go to Diagnostic Settings:

    • In the Key Vault pane, under Monitoring, select Diagnostic settings.

    • Click on + Add diagnostic setting to configure the logs.

  4. Enable Logging:

    • In the Add diagnostic setting pane, select the log categories to enable. For Key Vault, you can enable the following categories:

      • AuditLogs: Logs access to the vault, including any read/write operations.

      • ServiceRequestLogs: Captures the operations and requests made to the Key Vault.

      • Key, Secret, and Certificate Operations: Logs specific actions such as creation, deletion, or modification of keys, secrets, and certificates.

    • Make sure AuditLogs and any other relevant categories are selected.

  5. Choose a Destination:

    • Select where the logs will be sent:

      • Log Analytics workspace: For querying and monitoring logs using Azure Monitor.

      • Storage Account: For storing logs long-term or for access by external tools.

      • Event Hub: For forwarding logs to an external system or SIEM.

  6. Configure the Destination:

    • If Log Analytics workspace is selected, choose the appropriate workspace where the logs will be sent.

    • If Storage Account is selected, choose the Storage Account for long-term retention.

    • If Event Hub is selected, specify the Event Hub namespace and Event Hub to forward the logs.

  7. Set Retention Policy:

    • Specify the log retention period based on your organizational requirements. Logs can be retained for up to 2 years in Log Analytics or Storage Accounts.

  8. Review and Create:

    • Review the settings, and ensure that the correct log categories and destinations are selected.

    • Click Save to enable logging and start sending the logs to the selected destination.

  9. Verify Log Capture:

    • After enabling logging, trigger some actions on the Azure Key Vault (e.g., read a secret or change access policies).

    • Go to the Log Analytics workspace (or Storage Account or Event Hub) and verify that Azure Key Vault logs are being captured.

  10. Set Up Alerts (Optional):

    You can set up alerts in Azure Monitor based on the logs to get notified when certain activities (e.g., unauthorized access attempts, changes to secrets) occur.

    • In Azure Monitor, go to Alerts and create a new alert rule based on the Key Vault Audit Logs.

  11. Monitor Logs and Review:

    • Regularly monitor the Key Vault logs in Log Analytics or other configured destinations.

    • Use dashboards to visualize and analyze the logs, or set up automated queries for real-time monitoring.
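The verification, alerting and review steps above all depend on reading the audit records once they land. As an added example that is not part of this guideline, the following Python triage pass runs over constructed Key Vault AuditEvent records (newline-delimited JSON, as exported to a Storage Account) and flags the activities the Rationale names: denied access, access policy changes (assumed here to surface as VaultPatch operations) and deletions. The field names operationName, resultSignature and callerIpAddress follow the Key Vault diagnostic log schema; the labels and threshold are my own.

```python
"""Triage Key Vault diagnostic (AuditEvent) records for the activities this
guideline says to watch: denied access, access-policy changes, deletions.
Field names follow the Key Vault diagnostic log schema (assumption: only the
fields referenced below are relied on); the records are constructed samples."""
import json
from collections import Counter

FAILURE_SIGNATURES = {"Forbidden", "Unauthorized"}
POLICY_OPERATIONS = {"VaultPatch"}          # assumption: access-policy edits log as vault updates
DESTRUCTIVE_SUFFIXES = ("Delete", "Purge")  # e.g. SecretDelete, KeyPurge

def classify(rec: dict) -> list:
    """Return the finding labels that apply to one AuditEvent record."""
    labels = []
    op = rec.get("operationName", "")
    if rec.get("resultSignature") in FAILURE_SIGNATURES:
        labels.append("ACCESS_DENIED")
    if op in POLICY_OPERATIONS:
        labels.append("ACCESS_POLICY_CHANGE")
    if op.endswith(DESTRUCTIVE_SUFFIXES):
        labels.append("DESTRUCTIVE_OPERATION")
    return labels

def triage(lines, denied_threshold: int = 3) -> dict:
    """Scan newline-delimited JSON records; flag findings and repeat-denied callers."""
    findings, denied_by_ip = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        for label in classify(rec):
            findings.append((rec.get("time"), label, rec.get("operationName"),
                             rec.get("callerIpAddress")))
            if label == "ACCESS_DENIED":
                denied_by_ip[rec.get("callerIpAddress")] += 1
    repeat = [ip for ip, n in denied_by_ip.items() if n >= denied_threshold]
    return {"findings": findings, "repeat_denied_callers": repeat}

# Constructed sample export (not real telemetry); one JSON record per line.
SAMPLE_LOG = """
{"time":"2024-01-01T10:00:00Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.10"}
{"time":"2024-01-01T10:00:05Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.20"}
{"time":"2024-01-01T10:00:06Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.20"}
{"time":"2024-01-01T10:00:07Z","category":"AuditEvent","operationName":"KeyGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.20"}
{"time":"2024-01-01T10:01:00Z","category":"AuditEvent","operationName":"VaultPatch","resultSignature":"OK","callerIpAddress":"203.0.113.10"}
{"time":"2024-01-01T10:02:00Z","category":"AuditEvent","operationName":"SecretDelete","resultSignature":"OK","callerIpAddress":"203.0.113.10"}
"""
if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines())["findings"]:
        print(*finding)
```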

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to Azure Key Vault:

    • Go to Azure Key Vault in the Azure portal.

  3. Disable Logging:

    • In Diagnostic settings, locate the diagnostic setting you created for Azure Key Vault logs.

    • Either delete the diagnostic setting or disable logging for the selected categories.

  4. Verify Log Capture Stopped:

    • After disabling or deleting the diagnostic setting, check your Log Analytics workspace or Storage Account to ensure that logs are no longer being captured.

  5. Test the Reverted Configuration:

    • Perform an action (e.g., access a secret) and verify that no logs are being generated or sent to the destination.

References: