Cyscale
Back to controls

Ensure logging for Azure Key Vault is 'Enabled'

Enable `AuditEvent` logging for key vault instances to ensure interactions with key vaults are logged and available.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Rationale

Monitoring how and when key vaults are accessed and by whom enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user-provided destination, either an Azure storage account or a Log Analytics workspace. The same destination can be used to collect logs for multiple Key Vaults.

Default Value

By default, diagnostic AuditEvent logging is not enabled for Key Vault instances.

Remediation guidance

Azure Remediation

Service-wide fix (recommended): send Key Vault resource logs to a central Log Analytics workspace or SIEM and use category groups or audit logs consistently across all vaults.

Azure portal

  1. Open the Key Vault.
  2. Go to Diagnostic settings under Monitoring.
  3. Create a new diagnostic setting or edit the existing one.
  4. Enable the audit log data you need. For most teams, the Audit category group or the Key Vault audit log category is the right baseline.
  5. Route logs to Log Analytics, Storage, Event Hubs, or another approved destination.
  6. Save the setting and confirm logs start arriving.

Azure CLI

Create a diagnostic setting that sends Key Vault logs to Log Analytics:

az monitor diagnostic-settings create --name <setting-name> --resource <key-vault-resource-id> --workspace <log-analytics-workspace-id> --logs '[{"categoryGroup":"audit","enabled":true}]' --metrics '[{"category":"AllMetrics","enabled":true}]'

List the diagnostic settings for the vault:

az monitor diagnostic-settings list --resource <key-vault-resource-id>

Operational notes

  • Diagnostic settings are per-resource. One good Key Vault setting does not cover the others.
  • If the destination storage account or Event Hubs namespace has network restrictions, Azure Monitor needs the trusted-services bypass path or another supported access path.
  • Logging is useful only if retention, alerting, and review workflows are also defined.

References

  • https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging
  • https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault
  • https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings

Query logic

These are the stored checks tied to this control.

Key Vaults without Diagnostic Settings

Connectors

Microsoft Azure

Covered asset types

KMSVault

Expected check: eq []

{
  kmsVaults(
    where: {
      OR: [
        { loggingEnabled: false }
        {
          diagnosticSettings_SOME: {
            resourceType: "Microsoft.KeyVault/vaults"
            logs_SOME: {
              enabled: false
              categoryGroup_IN: ["audit", "allLogs"]
            }
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon