
Ensure logging for Azure Key Vault is 'Enabled'

Enable `AuditEvent` logging for key vault instances to ensure interactions with key vaults are logged and available.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

null controls, 1 queries

Asset types

1 covered

Overview

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.

Rationale

Monitoring how and when key vaults are accessed and by whom enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user-provided destination, either an Azure storage account or a Log Analytics workspace. The same destination can be used to collect logs for multiple Key Vaults.

Default Value

By default, diagnostic AuditEvent logging is not enabled for Key Vault instances.

Remediation guidance

From Azure Console

  1. Go to Key vaults
  2. For each key vault, under Monitoring, select Diagnostic settings
  3. Select Add diagnostic setting to add a new setting or Edit setting to modify an existing one
  4. If you are adding a new setting, provide a name for it
  5. Under Logs, for Categories, check the Audit Logs checkbox
  6. Select an appropriate value for Retention (days) - at least 90 or 0 for infinite
  7. Under Destination details, select a location for your diagnostic setting
  8. Select Save

From Azure CLI

To update an existing Diagnostic Setting

az monitor diagnostic-settings update --name "<diagnosticsSettingName>" --resource <keyVaultResourceID> --set retentionPolicy.days=90

To create a new Diagnostic Setting

az monitor diagnostic-settings create --name <diagnosticsSettingName> --resource <keyVaultResourceID> --logs "[{category:AuditEvent,enabled:true,retentionpolicy:{enabled:true,days:180}}]" --metrics "[{category:AllMetrics,enabled:true,retentionpolicy:{enabled:true,days:180}}]" <[--event-hub <eventHubID> --event-hub-rule <eventHubAuthRuleID> | --storage-account <storageAccountID> | --workspace <logAnalyticsWorkspaceID> | --marketplace-partner-id <fullResourceID>]>

From Azure PowerShell

Create the Log settings object

$logSettings = @()
$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AuditEvent

Create the Metric settings object

$metricSettings = @()
$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics

Create the Diagnostic Settings for each Key Vault

New-AzDiagnosticSetting -Name "<diagnosticSettingName>" -ResourceId <keyVaultResourceID> -Log $logSettings -Metric $metricSettings [-StorageAccountId <storageAccountID> | -EventHubName <eventHubName> -EventHubAuthorizationRuleId <eventHubAuthRuleID> | -WorkspaceId <logAnalyticsWorkspaceID> | -MarketPlacePartnerId <fullResourceID>]

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

  • Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
  • Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
  • Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Key Vaults without Diagnostic Settings

Connectors

Microsoft Azure

Covered asset types

KMSVault

Expected check: eq []

{
  kmsVaults(
    where: {
      OR: [
        { loggingEnabled: false }
        {
          diagnosticSettings_SOME: {
            resourceType: "Microsoft.KeyVault/vaults"
            logs_SOME: {
              enabled: false
              categoryGroup_IN: ["audit", "allLogs"]
            }
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
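The following is an added example, not Cyscale's stored query nor Azure tooling, that applies the same decision the query above encodes to the JSON a practitioner already has on hand, and then emits the `az monitor diagnostic-settings create` command from the CLI remediation section for each vault that fails. It assumes the per-vault list returned by `az monitor diagnostic-settings list --resource <id>`, with each setting carrying `name`, `logs` (entries with `category` or `categoryGroup` and `enabled`) and a destination field such as `workspaceId`; the vault and workspace ids in `SAMPLE` are constructed placeholders. The function names `evaluate_vault`, `remediation_command` and `audit_report` are this example's own.

```python
"""Evaluate Key Vault diagnostic settings against the AuditEvent logging control.

Added example; input shape is assumed to match `az monitor diagnostic-settings list`
output (REST DiagnosticSettingsResource properties flattened to the top level).
"""
import json
import shlex

AUDIT_CATEGORY = "AuditEvent"
AUDIT_GROUPS = {"audit", "allLogs"}  # category groups the stored query looks at
# Any one of these present on a setting means the logs have somewhere to go.
DESTINATION_KEYS = ("workspaceId", "storageAccountId",
                    "eventHubAuthorizationRuleId", "marketplacePartnerId")


def covers_audit(entry):
    """True if a log entry targets Key Vault audit events (enabled or not)."""
    return (entry.get("category") == AUDIT_CATEGORY
            or entry.get("categoryGroup") in AUDIT_GROUPS)


def evaluate_vault(settings):
    """Return (compliant, findings) for one vault's list of diagnostic settings.

    Mirrors the stored query: the vault fails when no setting delivers enabled
    AuditEvent logs to a destination, and also when any setting carries a
    disabled audit / allLogs entry (diagnosticSettings_SOME ... enabled: false).
    """
    if not settings:
        return False, ["no diagnostic settings configured"]
    findings, delivered, any_disabled = [], False, False
    for s in settings:
        name = s.get("name", "<unnamed>")
        audit_entries = [e for e in s.get("logs", []) if covers_audit(e)]
        if not audit_entries:
            findings.append(f"setting '{name}' has no AuditEvent/audit category entry")
            continue
        disabled = [e for e in audit_entries if not e.get("enabled", False)]
        if disabled:
            any_disabled = True
            findings.append(f"setting '{name}' has audit logging present but disabled")
        has_dest = any(s.get(k) for k in DESTINATION_KEYS)
        if not has_dest:
            findings.append(f"setting '{name}' has no destination configured")
        if has_dest and len(disabled) < len(audit_entries):
            delivered = True
    if not delivered:
        findings.append("no setting delivers enabled AuditEvent logs to a destination")
    return delivered and not any_disabled, findings


def remediation_command(vault_id, workspace_id, setting_name="KeyVault-AuditEvent"):
    """Build the az CLI create command from the guidance above (workspace destination)."""
    logs = json.dumps([{"category": AUDIT_CATEGORY, "enabled": True}])
    return " ".join(["az monitor diagnostic-settings create",
                     "--name", shlex.quote(setting_name),
                     "--resource", shlex.quote(vault_id),
                     "--workspace", shlex.quote(workspace_id),
                     "--logs", shlex.quote(logs)])


def audit_report(inventory, workspace_id):
    """Map each vault id to its verdict, findings and, when failing, the fix command."""
    report = {}
    for vid, settings in inventory.items():
        ok, findings = evaluate_vault(settings)
        report[vid] = {"compliant": ok, "findings": findings,
                       "fix": None if ok else remediation_command(vid, workspace_id)}
    return report


def vault_id(name):
    """Constructed placeholder resource id (not a real subscription or vault)."""
    return ("/subscriptions/<subscription-id>/resourceGroups/rg-demo"
            f"/providers/Microsoft.KeyVault/vaults/{name}")


WORKSPACE = ("/subscriptions/<subscription-id>/resourceGroups/rg-demo"
             "/providers/Microsoft.OperationalInsights/workspaces/law-demo")

# Constructed sample inventory: four hypothetical vaults and their settings.
SAMPLE = {
    vault_id("kv-ok"): [{"name": "to-law", "workspaceId": WORKSPACE,
                         "logs": [{"category": "AuditEvent", "enabled": True}],
                         "metrics": [{"category": "AllMetrics", "enabled": True}]}],
    vault_id("kv-group-disabled"): [{"name": "to-law", "workspaceId": WORKSPACE,
                                     "logs": [{"categoryGroup": "audit", "enabled": False}]}],
    vault_id("kv-none"): [],
    vault_id("kv-no-dest"): [{"name": "orphan",
                              "logs": [{"category": "AuditEvent", "enabled": True}]}],
}

if __name__ == "__main__":
    for vid, r in audit_report(SAMPLE, WORKSPACE).items():
        print(vid.rsplit("/", 1)[-1], "PASS" if r["compliant"] else "FAIL", r["findings"])
        if r["fix"]:
            print("   ", r["fix"])
```

Only `kv-ok` passes; the disabled category-group case fails even though a destination exists, which is exactly what the `logs_SOME { enabled: false, categoryGroup_IN: [...] }` branch of the stored query catches. The generated command is the create form; where a setting of that name already exists, the `update --set` form from the CLI section above is the one to use.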
© 2026 Cyscale Limited