Ensure that AuditEvent logging is enabled for all Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets like passwords using keys stored in Hardware Security Modules (HSMs).
PoC代码[已公开]
id: azure-keyvault-audit-not-enabled
info:
name: Enable AuditEvent Logging for Azure Key Vaults
author: princechaddha
severity: medium
description: |
Ensure that AuditEvent logging is enabled for all Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets like passwords using keys stored in Hardware Security Modules (HSMs).
impact: |
Lack of AuditEvent logging can hinder incident detection and increase the risk of unauthorized access without traceability.
remediation: |
Enable the AuditEvent logging for Azure Key Vaults to ensure all access and operations are logged, enhancing security and compliance.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let VaultData of iterate(template.vaultNames)) {
set("vaultName", VaultData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].id' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings list --resource $vaultName --query '[*].logs | []' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'vaultName + " does not have AuditEvent logging enabled"'
# digest: 4b0a004830460221009ecb30a2408bfae3b16546bb9708027fc19de0320e4f57a838196cf5ec402e99022100d9b74974d2cd79d4af69c36db8f9b6e8990860c09f4a249ee337ced5e7c1696c:922c64590222798bb761d5b6d8e72950