Azure Key Vault Logging: 7 Best Practices

published on 27 September 2024

Want to keep your Azure Key Vault secure? Start with logging. Here's what you need to know:

  1. Turn on full logging
  2. Store logs correctly
  3. Watch logs in real-time
  4. Check logs often
  5. Limit who can access logs
  6. Keep logs safe when sending
  7. Do regular log reviews

Key takeaways:

  • Logging is like a security camera for your digital vault
  • It helps spot unusual behavior and keeps you compliant
  • Azure Key Vault logging captures all authenticated REST API requests

Here's a quick comparison of logging methods:

Method        | Ease of Use | Detail Level | Real-time Monitoring
--------------|-------------|--------------|---------------------
Azure CLI     | Easy        | High         | No
PowerShell    | Moderate    | High         | No
Azure Portal  | Very Easy   | Medium       | Yes
Azure Monitor | Moderate    | Very High    | Yes

Remember: What you don't know about your Key Vault can hurt you. Log it, watch it, stay safe.

1. Turn on Full Logging

First up: enable full logging for your Azure Key Vault. It's like activating all your security cameras - you want to catch everything.

Here's the process:

  1. Find your Key Vault's resource ID
  2. Choose a log destination (Azure Storage or Log Analytics)
  3. Enable logging via Azure CLI, PowerShell, or Azure portal

Let's break it down:

Azure CLI:

az monitor diagnostic-settings create --name <diagnostic-setting-name> --resource <your-key-vault-resource-id> --storage-account <your-storage-account-id> --logs "[{category:AuditEvent,enabled:true}]"

This command starts logging all audit events for your Key Vault.

PowerShell:

Set-AzDiagnosticSetting -ResourceId <your-key-vault-resource-id> -StorageAccountId <your-storage-account-id> -Enabled $true -Category AuditEvent -RetentionEnabled $true -RetentionInDays 365

This command enables logging and sets a one-year retention policy.

Pro tip: Want to keep logs forever? Set retention to 0 days. But remember: more logs = higher storage costs.

After enabling logging, Azure creates an insights-logs-auditevent container in your storage account for Key Vault logs.

"To monitor access to your secrets and their lifecycle, turn on Key Vault logging", says Microsoft's official docs.

Logging captures all authenticated REST API requests, including:

  • Vault creation/deletion
  • Access policy changes
  • Key and secret operations
  • Failed requests (crucial for spotting potential breaches)

2. Store Logs Correctly

Storing Azure Key Vault logs properly is key for monitoring and security. Here's how:

1. Pick the right storage account

Your storage account must be in the same subscription as your Key Vault. This keeps things running smoothly.

2. Set up logging with PowerShell

Use this PowerShell command to enable logging:

Set-AzDiagnosticSetting -ResourceId $keyvault.ResourceId -StorageAccountId $storageaccount.Id -Enabled $true -Category AuditEvent -RetentionEnabled $true -RetentionInDays 365

This turns on audit event logging with a 365-day retention policy.

3. Set your retention policy

Stick to 365 days for standard compliance. Need to keep logs forever? Set retention days to 0.

4. Find your logs

Azure creates an insights-logs-auditevent container in your storage account. Your Key Vault logs are there as JSON text blobs.

5. Lock down your logs

Use Azure's access controls to limit who can see your storage account. It's an extra security layer for your sensitive log data.

Log Field       | What It Means
----------------|---------------------------------
time            | When it happened (UTC)
resourceId      | Which Key Vault
operationName   | What was done
resultType      | How the API request went
callerIpAddress | Who did it

You can usually access logs about 10 minutes after a Key Vault operation. Sometimes even faster.

3. Watch Logs in Real-time

Real-time log monitoring is crucial for quick issue detection in Azure Key Vault. Here's how:

1. Use Azure Monitor

Azure Monitor is your key tool for real-time log watching. It shows your Key Vault's health, performance, and security at a glance.

To set it up:

  • Open Azure portal
  • Click "Monitor" in the left sidebar
  • Select "Key Vaults" under "Insights"

You'll see a dashboard with key metrics for all your vaults.

2. Set Up Custom Alerts

Don't want to watch dashboards 24/7? Set up alerts:

  • In Azure Monitor, click "Alerts"
  • Create a new rule
  • Choose your Key Vault
  • Set conditions (e.g., failed requests > 10 in 5 minutes)
  • Pick your notification method

Alert Type | Use Case
-----------|------------------------------------------
Static     | Fixed threshold (e.g., > 100 requests/minute)
Dynamic    | Unusual behavior based on past data
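To show what the static rule above looks like once you are holding the raw logs rather than a portal dialog, here is an added Python example (not code from the original post or from Microsoft). It reads one blob in the shape the insights-logs-auditevent container stores, normalises the fields from the table in the previous section, tallies operations by result the way the KQL summarize in section 7 does, and applies "failed requests > 10 in 5 minutes" as a sliding window per caller address. The blob content is constructed (placeholder subscription id, RFC 5737 addresses); grouping by caller address and treating any resultType other than "Success" as a failure are assumptions of this example.

```python
"""Parse Key Vault AuditEvent records from an insights-logs-auditevent blob and
apply the 'failed requests > 10 in 5 minutes' rule per caller address."""
import json
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Constructed sample data. Real blobs carry a {"records": [...]} envelope with
# the field names used here; the subscription id and IPs are placeholders.
_VAULT_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
             "EXAMPLE-RG/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/EXAMPLE-VAULT")
_T0 = datetime(2024, 9, 27, 8, 0, tzinfo=timezone.utc)


def _rec(offset_s, op, result, status, ip):
    """One constructed audit record in the shape Key Vault writes."""
    t = _T0 + timedelta(seconds=offset_s)
    return {
        "time": t.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z",  # seven fractional digits, like Azure
        "resourceId": _VAULT_ID,
        "operationName": op,
        "category": "AuditEvent",
        "resultType": result,
        "callerIpAddress": ip,
        "properties": {"httpStatusCode": status},
    }


SAMPLE_BLOB = json.dumps({"records": (
    # 12 forbidden SecretGet calls from one address within four minutes
    [_rec(20 * i, "SecretGet", "Forbidden", 403, "203.0.113.10") for i in range(12)]
    # an app that mostly succeeds, with two stray token failures an hour apart
    + [_rec(60 * i, "SecretGet", "Success", 200, "198.51.100.7") for i in range(5)]
    + [_rec(90, "SecretGet", "Unauthorized", 401, "198.51.100.7"),
       _rec(3600, "SecretGet", "Unauthorized", 401, "198.51.100.7")]
    # management-plane reads of the vault itself
    + [_rec(600 * i, "VaultGet", "Success", 200, "192.0.2.5") for i in range(3)]
)})


def _parse_time(value):
    """Azure writes UTC timestamps with up to seven fractional digits; Python's
    %f takes six, so trim before converting."""
    head, _, frac = value.rstrip("Z").partition(".")
    stamp = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_blob(text):
    """Return the blob's records, time-sorted, with the table's fields normalised."""
    out = []
    for r in json.loads(text)["records"]:
        out.append({
            "time": _parse_time(r["time"]),
            "resourceId": r["resourceId"],
            "operationName": r["operationName"],
            "resultType": r["resultType"],
            "callerIpAddress": r.get("callerIpAddress", ""),
            "httpStatusCode": r.get("properties", {}).get("httpStatusCode"),
        })
    return sorted(out, key=lambda r: r["time"])


def summarize_by_operation(records):
    """Same tally as `summarize count() by OperationName, ResultType` in KQL."""
    return Counter((r["operationName"], r["resultType"]) for r in records)


def failed_request_bursts(records, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window form of the static alert: each caller address whose failed
    requests exceed `threshold` inside any `window`, with the peak count seen.
    Anything other than resultType 'Success' counts as a failure (assumption:
    the exact failure strings vary by error type)."""
    recent, peaks = {}, {}
    for r in records:
        if r["resultType"] == "Success":
            continue
        ip = r["callerIpAddress"]
        q = recent.setdefault(ip, deque())
        q.append(r["time"])
        while q and r["time"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    recs = parse_blob(SAMPLE_BLOB)
    for (op, result), n in sorted(summarize_by_operation(recs).items()):
        print(f"{op:<10} {result:<12} {n}")
    print("callers over threshold:", failed_request_bursts(recs))
```

Run against real blobs, the same two functions give you a quick offline answer to "who is failing, how often, and against which operation" before you decide whether the portal alert threshold is tuned right; the static rule deliberately ignores successes, so a caller that fails ten times and then succeeds still shows up.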

3. Enable Diagnostic Settings

For deeper log insights:

  • Open your Key Vault in Azure portal
  • Click "Diagnostic settings"
  • Create a new setting
  • Send logs to Log Analytics workspace

This allows you to query logs using Kusto Query Language (KQL).

4. Use Key Vault Insights

Key Vault Insights in Azure Monitor gives you a unified view of your vault's performance:

  • Go to Azure Monitor
  • Click "Insights" > "Key Vaults"
  • Pick your subscription and time range

You'll see interactive charts for requests, latency, and failures across all vaults.

4. Check Logs Often

Keeping tabs on your Azure Key Vault logs is crucial. Here's why and how:

Why it matters:

  • Spot weird activities
  • Catch potential security risks
  • Stay in line with your company's rules

How to do it right:

1. Use Azure Monitor

Azure Monitor is your best friend for log analysis. It gathers data from every corner of your system.

Here's how:

  • Open Azure portal
  • Go to "Monitor"
  • Click "Logs"
  • Run queries to dig into your Key Vault data

2. Make it a habit

Don't just check logs when you feel like it. Set a schedule and stick to it.

3. Know what to look for

Focus on these key events:

Event Type         | Red Flags
-------------------|------------------------------------
Access attempts    | Weird logins or failures
Secret operations  | New secrets, changes, or deletions
Key operations     | Unusual usage, unexpected tweaks
Certificate events | Expiring certs, renewal hiccups

4. Turn on data plane auditing

This captures ALL the juicy details. But heads up: it's not on by default.

5. Leverage Azure Log Analytics

For the nitty-gritty:

  • Set up diagnostics flow
  • Get raw data from all activities
  • Run complex queries to zoom in on specific events

Regular log checks aren't just about playing defense. They help you understand your Key Vault's usage, spot issues early, and keep things running smoothly.


5. Limit Who Can Access Logs

Securing your Azure Key Vault logs is crucial. Here's how to lock it down:

1. Use Azure RBAC

Azure Role-Based Access Control is your go-to for managing log access. It lets you control who sees logs and set permissions at different levels.

2. Create custom roles

Don't stick to built-in roles. Make your own:

Role Name   | Permissions
------------|-----------------
Log Viewer  | Read-only access
Log Analyst | Read and analyze
Log Manager | Full control

3. Implement Just-in-Time access

Use Azure AD Privileged Identity Management to grant temporary access, require approval, and enforce multi-factor authentication.

4. Audit access regularly

Keep an eye on who's accessing your logs. Review monthly, look for odd patterns, and revoke unnecessary permissions.

5. Separate duties

Don't give one person all the power. Split log management tasks and assign different roles to team members.

6. Keep Logs Safe When Sending

Sending logs isn't just a copy-paste job. You need to lock them down. Here's how to keep your Azure Key Vault logs secure during transit:

1. Use HTTPS

Always use HTTPS for sending logs. Azure Storage REST API calls MUST be over HTTPS when secure transfer is required. It's on by default for new storage accounts.

2. Encrypt with Customer-Managed Keys (CMK)

Don't rely on Microsoft-managed keys. Use your own:

Step | Action
-----|---------------------------------------
1    | Create a user-assigned identity
2    | Grant it access to your Azure Key Vault
3    | Configure storage to use CMK

This puts you in control of key access.

3. Set Up TLS 1.3

Use at least TLS 1.3 for your agent. It's the most secure version. But don't lock it down too tight:

"It's better not to force your agent to only use TLS 1.3 unless you have to. Let the agent automatically detect and use future security standards."

4. Choose Secure Destinations

When enabling logging, pick safe spots:

  • Azure storage account
  • Log Analytics workspace

5. Set Up Alerts

Keep tabs on your logs:

"Set up alerts for 'All Administrative operations' on your vaults. This way, you'll know about any changes."

This helps you spot if someone's messing with your logs.

7. Do Regular Log Reviews

Log reviews are your window into Azure Key Vault activity. Here's how to make them effective:

1. Set a Schedule

Don't wait for problems. Stick to a routine:

Frequency | Focus
----------|---------------------------------
Daily     | Unusual access, failed attempts
Weekly    | New users, permission changes
Monthly   | Usage trends, policy compliance

2. Use Azure Log Analytics

Dig deeper with queries like:

AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultGet" or OperationName == "VaultPut"
| summarize count() by OperationName, ResultType

This shows how often the vault itself is read or modified and whether those requests succeed, broken down by operation and result.

3. Check Both Planes

Monitor management plane (vault settings changes) and data plane (secret access) logs.

4. Automate Alerts

Set up alerts for critical events. Microsoft recommends:

"Set up alerts for 'All Administrative operations' on your vaults. This way, you'll know about any changes."

5. Act on Findings

Make your reviews count:

Finding                 | Action
------------------------|------------------------------------
Odd access times        | Update access policies if needed
Failed logins           | Check for brute force attempts
Secret retrieval spikes | Review and optimize app behavior
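The schedule and findings tables above describe checks that are easy to automate once audit records are in hand. This added Python example (not code from the original post) runs three of them over a constructed week of baseline traffic plus one review day: the daily "odd access times" check, the weekly "new users" check, and the "secret retrieval spikes" check measured against each caller's baseline median. It works on records already parsed into dicts, with the calling identity pre-extracted into a single "caller" field (in real logs it sits under the identity claims); the 07:00-19:00 UTC business window, the three-times-median spike factor and the caller names are all assumptions of this example.

```python
"""Review-day checks for Key Vault audit records: off-hours access, callers not
seen in the baseline period, and per-caller SecretGet spikes vs. baseline."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median


def _ev(day, hour, minute, op, result, caller, ip):
    """One constructed, already-parsed audit record (September 2024, UTC)."""
    return {"time": datetime(2024, 9, day, hour, minute, tzinfo=timezone.utc),
            "operationName": op, "resultType": result,
            "caller": caller, "callerIpAddress": ip}


def _day(day, caller, ip, op, count, start_hour=9):
    """`count` successful calls by one caller spread across business hours."""
    return [_ev(day, start_hour + (i % 8), i % 60, op, "Success", caller, ip)
            for i in range(count)]


# Constructed baseline: seven ordinary days of two apps and one admin.
BASELINE = [e for day in range(20, 27) for e in (
    _day(day, "app-payments", "10.1.0.4", "SecretGet", 8)
    + _day(day, "app-reporting", "10.1.0.9", "SecretGet", 3)
    + _day(day, "alice@example.com", "192.0.2.5", "VaultGet", 1))]

# Constructed review day: reporting app reads ten times its usual volume and an
# identity nobody has seen before pulls a secret at 02:15 UTC.
REVIEW_DAY = (_day(27, "app-payments", "10.1.0.4", "SecretGet", 8)
              + _day(27, "app-reporting", "10.1.0.9", "SecretGet", 30)
              + _day(27, "alice@example.com", "192.0.2.5", "VaultGet", 1)
              + [_ev(27, 2, 15, "SecretGet", "Success", "svc-unknown", "203.0.113.20")])


def odd_access_times(records, start_hour=7, end_hour=19):
    """Daily check: successful operations outside the business window (UTC).
    Returns (caller, ISO timestamp) pairs, sorted."""
    return sorted({(r["caller"], r["time"].isoformat()) for r in records
                   if r["resultType"] == "Success"
                   and not start_hour <= r["time"].hour < end_hour})


def new_callers(baseline, records):
    """Weekly check: identities that never appeared in the baseline period."""
    known = {r["caller"] for r in baseline}
    return sorted({r["caller"] for r in records} - known)


def secret_retrieval_spikes(baseline, records, factor=3):
    """Trend check: callers whose SecretGet count on the review day exceeds
    `factor` times their baseline daily median. Returns caller -> (today, median)."""
    per_day = defaultdict(Counter)
    for r in baseline:
        if r["operationName"] == "SecretGet":
            per_day[r["caller"]][r["time"].date()] += 1
    today = Counter(r["caller"] for r in records if r["operationName"] == "SecretGet")
    spikes = {}
    for caller, n in today.items():
        history = list(per_day[caller].values())
        base = median(history) if history else 0
        if n > factor * max(base, 1):
            spikes[caller] = (n, base)
    return spikes


if __name__ == "__main__":
    print("off-hours access:", odd_access_times(REVIEW_DAY))
    print("new callers:", new_callers(BASELINE, REVIEW_DAY))
    print("retrieval spikes:", secret_retrieval_spikes(BASELINE, REVIEW_DAY))
```

A caller with no history at all never trips the spike check (there is no median to compare against), which is why the new-caller check runs alongside it; the two findings together map to the "odd access times" and "secret retrieval spikes" rows of the table.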

Conclusion

Azure Key Vault is crucial for cloud security. But without logging, you're flying blind.

Here's the deal:

Logging is your security camera. It records everything happening in your vault - who's looking at secrets, who's changing access.

But it's not a set-it-and-forget-it thing. You need to:

  • Keep an eye on those logs
  • Set up alerts for suspicious activity
  • Check them regularly

Good logging does more than catch bad actors. It helps you:

  • Find inefficiencies in how your apps use secrets
  • Stay compliant
  • Understand usage patterns

It's a team effort. Security, dev, and ops all play a part. Share what you learn and keep improving.

Yes, setting up logging takes time. But it's way cheaper than dealing with a breach.

Bottom line: With Azure Key Vault, what you don't know can bite you. So log it, watch it, and stay safe.

FAQs

How to audit Azure Key Vault?


Here's how to audit Azure Key Vault:

1. Turn on logging

Use this PowerShell script:

$kv = Get-AzKeyVault -VaultName "<your key vault name>"
# Storage account names must be 3-24 lowercase letters and digits; shorten the prefix if your vault name pushes past that.
$sa = New-AzStorageAccount -ResourceGroupName $kv.ResourceGroupName -Name ('keyvaultlogs4' + $kv.VaultName).ToLower() -SkuName Standard_LRS -Location $kv.Location
Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent

2. Wait 20 minutes for logs to show up in your storage account.

3. Find logs in the insights-logs-auditevent container.

4. Get and check logs using Azure CLI:

az storage blob list --account-name <your-storage-account-name> --container-name insights-logs-auditevent --auth-mode login --output table

Then download and review.

How do I monitor key vault in Azure?

To monitor Azure Key Vault:

  1. Go to Azure Portal
  2. Click "Monitor" (left menu)
  3. Pick "Key Vaults" under Insights

You'll see an Overview workbook with:

Metric          | What it means
----------------|---------------------------
Total requests  | API calls to your vault
Average latency | Response speed
Success ratio   | % of successful requests

Blue values in API hits columns? Pay attention.

Pro tip: Set alerts for weird activity, like logins from non-Azure IPs.

Management plane activities? Check 'AzureActivity' table. Data plane stuff? Look in 'AzureDiagnostics'.
