53 lines
1.8 KiB
YAML
53 lines
1.8 KiB
YAML
id: azure-keyvault-audit-not-enabled
|
|
info:
|
|
name: Enable AuditEvent Logging for Azure Key Vaults
|
|
author: princechaddha
|
|
severity: medium
|
|
description: |
|
|
Ensure that AuditEvent logging is enabled for all Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets like passwords using keys stored in Hardware Security Modules (HSMs).
|
|
impact: |
|
|
Lack of AuditEvent logging can hinder incident detection and increase the risk of unauthorized access without traceability.
|
|
remediation: |
|
|
Enable the AuditEvent logging for Azure Key Vaults to ensure all access and operations are logged, enhancing security and compliance.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security
|
|
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let VaultData of iterate(template.vaultNames)) {
|
|
set("vaultName", VaultData);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az keyvault list --query '[*].id' --output json
|
|
|
|
extractors:
|
|
- type: json
|
|
name: vaultNames
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az monitor diagnostic-settings list --resource $vaultName --query '[*].logs | []' --output json
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '[]'
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'vaultName + " does not have AuditEvent logging enabled"'
|
|
# digest: 4a0a004730450220353e61abb4a325f55307255d1fabedd37b262e69ab8317e43de9ca86a59cc0c2022100fb9605ad1afd2c675b82d9cd343aff03431bde074e179cc90dfbc5c997c75135:922c64590222798bb761d5b6d8e72950 |