Control: Resource logs in Key Vault should be enabled
Description
Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.keyvault_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.keyvault_logging_enabled --share
SQL
This control uses a named query. A vault is reported as ok only when at least one of its diagnostic settings writes to a storage account (a non-empty storageAccountId), has the AuditEvent log category enabled, and carries a retention policy with a days value. A vault with no diagnostic settings, or whose settings send AuditEvent only to a destination other than a storage account (for example a Log Analytics workspace), is reported as alarm:
with logging_details as (
  -- one row per vault that has at least one diagnostic setting / log pair
  -- meeting all three conditions; distinct avoids a duplicate result row
  -- when a vault has several qualifying settings
  select distinct
    name as key_vault_name
  from
    azure_key_vault,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    diagnostic_settings is not null
    and setting -> 'properties' ->> 'storageAccountId' <> ''
    and (log ->> 'enabled') :: boolean
    and log ->> 'category' = 'AuditEvent'
    and (log -> 'retentionPolicy') :: jsonb ? 'days'
)
select
  v.id as resource,
  case
    when l.key_vault_name is null then 'alarm'
    else 'ok'
  end as status,
  case
    when l.key_vault_name is null then v.name || ' logging not enabled.'
    else v.name || ' logging enabled.'
  end as reason,
  v.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault v
  -- exact-name left join: every vault keeps a row, and a vault is only
  -- credited with its own setting (Key Vault names are globally unique),
  -- never with that of another vault whose name happens to contain it
  left join logging_details l on l.key_vault_name = v.name
  join azure_subscription sub on sub.subscription_id = v.subscription_id;
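The following is an added example, not code from the azure_compliance mod: a stand-alone PostgreSQL script that runs the same evaluation logic over constructed rows shaped like azure_key_vault, so the join and the three per-vault conditions can be exercised without a Steampipe connection. The table name key_vault_sample and every id, vault name, storage account and workspace path in it are made up. The vault named kv is deliberately a prefix of the other names, so a substring match on name would wrongly credit it with another vault's setting; the exact-name join does not.

```sql
-- Added example, not part of the azure_compliance mod: a stand-alone
-- PostgreSQL script that runs the control's evaluation logic over
-- constructed Key Vault rows shaped like azure_key_vault.
-- key_vault_sample and every id, name and setting below are made up.
with key_vault_sample(id, name, resource_group, subscription_id, diagnostic_settings) as (
  values
    -- no diagnostic setting at all
    ('/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv',
     'kv', 'rg-a', 'sub-1', null::jsonb),
    -- AuditEvent goes only to a Log Analytics workspace; no storage account
    ('/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv-law',
     'kv-law', 'rg-a', 'sub-1',
     '[{"name": "to-law", "properties": {"workspaceId": "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.OperationalInsights/workspaces/law-1",
        "logs": [{"category": "AuditEvent", "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}}]}}]'::jsonb),
    -- storage account configured, but the AuditEvent category is disabled
    ('/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv-disabled',
     'kv-disabled', 'rg-a', 'sub-1',
     '[{"name": "to-storage", "properties": {"storageAccountId": "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/stlogs",
        "logs": [{"category": "AuditEvent", "enabled": false, "retentionPolicy": {"enabled": false, "days": 0}}]}}]'::jsonb),
    -- storage account, AuditEvent enabled, retention policy carries a days value
    ('/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv-ok',
     'kv-ok', 'rg-a', 'sub-1',
     '[{"name": "to-storage", "properties": {"storageAccountId": "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/stlogs",
        "logs": [{"category": "AuditEvent", "enabled": true, "retentionPolicy": {"enabled": true, "days": 180}}]}}]'::jsonb)
),
logging_details as (
  -- one row per vault with at least one qualifying setting / log pair;
  -- a null diagnostic_settings yields no rows from jsonb_array_elements,
  -- and a missing storageAccountId key yields null, which fails the <> '' test
  select distinct
    name as key_vault_name
  from
    key_vault_sample,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    setting -> 'properties' ->> 'storageAccountId' <> ''
    and (log ->> 'enabled') :: boolean
    and log ->> 'category' = 'AuditEvent'
    and (log -> 'retentionPolicy') ? 'days'
)
select
  v.name,
  case when l.key_vault_name is null then 'alarm' else 'ok' end as status
from
  key_vault_sample v
  -- exact-name left join keeps every vault in the result and never
  -- credits kv with the setting of kv-ok, kv-law or kv-disabled
  left join logging_details l on l.key_vault_name = v.name
order by v.name;
```

Run it with psql against any PostgreSQL database; it needs no tables. Only the last vault meets all three conditions of the named query. If you run it through a client library that uses ? as a bind-parameter placeholder, replace `(log -> 'retentionPolicy') ? 'days'` with the equivalent function call `jsonb_exists(log -> 'retentionPolicy', 'days')`.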