Control: Resource logs in Key Vault should be enabled
Description
Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.keyvault_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.keyvault_logging_enabled --share
SQL
This control uses a named query:
with audit_logging_details as (
  select
    id
  from
    azure_key_vault,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    diagnostic_settings is not null
    and log -> 'categoryGroup' = '"audit"'
    and (log -> 'enabled')::bool = true
),
alllogs_logging_details as (
  select
    id
  from
    azure_key_vault,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    diagnostic_settings is not null
    and log -> 'categoryGroup' = '"allLogs"'
    and (log -> 'enabled')::bool = true
)
select
  v.id as resource,
  case
    when v.diagnostic_settings is null then 'alarm'
    when audit.id is not null and alllogs.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when v.diagnostic_settings is null then v.name || ' logging not enabled.'
    when audit.id is not null and alllogs.id is not null then v.name || ' logging enabled.'
    when audit.id is null then v.name || ' logging not enabled for audit category group.'
    when alllogs.id is null then v.name || ' logging not enabled for allLogs category group.'
    else v.name || ' logging not enabled.'
  end as reason,
  v.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault v
  left join audit_logging_details as audit on audit.id = v.id
  left join alllogs_logging_details as alllogs on alllogs.id = v.id,
  azure_subscription sub
where
  -- restrict the vault/subscription cross join to the vault's own subscription;
  -- this clause is missing from the extracted text and is assumed here
  sub.subscription_id = v.subscription_id;
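The decision the query makes, reproduced in Python over constructed diagnostic_settings documents so the control's verdicts can be checked without a live subscription. This is an added example, not code from the azure_compliance mod; the vault names and settings are made up, and the JSON shape assumed is the one the query walks (settings[].properties.logs[] with categoryGroup and enabled).

```python
# Added example (not part of the azure_compliance mod): evaluates the same
# decision the control's SQL makes, over the diagnostic_settings structure
# Steampipe exposes for azure_key_vault.

def _category_group_enabled(diagnostic_settings, group):
    """True if any diagnostic setting has an enabled log entry whose
    categoryGroup equals `group` (mirrors the audit/allLogs CTEs)."""
    for setting in diagnostic_settings or []:
        for log in setting.get("properties", {}).get("logs", []):
            if log.get("categoryGroup") == group and log.get("enabled") is True:
                return True
    return False


def evaluate_key_vault_logging(name, diagnostic_settings):
    """Return (status, reason) in the same order as the control's CASE expressions."""
    if diagnostic_settings is None:
        return "alarm", f"{name} logging not enabled."
    audit = _category_group_enabled(diagnostic_settings, "audit")
    alllogs = _category_group_enabled(diagnostic_settings, "allLogs")
    if audit and alllogs:
        return "ok", f"{name} logging enabled."
    if not audit:
        return "alarm", f"{name} logging not enabled for audit category group."
    return "alarm", f"{name} logging not enabled for allLogs category group."


# Constructed sample vaults (not real resources). Note that an empty list is
# not SQL null, so it falls through to the "audit category group" reason.
SAMPLE_VAULTS = {
    "kv-no-settings": None,
    "kv-audit-only": [{"properties": {"logs": [
        {"categoryGroup": "audit", "enabled": True}]}}],
    "kv-both": [{"properties": {"logs": [
        {"categoryGroup": "audit", "enabled": True},
        {"categoryGroup": "allLogs", "enabled": True}]}}],
    # Per-category entries (no categoryGroup) and disabled groups do not
    # satisfy this control as written.
    "kv-per-category": [{"properties": {"logs": [
        {"category": "AuditEvent", "enabled": True},
        {"categoryGroup": "allLogs", "enabled": False}]}}],
}


def evaluate_all(vaults=SAMPLE_VAULTS):
    return {n: evaluate_key_vault_logging(n, s) for n, s in vaults.items()}


if __name__ == "__main__":
    for status, reason in evaluate_all().values():
        print(f"{status:5} {reason}")
```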