Control: Resource logs in Key Vault should be enabled
Description
Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.keyvault_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_azure_compliance.control.keyvault_logging_enabled --share
SQL
This control uses a named query:
with key_vaults as (
  select
    *
  from
    terraform_resource
  where
    type = 'azurerm_key_vault'
), diagnostic_setting as (
  select
    *
  from
    terraform_resource
  where
    type = 'azurerm_monitor_diagnostic_setting'
    and (attributes_std ->> 'target_resource_id') like '%azurerm_key_vault.%'
), key_vaults_logging as (
  select
    kv.name as kv_name,
    ds.attributes_std
  from
    key_vaults as kv
    left join diagnostic_setting as ds on kv.name = (split_part((ds.attributes_std ->> 'target_resource_id'), '.', 2))
  where
    (ds.attributes_std ->> 'storage_account_id') is not null
    and (ds.attributes_std -> 'log' ->> 'category')::text = 'AuditEvent'
    and (ds.attributes_std -> 'log' ->> 'enabled')::boolean
    and (ds.attributes_std -> 'log' -> 'retention_policy' ->> 'enabled')::boolean
)
select
  type || ' ' || a.name as resource,
  case
    when s.kv_name is null then 'alarm'
    else 'ok'
  end as status,
  split_part(a.address, '.', 2) || case when s.kv_name is null then ' logging disabled' else ' logging enabled' end || '.' reason,
  a.path || ':' || a.start_line
from
  key_vaults as a
  left join key_vaults_logging as s on a.name = s.kv_name;
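The query above links each azurerm_key_vault to an azurerm_monitor_diagnostic_setting by the Terraform resource label and then checks four predicates on the setting. The following Terraform file is an added example, not part of the terraform_azure_compliance mod or this page, that contains one key vault the control reports as alarm and one it reports as ok; resource names, the location, the tenant ID and the storage account name are constructed placeholders.

```hcl
# Added example (not from the mod or the page): two key vaults in one
# Terraform file, one that the control flags and one that passes.
# All names, the location and the tenant ID are constructed placeholders.

resource "azurerm_resource_group" "example" {
  name     = "rg-kv-logging-example"
  location = "eastus"
}

resource "azurerm_storage_account" "logs" {
  name                     = "stkvauditlogsexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# ALARM: no azurerm_monitor_diagnostic_setting targets this vault, so the
# left join in the key_vaults_logging CTE produces no row for it and the
# outer query reports "unlogged logging disabled."
resource "azurerm_key_vault" "unlogged" {
  name                = "kv-unlogged-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = "00000000-0000-0000-0000-000000000000" # placeholder
  sku_name            = "standard"
}

# OK: the diagnostic setting below satisfies every predicate in the query.
resource "azurerm_key_vault" "logged" {
  name                = "kv-logged-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = "00000000-0000-0000-0000-000000000000" # placeholder
  sku_name            = "standard"
}

resource "azurerm_monitor_diagnostic_setting" "logged" {
  name = "kv-logged-audit"

  # split_part(target_resource_id, '.', 2) must equal the key vault's
  # Terraform label ("logged"); that is how the query joins the two.
  target_resource_id = azurerm_key_vault.logged.id

  # The query requires storage_account_id to be non-null.
  storage_account_id = azurerm_storage_account.logs.id

  # The query reads the "log" block: category must be AuditEvent,
  # enabled must be true, and retention_policy.enabled must be true.
  log {
    category = "AuditEvent"
    enabled  = true

    retention_policy {
      enabled = true
      days    = 90
    }
  }
}
```

Two consequences of the predicates are worth knowing when triaging results. A diagnostic setting that sends AuditEvent logs only to a Log Analytics workspace, with no storage_account_id, still yields alarm, because the query requires a storage account. Likewise, the query inspects the `log` block, so a setting declared only with a different block name for its log categories is not matched and the vault is reported as logging disabled.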