We are using Azure Key Vault to keep our application password. All usernames and passwords are stored in the Secret at Key Vault. How can I audit who had checked in to the Secret to retrieve the password?
2 votes
Hi, how's going? Has your issue been solved?
– Stanley Gong
Yes, issue solved. I created a workspace and turned on audit logs for Key Vault. Use this command to check who accessed the secret key: | where Category == "AuditEvent" and OperationName == "SecretGet"
– lonlee
Glad to know it works for you. So could you pls click on the check mark beside the answer to toggle it from greyed out to filled in to mark this answer, so that it will help others who have similar issues, and it will be an award for me :) Have a nice day!
– Stanley Gong
1 Answer
0 votes
Use these PowerShell commands to enable audit logs for Azure Key Vault, so that you can get the logs you need:
# Look up the vault whose secret access you want to audit
$kv = Get-AzKeyVault -VaultName "<your key vault name>"
# Create a storage account in the same resource group and region to receive the logs
$sa = New-AzStorageAccount -ResourceGroupName $kv.ResourceGroupName -Name ('keyvaultlogs4' + $kv.VaultName) -Type Standard_LRS -Location $kv.Location
# Turn on the AuditEvent diagnostic category and route it to that storage account
Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent
Audit logs will be written into your storage container named insights-logs-auditevent as a blob; you can read audit logs from it directly.
Pls note that after you run these commands, it will take about 20 mins before logs start being written to your storage account.
For details see this official doc.
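As an added example (not part of the answer above), here is how the AuditEvent blob content can be filtered for SecretGet operations to see who retrieved which secret, which is the same question the comment's Kusto filter answers in Log Analytics. Field names follow the Key Vault AuditEvent schema; the three sample records, the vault name, the IP addresses and the caller identities are constructed for offline demonstration.

```powershell
# Added example: report who performed SecretGet against a Key Vault, from the
# newline-delimited JSON records that land in the insights-logs-auditevent container.
function Get-SecretGetAudit {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,   # one JSON record per element
        [string] $Operation = 'SecretGet'              # AuditEvent operationName to match
    )
    $upnClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $rec = $line | ConvertFrom-Json
        if ($rec.category -ne 'AuditEvent' -or $rec.operationName -ne $Operation) { continue }
        $claims = $rec.identity.claim
        # A signed-in user carries a UPN claim; a service principal or managed identity only an appid
        $caller = if ($claims.$upnClaim) { $claims.$upnClaim }
                  elseif ($claims.appid) { "appid:$($claims.appid)" }
                  else { '<unknown>' }
        [pscustomobject]@{
            Time     = [datetime]$rec.time
            Caller   = $caller
            CallerIp = $rec.callerIpAddress
            Secret   = $rec.properties.id      # full secret URI, including version if requested
            Result   = $rec.resultType         # denied attempts are as interesting as successes
        }
    }
}

# Constructed sample: two SecretGet calls (one denied) and one unrelated KeyGet that is filtered out
$sample = @'
{"time":"2023-01-01T10:00:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"alice@example.com"}},"properties":{"id":"https://myvault.vault.azure.net/secrets/db-password/1"}}
{"time":"2023-01-01T10:05:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Forbidden","callerIpAddress":"198.51.100.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-000000000001"}},"properties":{"id":"https://myvault.vault.azure.net/secrets/db-password"}}
{"time":"2023-01-01T10:06:00Z","category":"AuditEvent","operationName":"KeyGet","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"alice@example.com"}},"properties":{"id":"https://myvault.vault.azure.net/keys/signing-key/1"}}
'@ -split '\r?\n'

Get-SecretGetAudit -LogLines $sample | Format-Table -AutoSize

# Against a real vault, once the diagnostic setting from the answer has started writing blobs
# ($sa is the storage account object created above):
# Get-AzStorageBlob -Container insights-logs-auditevent -Context $sa.Context |
#     Get-AzStorageBlobContent -Destination .\kvlogs -Force
# Get-ChildItem .\kvlogs -Recurse -Filter *.json |
#     ForEach-Object { Get-SecretGetAudit -LogLines (Get-Content $_.FullName) }
```

Running the sample returns two rows (alice@example.com succeeded, the appid caller was refused) and drops the KeyGet record, so the same function gives both the access trail and the denied attempts worth alerting on.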