AzPolicyAdvertizer

last sync: 2024-Jul-26 18:17:39 UTC

Resource logs in Azure Key Vault Managed HSM should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Resource logs in Azure Key Vault Managed HSM should be enabled
Id a2a5b911-5617-447e-a49e-59dbe0e0434b
Version 1.1.0
Details on versioning
Category Key Vault
Microsoft Learn
Description To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (5)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Insights/diagnosticSettings/logs.enabled microsoft.insights diagnosticSettings properties.logs[*].enabled True False
Microsoft.Insights/diagnosticSettings/logs[*] microsoft.insights diagnosticSettings properties.logs[*] True False
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days microsoft.insights diagnosticSettings properties.logs[*].retentionPolicy.days True False
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled microsoft.insights diagnosticSettings properties.logs[*].retentionPolicy.enabled True False
Microsoft.Insights/diagnosticSettings/storageAccountId microsoft.insights diagnosticSettings properties.storageAccountId True False
Rule resource types IF (1)
Microsoft.KeyVault/managedHsms
Compliance
The following 4 compliance controls are associated with this Policy definition 'Resource logs in Azure Key Vault Managed HSM should be enabled' (a2a5b911-5617-447e-a49e-59dbe0e0434b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 5.1.7 CIS_Azure_1.1.0_5.1.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link 6
hipaa 1211.09aa3System.4-09.aa hipaa-1211.09aa3System.4-09.aa 1211.09aa3System.4-09.aa 12 Audit Logging & Monitoring 1211.09aa3System.4-09.aa 09.10 Monitoring Shared n/a The organization verifies every 90 days for each extract of covered information recorded that the data is erased or its use is still required. 9
op.exp.7 Incident management op.exp.7 Incident management 404 not found n/a n/a 103
RMiT_v1.0 10.66 RMiT_v1.0_10.66 RMiT 10.66 Security of Digital Services Security of Digital Services - 10.66 Shared n/a A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures link 32
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-09-01 18:00:13 change Minor (1.0.0 > 1.1.0)
2021-02-17 14:28:42 add a2a5b911-5617-447e-a49e-59dbe0e0434b
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC