Azure Keyvault Audit Log

jaime borjas 1 Reputation point
2022-07-27T20:30:45.09+00:00

Hi, is there a way to add custom audit logs for encryption/decryption operations of keys saved in Key Vault?
I am trying to set up a service in which we will use Customer Managed Encryption Keys to encrypt/decrypt data, but with each operation we want to send a custom header that specifies the reason for the operation. AWS has this custom audit log functionality, like user agent or reason code, and I was wondering if there is a way to do that in Azure?


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-07-27T23:39:46.72+00:00

    Hi @jaime borjas ,

    Thanks for your post! I understand that you are looking for a way to add custom audit logs for encryption/decryption operations of keys saved in Azure Key Vault. As you may have seen, Azure does have audit logs for Azure Key Vault, and they include both encryption and decryption. The properties field varies based on the operation (operationName), but usually includes the user agent. The documented operations include creating, modifying, or deleting keys or secrets, as well as signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets.

    The current functionality is documented in the Key Vault audit log articles and includes all of the properties that can be queried:

    Enable Key Vault Logging

    Azure Key Vault logging

    If you want to see details related to failed requests, you can write custom queries to group the requests by certain categories such as http code, as documented in Tobias Zimmergran's blog. I'm not familiar with how the reason code works in AWS, but we may also have an equivalent.

    If you are looking for something more specific though, I'm happy to take your feedback to the product team both to share your use case and see which current options are available.

    Thank you,

    Marilee

    -

    If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

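An added example, not from the post or the Key Vault documentation, of what the answer describes: triaging an exported Key Vault AuditEvent log offline, grouping key encrypt/decrypt calls by the user agent (`clientInfo`) and HTTP status, and listing failed calls. The sample records are constructed, and the field names (`operationName`, `resultType`, `callerIpAddress`, `properties.clientInfo`, `properties.httpStatusCode`) are assumed to match the documented log shape; check them against your own export.

```python
import json
from collections import Counter

# Operation names Key Vault emits for cryptographic key operations
# (assumed from the Key Vault logging article; verify against your logs).
CRYPTO_OPS = {"KeyEncrypt", "KeyDecrypt", "KeyWrap", "KeyUnwrap", "KeySign", "KeyVerify"}

# Constructed sample AuditEvent records, newline-delimited JSON as exported from diagnostics.
SAMPLE_LOG = r"""
{"time":"2022-07-27T20:31:02Z","category":"AuditEvent","operationName":"KeyEncrypt","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"clientInfo":"billing-svc/1.4 reason=invoice-export","requestUri":"https://contoso-kv.vault.azure.net/keys/cmk/abc123/encrypt?api-version=7.3","httpStatusCode":200}}
{"time":"2022-07-27T20:31:05Z","category":"AuditEvent","operationName":"KeyDecrypt","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"clientInfo":"billing-svc/1.4 reason=invoice-export","requestUri":"https://contoso-kv.vault.azure.net/keys/cmk/abc123/decrypt?api-version=7.3","httpStatusCode":200}}
{"time":"2022-07-27T20:31:09Z","category":"AuditEvent","operationName":"KeyDecrypt","resultType":"Failure","callerIpAddress":"198.51.100.7","properties":{"clientInfo":"curl/7.79.1","requestUri":"https://contoso-kv.vault.azure.net/keys/cmk/abc123/decrypt?api-version=7.3","httpStatusCode":403}}
{"time":"2022-07-27T20:31:12Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.10","properties":{"clientInfo":"billing-svc/1.4","requestUri":"https://contoso-kv.vault.azure.net/secrets/db-pass?api-version=7.3","httpStatusCode":200}}
"""


def parse_records(text):
    """Parse a newline-delimited JSON export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_crypto_ops(records):
    """Count key crypto operations by (operation, user agent, HTTP status).

    clientInfo is the caller-controlled string the audit log records, so a
    reason tag the client puts in its user agent is what shows up here.
    """
    counts = Counter()
    for rec in records:
        if rec.get("category") != "AuditEvent" or rec.get("operationName") not in CRYPTO_OPS:
            continue
        props = rec.get("properties", {})
        counts[(rec["operationName"], props.get("clientInfo", ""), props.get("httpStatusCode"))] += 1
    return counts


def failed_crypto_ops(records):
    """Return (time, operation, caller IP, user agent) for crypto calls that did not succeed."""
    return [
        (r["time"], r["operationName"], r.get("callerIpAddress"), r.get("properties", {}).get("clientInfo"))
        for r in records
        if r.get("operationName") in CRYPTO_OPS and r.get("resultType") != "Success"
    ]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key, n in sorted(summarize_crypto_ops(recs).items(), key=str):
        print(n, *key)
    print("failed:", failed_crypto_ops(recs))
```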
