--- title: Vault auditing disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Vault auditing disabled --- # Vault auditing disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `38c71c00-c177-4cd7-8d36-cd1007cdb190` **Cloud Provider:** Azure **Platform:** Terraform **Severity:** Medium **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://www.terraform.io/docs/providers/azurerm/r/key_vault.html) ### Description{% #description %} Enabling logging for Azure Key Vault ensures that all access and management activities are captured and can be monitored for unauthorized or anomalous activity. Without logging enabled—such as omitting a `azurerm_monitor_diagnostic_setting` resource—critical security events and access records would not be recorded, making it difficult to detect potential breaches or comply with audit requirements. A secure configuration includes adding a diagnostic setting. For example: ``` resource "azurerm_monitor_diagnostic_setting" "example" { name = "example" target_resource_id = azurerm_key_vault.example.id storage_account_id = azurerm_storage_account.example.id log { category = "AuditEvent" enabled = true } } ``` This logs Key Vault events and helps ensure accountability and traceability for sensitive key and secret operations. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform provider "azurerm" { features { key_vault { purge_soft_delete_on_destroy = true } } } data "azurerm_client_config" "current" {} resource "azurerm_resource_group" "example" { name = "resourceGroup1" location = "West US" } resource "azurerm_monitor_diagnostic_setting" "example" { name = "example" target_resource_id = data.azurerm_key_vault.example.id storage_account_id = data.azurerm_storage_account.example.id log { category = "AuditEvent" enabled = false retention_policy { enabled = false } } metric { category = "AllMetrics" retention_policy { enabled = false } } } resource "azurerm_key_vault" "example" { name = "testvault" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name enabled_for_disk_encryption = true tenant_id = data.azurerm_client_config.current.tenant_id soft_delete_enabled = true soft_delete_retention_days = 7 purge_protection_enabled = false sku_name = "standard" access_policy { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azurerm_client_config.current.object_id key_permissions = [ "get", ] secret_permissions = [ "get", ] storage_permissions = [ "get", ] } network_acls { default_action = "Deny" bypass = "AzureServices" } tags = { environment = "Testing" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform provider "azurerm" { features { key_vault { purge_soft_delete_on_destroy = true } } } data "azurerm_client_config" "current" {} resource "azurerm_resource_group" "example" { name = "resourceGroup1" location = "West US" } resource "azurerm_key_vault" "example1" { name = "testvault" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name enabled_for_disk_encryption = true tenant_id = data.azurerm_client_config.current.tenant_id soft_delete_enabled = true soft_delete_retention_days = 7 purge_protection_enabled = false sku_name = "standard" access_policy { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azurerm_client_config.current.object_id key_permissions = [ "get", ] secret_permissions = [ "get", ] storage_permissions = [ "get", ] } network_acls { default_action = "Deny" bypass = "AzureServices" } tags = { environment = "Testing" } } ```