I am looking at automating the process of enabling audit and audit all on all key vaults. There is a diagnostic setting in place for all the vaults; what's left to do is enabling audit and allLogs for the vaults. I checked Azure Policy to see whether there is a policy with a remediation plan in place that could be used to automate the process, but I could not find any.
I then started writing the script below.
```powershell
# Connect to Azure
Connect-AzAccount

# Get the Azure subscription to work in
$subscription = Get-AzSubscription -SubscriptionName 'my-sub'
# $subscription = Get-AzSubscription -SubscriptionId $subscriptionId # Use this line if filtering by subscription ID
if ($null -eq $subscription) {
    Write-Output "Subscription not found."
    exit
}

# Set the current subscription context
Set-AzContext -SubscriptionId $subscription.Id

# Array to hold key vaults without diagnostic settings
$noDiagnosticSettingsKeyVaults = @()
# Array to hold key vaults with updated audit log settings
$updatedAuditLogSettingsKeyVaults = @()

# Get the Key Vault(s) to process (here a single vault, selected by name, for testing)
$keyVaults = Get-AzKeyVault -VaultName 'kv-autom-dev-001'

foreach ($keyVault in $keyVaults) {
    # Get the diagnostic settings for the current Key Vault
    $diagnosticSettings = Get-AzDiagnosticSetting -ResourceId $keyVault.ResourceId

    if ($diagnosticSettings.Count -eq 0) {
        # If there are no diagnostic settings, add the key vault to the array
        $noDiagnosticSettingsKeyVaults += [PSCustomObject]@{
            KeyVaultName  = $keyVault.VaultName
            ResourceGroup = $keyVault.ResourceGroupName
            Subscription  = $subscription.Name
        }
    } else {
        # If diagnostic settings exist, ensure audit log settings are configured
        $logSettings = @()
        $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category "AuditEvent"
        $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category "allLogs"

        # Configure the diagnostic settings with the new log settings
        # (this is the call that produces the error quoted below)
        Set-AzDiagnosticSetting -ResourceId $keyVault.ResourceId -Name $diagnosticSettings.Name -Log $logSettings -Enabled $true

        # Add the key vault to the updated audit log settings array
        $updatedAuditLogSettingsKeyVaults += [PSCustomObject]@{
            KeyVaultName  = $keyVault.VaultName
            ResourceGroup = $keyVault.ResourceGroupName
            Subscription  = $subscription.Name
        }
    }
}
```
I was getting the error:

```text
WARNING: Set-AzDiagnosticSetting is not found. The most similar Azure PowerShell commands are: Get-AzDiagnosticSetting New-AzDiagnosticSetting
Set-AzDiagnosticSetting: The term 'Set-AzDiagnosticSetting' is not recognized as a name of a cmdlet, function, script file, or executable program
```
Initially, using the same script, I got the same error:

To enable audit and allLogs for the key vaults, make use of the PowerShell script below:
```powershell
# Connect to Azure
Connect-AzAccount

# Get the desired Azure subscription
$subscription = Get-AzSubscription -SubscriptionName 'SubName'
if ($null -eq $subscription) {
    Write-Output "Subscription not found."
    exit
}

# Set the current subscription context
Set-AzContext -SubscriptionId $subscription.Id

# Replace this with your actual workspace ID
$workspaceId = "/subscriptions/xxx/resourcegroups/xxx/providers/microsoft.operationalinsights/workspaces/xxx"

# Create the log settings objects with supported category groups
# (Key Vault exposes the "audit" and "allLogs" category groups, not a category named "allLogs")
$logSettings = @()
$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup "Audit"
$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup "AllLogs"

# Get all Key Vaults in the specified subscription
$keyVaults = Get-AzKeyVault

# Keep track of updated Key Vaults
$updatedKeyVaults = @()

foreach ($keyVault in $keyVaults) {
    # Check existing diagnostic settings for the Key Vault
    $existingSettings = Get-AzDiagnosticSetting -ResourceId $keyVault.ResourceId -ErrorAction SilentlyContinue

    if ($existingSettings) {
        # If diagnostic settings exist, update them (New-AzDiagnosticSetting replaces the
        # setting of that name; this assumes a single existing setting per vault)
        New-AzDiagnosticSetting -Name $existingSettings.Name `
            -ResourceId $keyVault.ResourceId `
            -Log $logSettings `
            -WorkspaceId $workspaceId
        $updatedKeyVaults += $keyVault.VaultName
    } else {
        # If diagnostic settings do not exist, create them
        New-AzDiagnosticSetting -Name "DiagnosticSetting" `
            -ResourceId $keyVault.ResourceId `
            -Log $logSettings `
            -WorkspaceId $workspaceId
        $updatedKeyVaults += $keyVault.VaultName
    }
}

# Output the results with the names of the updated Key Vaults
if ($updatedKeyVaults.Count -gt 0) {
    Write-Output "Diagnostic settings have been applied to the following Key Vaults:"
    $updatedKeyVaults | ForEach-Object { Write-Output $_ }
} else {
    Write-Output "No Key Vaults were updated."
}
```
The diagnostic setting was added successfully:

For vaults that already had a diagnostic setting, the logs will also be enabled.
Reference: Create diagnostic settings in Azure Monitor – Azure Monitor | Microsoft
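As an added verification step (example code written for this page, not part of the question or the answer above): once the script has run, read the diagnostic settings back across every subscription the account can see and list the vaults that still lack an enabled audit/allLogs category group or AuditEvent category. It assumes Az.Monitor 4.x, where Get-AzDiagnosticSetting returns objects whose Log property carries Category, CategoryGroup and Enabled fields; Test-KeyVaultAuditLogging is a helper name chosen for this example.

```powershell
#Requires -Modules Az.Accounts, Az.KeyVault, Az.Monitor
# Added example: report Key Vaults whose diagnostic settings do not enable audit logging.

function Test-KeyVaultAuditLogging {
    param(
        # Diagnostic settings already fetched for one vault (may be $null or empty).
        [AllowNull()] $DiagnosticSettings
    )
    foreach ($setting in @($DiagnosticSettings)) {
        # Az.Monitor 4.x exposes the per-category entries as the Log property (assumption).
        foreach ($log in @($setting.Log)) {
            if (-not $log.Enabled) { continue }
            # Either category group covers audit events; AuditEvent is the explicit category.
            if ($log.CategoryGroup -in @('audit', 'allLogs')) { return $true }
            if ($log.Category -eq 'AuditEvent') { return $true }
        }
    }
    return $false
}

# Walk every subscription and every Key Vault, recording what was found.
$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($kv in Get-AzKeyVault) {
        $settings = Get-AzDiagnosticSetting -ResourceId $kv.ResourceId -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Subscription  = $sub.Name
            ResourceGroup = $kv.ResourceGroupName
            KeyVault      = $kv.VaultName
            SettingCount  = @($settings).Count
            AuditEnabled  = Test-KeyVaultAuditLogging -DiagnosticSettings $settings
        }
    }
}

# Vaults with no diagnostic setting at all, or none that enables audit logging.
$report | Where-Object { -not $_.AuditEnabled } | Format-Table -AutoSize
```

Running this before and after the answer's script shows which vaults the change actually reached, and scheduling it catches vaults created later without the setting.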