Description:
You can monitor how and when your key vaults are accessed, and by whom, by enabling logging for Azure Key Vault. The log data is written to an Azure storage account that you provide.
What is logged:
- All authenticated REST API requests, including failed requests as a result of access permissions, system errors, or bad requests.
- Operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags.
- Operations on keys and secrets in the key vault, including:
  - Creating, modifying, or deleting these keys or secrets.
  - Signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets (and their versions).
- Unauthenticated requests that result in a 401 response. Examples are requests that don't have a bearer token, that are malformed or expired, or that have an invalid token.
- Azure Event Grid notification events for the following conditions: expired, near expiration, and changed vault access policy (the new version event isn't logged). Events are logged even if there's an event subscription created on the key vault. For more information, see Azure Key Vault as Event Grid source.
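The value of this logging is only realised if someone reads the records. The following is an added example (not code from the linked Microsoft documentation) that triages an export of Key Vault AuditEvent records in JSON Lines form: it counts 401 (unauthenticated) and 403 (forbidden) requests per caller IP, lists changes to the vault itself, and summarises successful secret and key reads per principal. Field names follow the documented Key Vault diagnostic log schema (time, category, operationName, callerIpAddress, identity.claim, properties.httpStatusCode, properties.requestUri); the sample records are constructed, the function names (`parse_log_lines`, `principal`, `secret_name`, `triage`), the `failure_threshold` parameter and the `VAULT_CHANGE_OPS` set are this example's own assumptions, and the set of vault-level operation names should be extended from the real schema reference before production use.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Assumed (illustrative) set of operation names that change the vault itself:
# creation/update, attribute and access-policy changes, and deletion.
VAULT_CHANGE_OPS = {"VaultPut", "VaultPatch", "VaultDelete"}

# Constructed sample log lines in the documented AuditEvent shape; not real data.
SAMPLE_LOG_LINES = [
    '{"time":"2024-01-10T09:00:01Z","category":"AuditEvent","operationName":"VaultGet","resultSignature":"OK",'
    '"callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@example.test","oid":"1111"}},'
    '"properties":{"httpStatusCode":200,"requestUri":"https://kv-example.vault.azure.net/?api-version=2016-10-01"}}',
    '{"time":"2024-01-10T09:00:05Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK",'
    '"callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@example.test","oid":"1111"}},'
    '"properties":{"httpStatusCode":200,"requestUri":"https://kv-example.vault.azure.net/secrets/db-password/?api-version=7.4"}}',
    '{"time":"2024-01-10T09:01:00Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden",'
    '"callerIpAddress":"198.51.100.7","identity":{"claim":{"appid":"33333333-3333-3333-3333-333333333333","oid":"2222"}},'
    '"properties":{"httpStatusCode":403,"requestUri":"https://kv-example.vault.azure.net/secrets/db-password/?api-version=7.4"}}',
    '{"time":"2024-01-10T09:01:03Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden",'
    '"callerIpAddress":"198.51.100.7","identity":{"claim":{"appid":"33333333-3333-3333-3333-333333333333","oid":"2222"}},'
    '"properties":{"httpStatusCode":403,"requestUri":"https://kv-example.vault.azure.net/secrets/db-password/?api-version=7.4"}}',
    '{"time":"2024-01-10T09:02:00Z","category":"AuditEvent","operationName":"Authentication","resultSignature":"Unauthorized",'
    '"callerIpAddress":"198.51.100.7","identity":{"claim":{}},'
    '"properties":{"httpStatusCode":401,"requestUri":"https://kv-example.vault.azure.net/secrets/db-password/?api-version=7.4"}}',
    '{"time":"2024-01-10T09:03:00Z","category":"AuditEvent","operationName":"VaultPatch","resultSignature":"OK",'
    '"callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@example.test","oid":"1111"}},'
    '"properties":{"httpStatusCode":200,"requestUri":"https://management.azure.com/subscriptions/placeholder"}}',
    'this line is deliberately not JSON to show that a damaged export does not abort triage',
]


def parse_log_lines(lines):
    """Parse a JSON Lines export of Key Vault diagnostic logs, keeping AuditEvent records only."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than failing the whole run
        if rec.get("category") == "AuditEvent":
            records.append(rec)
    return records


def http_status(record):
    """HTTP status of the request; the 401/403 distinction is what the triage keys on."""
    return (record.get("properties") or {}).get("httpStatusCode")


def principal(record):
    """Best-effort caller label from identity.claim: user principal, then app id, then object id."""
    claim = (record.get("identity") or {}).get("claim") or {}
    return claim.get("upn") or claim.get("appid") or claim.get("oid") or "unauthenticated"


def secret_name(record):
    """Return '<type>/<name>' for a /secrets/, /keys/ or /certificates/ request URI, else None."""
    path = urlparse((record.get("properties") or {}).get("requestUri", "")).path
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] in ("secrets", "keys", "certificates"):
        return f"{parts[0]}/{parts[1]}"
    return None


def triage(records, failure_threshold=2):
    """Summarise access failures, vault-level changes and successful reads from AuditEvent records."""
    unauth_by_ip = Counter(r.get("callerIpAddress") for r in records if http_status(r) == 401)
    forbidden_by_caller = Counter(
        (r.get("callerIpAddress"), principal(r)) for r in records if http_status(r) == 403
    )
    # Any caller IP with at least failure_threshold 401/403 responses is worth a closer look.
    failures_by_ip = Counter(r.get("callerIpAddress") for r in records if http_status(r) in (401, 403))
    flagged_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= failure_threshold)
    vault_changes = [
        (r.get("time"), r.get("operationName"), principal(r))
        for r in records if r.get("operationName") in VAULT_CHANGE_OPS
    ]
    reads = Counter()
    for r in records:
        if r.get("operationName") in ("SecretGet", "KeyGet") and http_status(r) == 200:
            name = secret_name(r)
            if name:
                reads[(name, principal(r))] += 1
    return {
        "unauthenticated_by_ip": dict(unauth_by_ip),
        "forbidden_by_caller": dict(forbidden_by_caller),
        "flagged_ips": flagged_ips,
        "vault_changes": vault_changes,
        "successful_reads": dict(reads),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log_lines(SAMPLE_LOG_LINES)).items():
        print(f"{key}: {value}")
```

Keying on `properties.httpStatusCode` rather than `resultSignature` keeps the 401 and 403 cases apart even when the free-text signature varies; the 401 records correspond to the unauthenticated requests listed above, while 403 records are authenticated principals that lack permission, which usually points at a misconfigured access policy or a compromised identity being tried against the vault.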
Reference:
Full instructions for enabling logging and a description of the log schema can be found here:
https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging
https://docs.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault