Description
Related to: Ensure that logging for Azure Key Vault is 'Enabled'
Context:
This issue relates to the CIS requirement to ensure that logging for Azure Key Vault is enabled.
Problem:
Currently, in our implementation, accessing the 'days' and 'enabled' fields of the retention policy inside an Azure Key Vault's diagnostic settings is not straightforward. The structure of the JSON object returned by azure.subscription.keyVault.vaults does not allow these fields to be retrieved or compared directly:
```
azure.subscription.keyVault.vaults: [
  0: {
    diagnosticSettings: [
      0: {
        properties.logs: [
          0: {
            retentionPolicy: {
              days: 0.000000
              enabled: false
            }
          }
          1: {
            retentionPolicy: {
              days: 0.000000
              enabled: false
            }
          }
        ]
      }
    ]
  }
]
```
Example of Current Data Structure:

```
azure.subscription.keyVault.vaults { diagnosticSettings { properties.logs.where(category == "AuditEvent") { retentionPolicy { days } } } }
```
Here, both 'days' and 'enabled' fields are nested and not directly accessible for comparison.
Potential Solution:
We need an enhancement or a workaround to access the 'days' value for comparison. A provisional query is available but it does not fully meet our requirements.
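As an added illustration (not cnquery's code), the check this issue is after, expressed in Go over a constructed sample in the nested shape shown above: decode the vault list into typed structs so that `retentionPolicy.days` and `retentionPolicy.enabled` under the `AuditEvent` category become addressable, then compare against a retention threshold. The `category` and log-level `enabled` fields are assumed from the Azure diagnostic settings schema; the dump above only shows the retention policy.

```go
package main

import "encoding/json"
import "fmt"

// Constructed sample in the nested shape the issue shows (not real Azure output); "category"
// and the log-level "enabled" are assumed from the Azure diagnostic settings schema.
const sampleVaults = `[{"diagnosticSettings":[{"properties":{"logs":[
 {"category":"AuditEvent","enabled":true,"retentionPolicy":{"days":90,"enabled":true}},
 {"category":"AllMetrics","enabled":false,"retentionPolicy":{"days":0,"enabled":false}}]}}]}]`
type LogSetting struct {
	Category        string `json:"category"`
	Enabled         bool   `json:"enabled"`
	RetentionPolicy struct {
		Days    float64 `json:"days"` // the 0.000000 seen in the issue's dump
		Enabled bool    `json:"enabled"`
	} `json:"retentionPolicy"`
}
type Vault struct {
	DiagnosticSettings []struct {
		Properties struct {
			Logs []LogSetting `json:"logs"`
		} `json:"properties"`
	} `json:"diagnosticSettings"`
}

// ParseVaults decodes the vault list into typed structs so nested fields are addressable.
func ParseVaults(raw string) ([]Vault, error) {
	var vaults []Vault
	err := json.Unmarshal([]byte(raw), &vaults)
	return vaults, err
}

// AuditLoggingCompliant: some setting has AuditEvent enabled with retention enabled >= minDays.
func AuditLoggingCompliant(v Vault, minDays float64) bool {
	for _, ds := range v.DiagnosticSettings {
		for _, l := range ds.Properties.Logs {
			if l.Category == "AuditEvent" && l.Enabled && l.RetentionPolicy.Enabled && l.RetentionPolicy.Days >= minDays {
				return true
			}
		}
	}
	return false
}

func main() {
	vaults, _ := ParseVaults(sampleVaults) // constructed sample, known to be well-formed
	fmt.Println(AuditLoggingCompliant(vaults[0], 90), AuditLoggingCompliant(vaults[0], 180)) // true false
}
```

The threshold is a parameter because the benchmark's required retention is not stated on this page; the sample vault passes at 90 days and fails at 180.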
Affected function in cnquery (monitor.go):

```go
// The diagnostic setting's properties (including logs[].retentionPolicy) are
// stored as an untyped dict, which is why the nested fields are hard to reach.
mqlAzure, err := CreateResource(runtime, "azure.subscription.monitorService.diagnosticsetting",
	map[string]*llx.RawData{
		"id":               llx.StringData(convert.ToString(entry.ID)),
		"name":             llx.StringData(convert.ToString(entry.Name)),
		"type":             llx.StringData(convert.ToString(entry.Type)),
		"properties":       llx.DictData(properties),
		"storageAccountId": llx.StringDataPtr(entry.Properties.StorageAccountID),
	})
```