[Security] Add Diagnostic Settings for Infrastructure Resources #21

@emmanuelknafo

Description

Summary

Configure diagnostic settings for Key Vault, App Service, and SQL Server to enable comprehensive audit logging and security monitoring.

Threats Addressed

  • T-008: Insufficient Logging/Monitoring (Medium Risk)

Current State

  • Application Insights configured for application telemetry
  • No diagnostic settings for infrastructure resources
  • Limited visibility into security events and access patterns

Acceptance Criteria

  • Key Vault diagnostic settings enabled (all logs + metrics)
  • App Service diagnostic settings enabled (HTTP logs, audit logs)
  • SQL Server auditing enabled with 90-day retention
  • All logs sent to Log Analytics workspace
  • Alert rules configured for critical security events

Implementation Reference

See security-plan-sample-web-app.md for Bicep code samples.

```bicep
resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-diagnostics'
  scope: keyVault
  properties: {
    workspaceId: logAnalytics.id
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

resource appServiceDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'app-diagnostics'
  scope: appService
  properties: {
    workspaceId: logAnalytics.id
    logs: [
      {
        category: 'AppServiceHTTPLogs'
        enabled: true
      }
      {
        category: 'AppServiceAuditLogs'
        enabled: true
      }
    ]
  }
}

resource sqlServerAuditingSettings 'Microsoft.Sql/servers/auditingSettings@2023-08-01-preview' = {
  parent: sqlServer
  name: 'default'
  properties: {
    state: 'Enabled'
    retentionDays: 90
    isAzureMonitorTargetEnabled: true
  }
}
```

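The snippet above covers the first four acceptance criteria but not the last one (alert rules for critical security events). The following is an added example, not code from the issue or from security-plan-sample-web-app.md, showing one Log Analytics scheduled query alert that fires when a Key Vault records repeated non-successful audit events. It assumes the `logAnalytics` workspace symbol used in the snippet above, a hypothetical existing action group named `ag-security-ops`, and that Key Vault logs land in the default `AzureDiagnostics` table (the behaviour of the `allLogs` setting above unless `logAnalyticsDestinationType: 'Dedicated'` is set).

```bicep
// Added example: scheduled query alert on failed Key Vault operations.
// Assumes the 'logAnalytics' symbol from the diagnostic settings above.
// 'ag-security-ops' is a hypothetical action group that must already exist.
resource securityActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' existing = {
  name: 'ag-security-ops'
}

resource kvFailedAccessAlert 'Microsoft.Insights/scheduledQueryRules@2023-03-15-preview' = {
  name: 'alert-kv-failed-access'
  location: logAnalytics.location
  properties: {
    displayName: 'Key Vault: repeated failed operations'
    description: 'Fires when 5 or more non-successful Key Vault audit events occur within 15 minutes.'
    severity: 1            // 0 = critical, 1 = error; treat repeated failures as an error-level event
    enabled: true
    evaluationFrequency: 'PT5M'   // run the query every 5 minutes
    windowSize: 'PT15M'           // look back over the last 15 minutes
    scopes: [
      logAnalytics.id
    ]
    criteria: {
      allOf: [
        {
          // Rows from the Key Vault AuditEvent category whose result is anything
          // other than Success (e.g. Unauthorized, Forbidden). Counting the
          // returned rows is the measure the alert evaluates.
          query: '''
            AzureDiagnostics
            | where ResourceProvider == "MICROSOFT.KEYVAULT"
            | where Category == "AuditEvent"
            | where ResultType != "Success"
            | project TimeGenerated, Resource, OperationName, ResultType, CallerIPAddress
          '''
          timeAggregation: 'Count'
          operator: 'GreaterThanOrEqual'
          threshold: 5
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: true     // resolve the alert automatically once the condition clears
    actions: {
      actionGroups: [
        securityActionGroup.id
      ]
    }
  }
}
```

The same shape (a KQL query, a `Count` aggregation, a threshold and an action group) serves for the other two resources, for example `AppServiceAuditLogs` entries from unexpected IPs or `AzureDiagnostics` rows from `SQLSecurityAuditEvents` with failed logins. One caveat on the SQL snippet above: `retentionDays` on `Microsoft.Sql/servers/auditingSettings` governs how long audit files are kept in a storage-account target; when the destination is Log Analytics (`isAzureMonitorTargetEnabled: true`), retention is determined by the workspace's data retention setting, so the 90-day criterion should also be verified on the workspace.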
Priority

P2 - High - Implement within 30 days
