Azure Key Vault is not recoverable

Description

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions supported by the key vault objects, such as authentication, validation, verification, and non-repudiation. Deleting or purging a key vault leads to immediate data loss as keys encrypting data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects, such as keys, secrets, and certificates. We recommended you make the key vault recoverable by enabling the Do Not Purge and Soft Delete functions. This will prevent accidental deletion by a user running the delete/purge command on the key vault, or an attacker/malicious user does to deliberately to cause disruption.

Code Example

resource "azurerm_key_vault" "example" {
        ...
+   purge_protection_enabled    = true
+   soft_delete_retention_days  = 7     # Default is 90
}

Remediation

Procedure*

There are two key vault properties that play roles in the permanent unavailability of a key vault.

. * EnablePurgeProtection*: * enableSoftDelete* only ensures that the key vault is not deleted permanently and is recoverable for 90 days from the date of deletion. + There are scenarios where the key vault and/or its objects are accidentally purged will not be recoverable. + Setting * enablePurgeProtection* to "true" ensures the key vault and its objects cannot be purged. + Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.

. * SetSoftDeleteRetentionDays (Optional)*: Set the number of days that items should be retained for once soft-deleted. + This value can be between 7 and 90 (the default) days.

Azure Portal The Azure Portal does not currently have provision to update the respective configurations.*
CLI Command*

Use the following command:

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/resourceGroups/ & lt;resourceGroupName>/providers/Microsoft.KeyVault/vaults/& lt;keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

=== Fix - Buildtime

Terraform

Resource: azurerm_key_vault
Arguments: soft_delete_enabled + purge_protection_enabled

Rule Details

Field	Value
ID	IAC-0553
Severity	INFO
IaC Type	arm
Frameworks	ARM, Terraform, Bicep, TerraformPlan
Checkov ID	CKV_AZURE_42

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Azure Key Vault is not recoverable

Description

Code Example

Remediation

Use the following command:

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/resourceGroups/ & lt;resourceGroupName>/providers/Microsoft.KeyVault/vaults/& lt;keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

Rule Details

References

SAST Rules

IaC Rules

License Rules

Azure Key Vault is not recoverable ​

Description ​

Code Example ​

Remediation ​

Use the following command: ​

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/resourceGroups/ & lt;resourceGroupName>/providers/Microsoft.KeyVault/vaults/& lt;keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true ​

Rule Details ​

References ​

Azure Key Vault is not recoverable

Description

Code Example

Remediation

Use the following command:

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/resourceGroups/ & lt;resourceGroupName>/providers/Microsoft.KeyVault/vaults/& lt;keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

Rule Details

References