Azure Key Vault Purge protection is not enabled
Description
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell. When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed. The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and saved, it cannot be changed for that vault.
Code Example
```hcl
resource "azurerm_key_vault" "example" {
  ...
  purge_protection_enabled = true   # the line the remediation adds
}
```
Remediation
Terraform
- Resource: azurerm_key_vault
- Arguments: purge_protection_enabled - (Optional) Is Purge Protection enabled for this Key Vault? Defaults to false.
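The check this rule performs on the TerraformPlan framework, as an added example that is not Checkov's own implementation: it walks the `planned_values` tree of a `terraform show -json` plan and flags every `azurerm_key_vault` whose `purge_protection_enabled` is not exactly `true`, so a vault that omits the argument (provider default `false`) fails the same way as one that sets it to `false`. The plan JSON is a constructed sample trimmed to the fields the check reads.

```python
import json

# Constructed sample shaped like `terraform show -json tfplan` output,
# trimmed to the fields this check reads; not a plan from any real environment.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "azurerm_key_vault.weak", "type": "azurerm_key_vault",
         "name": "weak",
         "values": {"name": "kv-weak", "soft_delete_retention_days": 7}},
        {"address": "azurerm_key_vault.hardened", "type": "azurerm_key_vault",
         "name": "hardened",
         "values": {"name": "kv-hardened", "purge_protection_enabled": true,
                    "soft_delete_retention_days": 90}}
      ],
      "child_modules": [
        {"address": "module.shared",
         "resources": [
           {"address": "module.shared.azurerm_key_vault.explicit_off",
            "type": "azurerm_key_vault", "name": "explicit_off",
            "values": {"name": "kv-off", "purge_protection_enabled": false}}
         ]}
      ]
    }
  }
}
""")


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_key_vault(resource):
    """Return 'PASSED' or 'FAILED' for one azurerm_key_vault resource.
    The argument defaults to false when omitted, so a missing key fails too."""
    values = resource.get("values", {})
    return "PASSED" if values.get("purge_protection_enabled") is True else "FAILED"


def check_plan(plan):
    """Map each azurerm_key_vault address in the plan to its result."""
    root = plan["planned_values"]["root_module"]
    return {r["address"]: evaluate_key_vault(r)
            for r in iter_resources(root) if r.get("type") == "azurerm_key_vault"}


if __name__ == "__main__":
    for address, result in check_plan(SAMPLE_PLAN).items():
        print(f"{result}: {address}")
```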
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0617 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_110 |