
Key vault does not enable soft-delete

Description

Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in it, so an accidental deletion means permanent data loss. With soft delete enabled, an accidentally deleted key vault can be recovered for a configurable retention period.

Code Example

```hcl
resource "azurerm_key_vault" "example" {
  ...
+ soft_delete_retention_days = 7
}
```

Remediation

Terraform

  • Resource: azurerm_key_vault
  • Arguments: soft_delete_retention_days - (Optional) The number of days that items should be retained for once soft-deleted.

This value can be between 7 and 90 days; 90 is the default.
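A minimal Checkov-style check for this rule, added here as an example (it is not Checkov's own implementation): it walks Terraform HCL text, finds every azurerm_key_vault resource, and reports those that do not set soft_delete_retention_days to a value in the 7..90 range. The sample HCL and the regex-based parsing are constructed for illustration; a production scanner would use a real HCL parser.

```python
"""Illustrative check for IAC-0618 / CKV_AZURE_111 (added example, not Checkov's code)."""
import re

# Constructed sample: one compliant vault, one without the argument,
# one with a value outside the valid range, and one unrelated resource.
SAMPLE_HCL = """
resource "azurerm_key_vault" "good" {
  name                       = "kv-good"
  soft_delete_retention_days = 7
}

resource "azurerm_key_vault" "missing" {
  name = "kv-missing"
}

resource "azurerm_key_vault" "out_of_range" {
  name                       = "kv-bad"
  soft_delete_retention_days = 3
}

resource "azurerm_storage_account" "unrelated" {
  name = "sa1"
}
"""

# Matches a top-level azurerm_key_vault block; the closing brace must be at column 0.
RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Matches the argument this rule remediates with a literal integer value.
ARG_RE = re.compile(r'^\s*soft_delete_retention_days\s*=\s*(\d+)\s*$', re.M)


def check_soft_delete(hcl: str) -> dict:
    """Return {resource_name: "PASSED" | "FAILED: <reason>"} for each key vault found."""
    results = {}
    for name, body in RESOURCE_RE.findall(hcl):
        m = ARG_RE.search(body)
        if m is None:
            # The remediation on this page is to set the argument explicitly.
            results[name] = "FAILED: soft_delete_retention_days not set"
            continue
        days = int(m.group(1))
        if not 7 <= days <= 90:
            results[name] = f"FAILED: soft_delete_retention_days={days} outside 7..90"
        else:
            results[name] = "PASSED"
    return results


if __name__ == "__main__":
    for name, verdict in check_soft_delete(SAMPLE_HCL).items():
        print(f"azurerm_key_vault.{name}: {verdict}")
```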

Rule Details

  • ID: IAC-0618
  • Severity: LOW
  • IaC Type: arm
  • Frameworks: Terraform, TerraformPlan
  • Checkov ID: CKV_AZURE_111
