Ensure that production Azure Key Vaults are recoverable in order to prevent permanent deletion/purging of encryption keys, secrets and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both "Soft Delete" and "Do Not Purge" features:
"Soft Delete", implemented by enableSoftDelete parameter, ensures that even if the Key Vault is deleted, the vault itself or its objects (keys, secrets, certificates) remain recoverable for next 90 days. In this span of 90 days, either the vault and its objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the Azure Key Vault and all its objects will be purged.
"Do Not Purge" feature, implemented by enablePurgeProtection parameter, ensures that the Azure Key Vault and its objects cannot be purged at all, preventing users from accidentally purging Azure Key Vault resources. This adds to the "Soft Delete" feature which only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from the date of deletion.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Deleting or purging a Key Vault instance can lead to immediate data loss, as the keys encrypting the data and the secrets or certificates allowing access to resources and applications will become non-accessible. To prevent loss of encrypted data including storage accounts, SQL databases, and other cloud resources and services dependent on Key Vault objects (i.e. encryption keys, secrets, certificates), as may happen in the case of accidental deletion by a negligent user or from disruptive activity initiated by a malicious user, Cloud Conformity highly recommends implementing Azure Key Vault recoverability by enabling both "Soft Delete" and "Do Not Purge" features for the production vaults.
To determine if your Microsoft Azure Key Vault instances are recoverable, perform the following actions:Note: Checking your Azure Key Vaults for recoverability using Azure Management Console (Portal) is not currently supported.
Remediation / Resolution
To make your production Key Vault instances and its objects (encryption keys, secret keys and certificates) recoverable, you must enable "Do Not Purge" and "Soft Delete" features. To activate both these features, perform the following actions:Note: Reconfiguring your existing Azure Key Vaults for recoverability using Azure Management Console (Portal) is not currently supported.
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Enable Key Vault Recoverability
Risk level: High