Azure-KeyVaults-Key-Vault-Recovery-Enabled

Severity: High

Description: This control ensures that enableSoftDelete and enablePurgeProtection are enabled for a key vault so that the key vault and its objects are recoverable. It is recommended that the key vault be made recoverable by enabling "Do Not Purge" and "Soft Delete" to prevent the immediate loss of encrypted data (Storage accounts, SQL databases etc.) and/or of dependent services provided by key vault objects (Keys, Secrets, Certificates) in case of accidental deletion by a user, as well as disruptive activity by a malicious user.

Remediation Steps:

Perform the following to update the configuration for the key vault using the CLI:

  1. az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true
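As an added example (not part of this control's text), the check below evaluates the JSON that `az keyvault show` or an ARM export returns for a vault and reports whether both recovery flags are set, generating the same `az resource update --set` remediation as the step above for whatever is missing. The vault ids and property values are constructed sample data; the property names `enableSoftDelete` and `enablePurgeProtection` are the ARM names used in the control.

```python
"""Compliance check for the Key Vault recovery control (added example)."""
import json

REQUIRED = ("enableSoftDelete", "enablePurgeProtection")


def evaluate_vault(resource: dict) -> dict:
    """Return {'id', 'compliant', 'missing', 'remediation'} for one vault.

    A flag counts as disabled when it is false OR absent: ARM omits
    enablePurgeProtection entirely on vaults where it was never turned on,
    so a naive `== False` check would wrongly pass such vaults.
    """
    props = resource.get("properties", {})
    missing = [flag for flag in REQUIRED if props.get(flag) is not True]
    remediation = None
    if missing:
        # Same `az resource update --set` form as the remediation step.
        # Note: purge protection cannot be disabled again once enabled.
        settings = " ".join(f"properties.{flag}=true" for flag in missing)
        remediation = f"az resource update --id {resource['id']} --set {settings}"
    return {
        "id": resource["id"],
        "compliant": not missing,
        "missing": missing,
        "remediation": remediation,
    }


# Constructed sample output: one non-compliant vault (purge protection never
# enabled, so the property is absent) and one compliant vault.
SAMPLE_VAULTS = json.loads("""[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-dev",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90}},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": true, "softDeleteRetentionInDays": 90}}
]""")


def run(vaults=SAMPLE_VAULTS) -> list:
    """Evaluate every vault in the list and return the findings."""
    return [evaluate_vault(v) for v in vaults]


if __name__ == "__main__":
    for finding in run():
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['id'].rsplit('/', 1)[-1]} missing={finding['missing']}")
        if finding["remediation"]:
            print("  remediate:", finding["remediation"])
```

To run it against live data, feed `run()` the parsed output of `az keyvault list` followed by `az keyvault show` for each vault.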

Important:

Reference:

Blue Hexagon Proprietary