Ensure key vault enables purge protection

Error: Key vault disables purge protection

Bridgecrew Policy ID: BC_AZR_GENERAL_40
Checkov Check ID: CKV_AZURE_110
Severity: MEDIUM

Key vault disables purge protection


Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell. When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed. The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and saved it cannot be changed for that vault.

Fix - Buildtime


  • Resource: azurerm_key_vault
  • Argument: purge_protection_enabled - (Optional) Is Purge Protection enabled for this Key Vault? Defaults to false.
resource "azurerm_key_vault" "example" {
+  purge_protection_enabled    = true