Ensure key vault enables soft-delete

Error: Key vault does not enable soft delete

Bridgecrew Policy ID: BC_AZR_GENERAL_41
Checkov Check ID: CKV_AZURE_111
Severity: LOW

Key vault does not enable soft-delete


Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.

Fix - Buildtime


  • Resource: azurerm_key_vault
  • Argument: soft_delete_retention_days - (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
resource "azurerm_key_vault" "example" {
+   soft_delete_retention_days  = 7