Ensure key vault enables soft-delete

Error: Key vault does not enable soft delete

Bridgecrew Policy ID: BC_AZR_GENERAL_41
Checkov Check ID: CKV_AZURE_111
Severity: LOW

Key vault does not enable soft-delete


Key Vault's soft-delete feature allows recovery of the deleted vaults and deleted key vault objects (for example, keys, secrets, certificates), known as soft-delete.

Fix - Buildtime


  • Resource: azurerm_key_vault
  • Argument: soft_delete_retention_days - (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
resource "azurerm_key_vault" "example" {
+   soft_delete_retention_days  = 7

Did this page help you?