Ensure Azure key vault is recoverable

Error: Azure key vault is not recoverable

Bridgecrew Policy ID: BC_AZR_GENERAL_11
Checkov Check ID: CKV_AZURE_42
Severity: CRITICAL

Description

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of the security functions supported by the key vault objects, such as authentication, validation, verification, and non-repudiation. Deleting or purging a key vault leads to immediate data loss, because the keys that encrypt data (including storage accounts and SQL databases) and the dependent services backed by key vault objects, such as keys, secrets, and certificates, become unavailable.

We recommend you make the key vault recoverable by enabling the Do Not Purge and Soft Delete functions. This prevents accidental deletion by a user running the delete/purge command on the key vault, and deliberate deletion by an attacker or malicious user intending to cause disruption.

Fix - Runtime

Procedure

Two key vault properties determine whether a key vault can become permanently unavailable.

  1. EnableSoftDelete:
    Setting this parameter to true for a key vault ensures that even if the key vault is deleted, the key vault itself, or its objects, remain recoverable for the next 90 days. During the 90-day period the key vault/objects can be recovered or purged (permanent deletion). If no action has been taken after 90 days, the key vault and its objects will be purged.

  2. EnablePurgeProtection:
    enableSoftDelete only ensures that the key vault is not deleted permanently and is recoverable for 90 days from the date of deletion. There are scenarios where the key vault and/or its objects are accidentally purged and will not be recoverable.
    Setting enablePurgeProtection to "true" ensures the key vault and its objects cannot be purged. Enabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.

Azure Portal

The Azure Portal does not currently provide a way to update these configurations.

CLI Command

Use the following command:

az resource update \
  --id /subscriptions/xxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> \
  --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault
  • Argument: soft_delete_enabled + purge_protection_enabled
resource "azurerm_key_vault" "example" {
    ...
+   soft_delete_enabled      = true
+   purge_protection_enabled = true
}
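The following Python is an added example, not Checkov's own implementation of CKV_AZURE_42: it applies the policy's two conditions to either an azurerm_key_vault block (the buildtime arguments above) or the runtime properties object of an existing vault (the enableSoftDelete/enablePurgeProtection names from the CLI fix), reports which protection is missing, and builds the az remediation command. The sample configurations are constructed.

```python
from typing import Any, Dict, List

# Terraform argument names from the buildtime fix and ARM property names
# from the runtime fix, each mapped to the protection it enables.
TERRAFORM_ATTRS = {"soft_delete_enabled": "soft delete",
                   "purge_protection_enabled": "purge protection"}
ARM_PROPS = {"enableSoftDelete": "soft delete",
             "enablePurgeProtection": "purge protection"}


def _truthy(value: Any) -> bool:
    """HCL parsers often return lists or strings; normalise to a bool."""
    if isinstance(value, list) and value:
        value = value[0]
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def missing_protections(conf: Dict[str, Any], names: Dict[str, str]) -> List[str]:
    """Protections that are absent or not set to true in this config."""
    return [label for key, label in names.items() if not _truthy(conf.get(key))]


def check_terraform_key_vault(resource: Dict[str, Any]) -> str:
    """CKV_AZURE_42-style verdict for an azurerm_key_vault block."""
    return "PASSED" if not missing_protections(resource, TERRAFORM_ATTRS) else "FAILED"


def check_runtime_key_vault(properties: Dict[str, Any]) -> str:
    """Same verdict for the `properties` object of a deployed vault."""
    return "PASSED" if not missing_protections(properties, ARM_PROPS) else "FAILED"


def remediation_command(vault_resource_id: str) -> str:
    """The `az resource update` call from the runtime fix for a failing vault."""
    return (f"az resource update --id {vault_resource_id} "
            "--set properties.enablePurgeProtection=true properties.enableSoftDelete=true")


# Constructed sample inputs: a vault with only soft delete, and the fixed one.
WEAK_TF = {"name": ["example"], "sku_name": ["standard"], "soft_delete_enabled": [True]}
FIXED_TF = {**WEAK_TF, "purge_protection_enabled": [True]}
WEAK_RUNTIME = {"enableSoftDelete": True}  # enablePurgeProtection never set
FIXED_RUNTIME = {"enableSoftDelete": True, "enablePurgeProtection": True}

if __name__ == "__main__":
    for label, conf in [("weak terraform", WEAK_TF), ("fixed terraform", FIXED_TF)]:
        print(label, check_terraform_key_vault(conf), missing_protections(conf, TERRAFORM_ATTRS))
    for label, props in [("weak runtime", WEAK_RUNTIME), ("fixed runtime", FIXED_RUNTIME)]:
        print(label, check_runtime_key_vault(props), missing_protections(props, ARM_PROPS))
```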
