Ensure Azure key vault is recoverable

Error: Azure key vault is not recoverable

Bridgecrew Policy ID: BC_AZR_GENERAL_11
Checkov Check ID: CKV_AZURE_42
Severity: MEDIUM

Azure key vault is not recoverable

Description

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions supported by the key vault objects, such as authentication, validation, verification, and non-repudiation. Deleting or purging a key vault leads to immediate data loss as keys encrypting data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects, such as keys, secrets, and certificates.

We recommended you make the key vault recoverable by enabling the Do Not Purge and Soft Delete functions. This will prevent accidental deletion by a user running the delete/purge command on the key vault, or an attacker/malicious user does to deliberately to cause disruption.

Fix - Runtime

Procedure

There are two key vault properties that play roles in the permanent unavailability of a key vault.

  1. EnablePurgeProtection:
    enableSoftDelete only ensures that the key vault is not deleted permanently and is recoverable for 90 days from the date of deletion. There are scenarios where the key vault and/or its objects are accidentally purged will not be recoverable.
    Setting enablePurgeProtection to "true" ensures the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.

  2. SetSoftDeleteRetentionDays (Optional):
    Set the number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

Azure Portal

The Azure Portal does not currently have provision to update the respective configurations.

CLI Command

Use the following command:

az resource update 
--id /subscriptions/xxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/resourceGroups/
<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> 
--set properties.enablePurgeProtection=true properties.enableSoftDelete=true

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault
  • Argument: soft_delete_enabled + purge_protection_enabled
resource "azurerm_key_vault" "example" {
		...
+   purge_protection_enabled    = true
+   soft_delete_retention_days  = 7     # Default is 90
}