Skip to main content

πŸ›‘οΈ Azure Key Vault Purge Protection function is not enabled🟒

  • Contextual name: πŸ›‘οΈ Purge Protection function is not enabled🟒
  • ID: /ce/ca/azure/key-vault/soft-delete-and-purge-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-0be4dfe51

Description​

Open File

Description​

Key vaults contain object keys, secrets, and certificates. Deletion of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.

It is recommended the key vault be made recoverable by enabling the "purge protection" function. This is to prevent the loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects (keys, secrets, certificates, etc.).

NOTE: In February 2025, Microsoft enabled soft delete protection on all key vaults. Users can no longer opt out of or turn off soft delete.

WARNING: A current limitation is that role assignments disappear when a key vault is deleted. All role assignments will need to be recreated after recovery.

Rationale​

Users may accidentally run delete/purge commands on a key vault, or an attacker or malicious user may do so deliberately in order to cause disruption. Deleting or purging a key vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become inaccessible.

... see more

Remediation​

Open File

Remediation​

Note: Once enabled, purge protection cannot be disabled.

From Azure Portal​

  1. Go to Key Vaults.
  2. Click the name of a key vault.
  3. Under Settings, click Properties.
  4. Select the radio button next to Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects).
  5. Click Save.
  6. Repeat steps 1-5 for each key vault requiring remediation.

From Azure CLI​

For each key vault requiring remediation, run the following command to enable purge protection:

az resource update --resource-group <resource-group> --name <key-vault> --resource-type "Microsoft.KeyVault/vaults" --set properties.enablePurgeProtection=true

From PowerShell​

For each key vault requiring remediation, run the following command to enable purge protection:

Update-AzKeyVault -ResourceGroupName <resource-group> -VaultName <key-vault> -EnablePurgeProtection

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 8.4 Ensure the key vault is recoverable11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 8.5 Ensure the Key Vault is Recoverable - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 3.3.5 Ensure the Key Vault is Recoverable (Automated)1no data
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 9.3.5 Ensure the Key Vault is Recoverable (Automated)1no data
πŸ’Ό CIS Azure v5.0.0 β†’ πŸ’Ό 8.3.5 Ensure 'Purge protection' is set to 'Enabled' (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Protection and Recovery18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61436no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1912no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)136no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)12no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)436no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)12no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.4 Management of secret authentication information of users810no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.2 Key management912no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1530no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1653no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization43no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated53no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties131no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected180no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected156no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-11 Protects Encryption Keys69no data