Azure Key Vault Soft Delete and Purge Protection functions are not enabled

  • Contextual name: Soft Delete and Purge Protection functions are not enabled
  • ID: /ce/ca/azure/key-vault/soft-delete-and-purge-protection
  • Located in: Azure Key Vault

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
dec-x-0be4dfe51

Logic

Description

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.

It is recommended that the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This prevents the loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (keys, secrets, certificates). Such loss may occur through accidental deletion by a user or through disruptive activity by a malicious user.

NOTE: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete.

WARNING: A current limitation is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.

Rationale

Users may accidentally run delete/purge commands on a Key Vault, or an attacker or malicious user may do so deliberately in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, because the keys encrypting data and the secrets/certificates that allow access to services become inaccessible.


Remediation

To enable Do Not Purge and Soft Delete for a Key Vault:

From Azure Portal

  1. Go to Key Vaults.

  2. For each Key Vault.

  3. Click Properties.

  4. Ensure the status of Purge protection reads Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects).

    Note: once enabled you cannot disable it.

From Azure CLI

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=true

From PowerShell

Update-AzKeyVault -VaultName <vaultName> -ResourceGroupName <resourceGroupName> -EnablePurgeProtection
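
To find which vaults need the remediation above, the check can be run over exported vault JSON. The following is an added example, not Cloudaware's policy logic or code from this page; it assumes vault objects in the shape `az keyvault show -o json` prints, and the vault names, subscription ID and resource group are constructed placeholders.

```python
# Audit sketch: flag Key Vaults whose recoverability flags are not explicitly true.
# Assumed input shape: vault objects as printed by `az keyvault show -o json`.

# ARM property behind each control named on this page.
CONTROLS = {
    "soft-delete": "enableSoftDelete",
    "purge-protection": "enablePurgeProtection",
}

def recoverability_gaps(vault):
    """Return the controls that are not explicitly enabled on one vault."""
    props = vault.get("properties") or {}
    # Conservative assumption: a flag that is missing or null counts as a gap,
    # so only an explicit `true` passes.
    return [name for name, key in CONTROLS.items() if props.get(key) is not True]

def remediation_command(vault, gaps):
    """Build an `az resource update` call that sets only the missing flags."""
    sets = " ".join(f"properties.{CONTROLS[g]}=true" for g in gaps)
    return f"az resource update --id {vault['id']} --set {sets}"

def audit(vaults):
    """Map vault name -> {'gaps': [...], 'fix': '<command>'} for failing vaults."""
    findings = {}
    for vault in vaults:
        gaps = recoverability_gaps(vault)
        if gaps:
            findings[vault["name"]] = {
                "gaps": gaps,
                "fix": remediation_command(vault, gaps),
            }
    return findings

# Constructed sample data (placeholder subscription and resource group).
_BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/")
SAMPLE_VAULTS = [
    {"name": "kv-prod", "id": _BASE + "kv-prod",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}},
    {"name": "kv-dev", "id": _BASE + "kv-dev",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": None}},
    {"name": "kv-legacy", "id": _BASE + "kv-legacy", "properties": {}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_VAULTS).items():
        print(name, finding["gaps"], finding["fix"], sep="\n  ")
```

Review the generated commands before running them: as noted above, purge protection cannot be disabled once it is enabled.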

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
CIS Azure v1.1.0 → 8.4 Ensure the key vault is recoverable | 11
CIS Azure v2.1.0 → 8.5 Ensure the Key Vault is Recoverable - Level 1 (Automated) | 11
CIS Azure v3.0.0 → 3.3.5 Ensure the Key Vault is Recoverable (Automated) | 1
Cloudaware Framework → Data Protection and Recovery | 10
FedRAMP High Security Controls → IA-5 Authenticator Management (L)(M)(H) | 61420
FedRAMP High Security Controls → SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 1911
FedRAMP Low Security Controls → IA-5 Authenticator Management (L)(M)(H) | 120
FedRAMP Low Security Controls → SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 11
FedRAMP Moderate Security Controls → IA-5 Authenticator Management (L)(M)(H) | 420
FedRAMP Moderate Security Controls → SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 11
ISO/IEC 27001:2013 → A.9.2.4 Management of secret authentication information of users | 810
ISO/IEC 27001:2013 → A.10.1.2 Key management | 911
NIST CSF v1.1 → PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1922
NIST CSF v1.1 → PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1922
NIST CSF v1.1 → PR.DS-1: Data-at-rest is protected | 1519
NIST CSF v1.1 → PR.DS-2: Data-in-transit is protected | 1421
NIST CSF v2.0 → PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 23
NIST CSF v2.0 → PR.AA-03: Users, services, and hardware are authenticated | 22
NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 58
NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 82
NIST CSF v2.0 → PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 69