
💼 8.3.5 Ensure 'Purge protection' is set to 'Enabled' (Automated)

  • ID: /frameworks/cis-azure-v5.0.0/08/03/05

Description

Key Vaults hold keys, secrets, and certificates. Deleting a Key Vault can cause immediate data loss or the loss of security functions (authentication, validation, verification, non-repudiation, etc.) that depend on the Key Vault objects.

It is recommended that the key vault be made recoverable by enabling "purge protection". This prevents the loss of data encrypted with Key Vault objects (storage accounts, SQL databases, and other services that depend on Key Vault keys, secrets, or certificates). With purge protection on, a soft-deleted vault or object cannot be purged by anyone, including the subscription owner, until the soft-delete retention period has elapsed; it can only be recovered. Note that purge protection cannot be turned off once it has been enabled, and the vault name stays reserved for the full retention period after deletion.

NOTE: In February 2025, Microsoft enabled soft delete on all key vaults. Users can no longer opt out of or turn off soft delete.

WARNING: A current limitation is that Azure RBAC role assignments on a key vault are lost when the vault is deleted. All role assignments must be recreated after the vault is recovered.
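The page describes the control but not how to check it. The following is an added example, not part of the CIS benchmark text: a small audit that takes the JSON returned by `az keyvault show` (or one element of `az keyvault list`) for each vault, flags any vault whose `properties.enablePurgeProtection` is not literally `true`, and emits the Azure CLI remediation command. Azure reports the property as `null` or omits it on vaults where purge protection was never turned on, so the check treats anything other than `true` as non-compliant. The vault names, resource groups and property values in `SAMPLE_VAULTS_JSON` are constructed for illustration.

```python
"""Audit Azure Key Vaults for purge protection (CIS Azure v5.0.0 8.3.5).

Added example; not part of the CIS benchmark text. Input is the JSON shape
that `az keyvault show -n <vault>` returns, trimmed to the fields used here.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample data: three hypothetical vaults in the shape of
# `az keyvault show` output. Names and resource groups are made up.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-payments-prod", "resourceGroup": "rg-payments",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90,
                  "enablePurgeProtection": true}},
  {"name": "kv-analytics-dev", "resourceGroup": "rg-analytics",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 7,
                  "enablePurgeProtection": null}},
  {"name": "kv-legacy", "resourceGroup": "rg-legacy",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90}}
]
"""


def purge_protection_enabled(vault: dict[str, Any]) -> bool:
    """True only when enablePurgeProtection is the JSON boolean true.

    Azure returns null (or omits the key) when purge protection has never
    been enabled, and a string "true" would indicate a mangled export, so
    only a real boolean True counts as compliant.
    """
    return vault.get("properties", {}).get("enablePurgeProtection") is True


def find_noncompliant(vaults: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per vault that lacks purge protection."""
    findings: list[dict[str, str]] = []
    for vault in vaults:
        if purge_protection_enabled(vault):
            continue
        props = vault.get("properties", {})
        findings.append({
            "name": vault["name"],
            "resourceGroup": vault.get("resourceGroup", ""),
            # Retention is reported so the operator knows how long a
            # deleted vault will stay recoverable once protection is on.
            "softDeleteRetentionInDays": str(props.get("softDeleteRetentionInDays", "")),
        })
    return findings


def remediation_commands(findings: list[dict[str, str]]) -> list[str]:
    """Azure CLI command per finding. Purge protection is irreversible once
    enabled, so these are printed for review rather than executed."""
    return [
        f"az keyvault update --name {f['name']} "
        f"--resource-group {f['resourceGroup']} --enable-purge-protection true"
        for f in findings
    ]


def audit(vaults_json: str) -> tuple[list[dict[str, str]], list[str]]:
    """Parse `az keyvault` JSON and return (findings, remediation commands)."""
    findings = find_noncompliant(json.loads(vaults_json))
    return findings, remediation_commands(findings)


if __name__ == "__main__":
    # In a real run, feed this script the output of:
    #   az keyvault list --query "[].name" -o tsv | xargs -I{} az keyvault show -n {}
    found, cmds = audit(SAMPLE_VAULTS_JSON)
    for f in found:
        print(f"NON-COMPLIANT {f['name']} (rg={f['resourceGroup']}, "
              f"retention={f['softDeleteRetentionInDays']}d)")
    for cmd in cmds:
        print(cmd)
```

At subscription scale the same condition is enforced by the built-in Azure Policy "Key vaults should have deletion protection enabled"; the script is useful for a one-off audit or for CI checks against exported vault JSON. Because enabling purge protection is a one-way change that holds a deleted vault's name for the whole retention period, review the generated commands before running them rather than piping them straight into a shell.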

Similar

  • Sections
    • /frameworks/cis-azure-v3.0.0/03/03/05
    • /frameworks/cis-azure-v4.0.0/09/03/05

Similar Sections (Take Policies From)

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v3.0.0 → 💼 3.3.5 Ensure the Key Vault is Recoverable (Automated) | | | 1 | | no data |
| 💼 CIS Azure v4.0.0 → 💼 9.3.5 Ensure the Key Vault is Recoverable (Automated) | | | 1 | | no data |

Sub Sections

None.

Policies (1)

| Policy | Logic | Count | Flags | Compliance |
|---|---|---|---|---|
| 🛡️ Azure Key Vault Purge Protection function is not enabled | 🟢 | 1 | 🟢 x6 | no data |