Azure key vault is not recoverable

ID

key_vault_recovery_enabled

Severity

low

Vendor

Azure

Resource

Key Vault

Tags

non-reachable

Description

Key Vault should be recoverable.

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

Two vault recovery features can be distinguished:

  • Soft delete is designed to prevent accidental deletion of your key vault and of the keys, secrets, and certificates stored inside it. A soft-deleted vault or object is kept for the configured retention period (7 to 90 days) and can be recovered during that time. Once soft delete has been enabled, it cannot be disabled; Azure now enables it by default on newly created vaults.

  • Purge protection is designed to prevent the deletion of your key vault, keys, secrets, and certificates by a malicious insider. With purge protection on, nobody (not even an Owner or a Key Vault administrator) can permanently delete or purge a soft-deleted key vault or object until the retention period elapses; once it elapses, the key vault or key vault object is purged automatically. Purge protection only takes effect when soft delete is also enabled, and like soft delete it cannot be turned off once enabled.

Microsoft recommends making the key vault recoverable by enabling both the Soft Delete and the Do Not Purge (purge protection) functions.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2017-08-01-preview",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "properties": {
        "enablePurgeProtection": false,
        "enableSoftDelete": false
      }
    }
  ]
}
1 The Key Vault sets neither enablePurgeProtection nor enableSoftDelete to true, so the vault is not recoverable. Note that the Key Vault resource provider does not accept false for enablePurgeProtection (enabling it is irreversible), so a template that sets it explicitly to false is rejected at deployment time; the common real-world case is a template that simply omits the property, which leaves purge protection off.

Terraform

# No purge_protection_enabled
resource "azurerm_key_vault" "bad_no_purge_protection" { # FLAW (1)
  name                       = "my_key_vault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"

  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7 # between 7 and 90

  # access_policy ...
}
1 purge_protection_enabled is not set; the provider default is false, so the vault and its contents can be purged as soon as they are soft-deleted.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2017-08-01-preview",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "properties": {
        "enablePurgeProtection": true,
        "enableSoftDelete": true
      }
    }
  ]
}
1 Key Vault enables enablePurgeProtection and enableSoftDelete to make it recoverable.

Terraform

# purge_protection_enabled set explicitly
resource "azurerm_key_vault" "good_purge_protection" {
  name                       = "my_key_vault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"

  enabled_for_disk_encryption = true
  purge_protection_enabled    = true # FIXED
  # soft_delete_enabled deprecated, defaults to true
  # soft_delete_enabled       = true
  soft_delete_retention_days  = 7 # between 7 and 90

  # access_policy ...
}

Runtime

CLI Command

  • To enable soft-delete on a key vault, use the following command (vaults created since soft delete became the default already have it on, and it cannot be turned off again):

$ az keyvault update --subscription <subscription id> -g <resource group> -n <vault name> --enable-soft-delete true
  • To enable purge-protection on a key vault, use the following command (this is irreversible; soft delete must already be enabled):

$ az keyvault update --subscription <subscription id> -g <resource group> -n <vault name> --enable-purge-protection true
  • To verify the result, show the vault and inspect the two properties:

$ az keyvault show --subscription <subscription id> -g <resource group> -n <vault name> --query "properties.{softDelete:enableSoftDelete,purgeProtection:enablePurgeProtection,retentionDays:softDeleteRetentionInDays}"
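The following is an added audit helper, not code from the original page or from any scanner it describes. It applies the recoverability check above to the `properties` object of a vault, which has the same property names (`enableSoftDelete`, `enablePurgeProtection`, `softDeleteRetentionInDays`) whether it comes from an ARM template resource or from the JSON printed by `az keyvault show -o json`. The vault objects in `SAMPLE_VAULTS` are constructed for the example; the script also accepts a JSON array of vault objects on stdin, which you would assemble yourself from `az keyvault show` output for each vault.

```python
"""Flag Azure Key Vaults that are not recoverable (added example).

A vault counts as recoverable only when enableSoftDelete and
enablePurgeProtection are both true. The check is deliberately strict:
a missing property is treated like false, which matches the service
default for purge protection and the behaviour of older vaults for
soft delete.
"""
import json
import sys

# Constructed sample data shaped like `az keyvault show -o json` output
# (and like ARM resources): only "name" and "properties" are needed.
SAMPLE_VAULTS = [
    {
        "name": "good",
        "properties": {
            "enableSoftDelete": True,
            "enablePurgeProtection": True,
            "softDeleteRetentionInDays": 90,
        },
    },
    {
        "name": "bad",
        "properties": {
            "enableSoftDelete": True,
            # enablePurgeProtection omitted: service default is false
            "softDeleteRetentionInDays": 7,
        },
    },
    {
        # Old vault whose JSON carries neither property at all.
        "name": "legacy",
        "properties": {},
    },
]


def recovery_findings(props):
    """Return a list of findings for one vault's properties.

    An empty list means the vault is recoverable under this rule.
    """
    findings = []
    if props.get("enableSoftDelete") is not True:
        findings.append("enableSoftDelete is not true")
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection is not true (default is false)")
    retention = props.get("softDeleteRetentionInDays")
    # Azure only accepts 7..90; anything else means the value is bogus
    # (e.g. a hand-edited template) and should be reported too.
    if retention is not None and not 7 <= retention <= 90:
        findings.append(f"softDeleteRetentionInDays={retention} outside 7..90")
    return findings


def audit_vaults(vaults):
    """Map each vault name to its findings (empty list == recoverable)."""
    report = {}
    for vault in vaults:
        name = vault.get("name", "<unnamed>")
        report[name] = recovery_findings(vault.get("properties") or {})
    return report


def main():
    # Read a JSON array of vault objects from stdin when piped in,
    # otherwise fall back to the constructed sample.
    vaults = SAMPLE_VAULTS if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit_vaults(vaults)
    for name, findings in report.items():
        status = "OK " if not findings else "FAIL"
        print(f"{status} {name}" + ("" if not findings else ": " + "; ".join(findings)))
    # Non-zero exit code so the check can gate a pipeline.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no input to see the sample report, or pipe in real data, for example by collecting `az keyvault show -n <vault> -o json` for each vault into a JSON array and feeding that array on stdin; a non-zero exit code means at least one vault is not recoverable.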