Control: 8.4 Ensure the key vault is recoverable
A key vault holds keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss, or loss of the security functions (authentication, validation, verification, etc.) that the key vault objects support.
It is recommended that the key vault be made recoverable by enabling the Do Not Purge (purge protection) and Soft Delete functions. This prevents loss of encrypted data, including storage accounts, SQL databases and other services that depend on key vault objects, in the event of accidental deletion by a user or deliberate deletion by a malicious user.
Two key vault properties determine whether a key vault can become permanently unavailable:
- enableSoftDelete: Setting this property to true ensures that even if the key vault is deleted, the vault itself and its objects remain recoverable for the soft-delete retention period (90 days by default).
- enablePurgeProtection: Setting this property to true ensures that the key vault and its objects cannot be purged (permanently deleted) before the retention period has expired. Purge protection requires soft-delete to be enabled.
From Azure Console
- Login and go to the key vault.
- Go to the Settings section and click on the option that enables purge protection and soft-delete.
- Verify that soft-delete is enabled for the key vault.
From Command Line
Command to enable Do Not Purge and Soft Delete for a key vault:
az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true
Note: Once purge protection and soft-delete are enabled for a key vault, the change is irreversible; neither setting can be turned off again.
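The check this control performs can be reproduced offline against the JSON that az returns for a vault. The following script is an added example (not code from this page, from CIS, or from Steampipe): it reads a constructed sample in the shape of `az resource show` output, trimmed to the fields that matter, flags any vault where enableSoftDelete or enablePurgeProtection is not true, and prints the same `az resource update` remediation command given above for each failing vault. The vault names and the all-zero subscription ID are invented. It assumes, as the API behaves in practice, that a vault where purge protection was never enabled simply omits the enablePurgeProtection key, so a missing key is treated as false; soft-delete is on by default for vaults created since 2021 and cannot be disabled, so the soft-delete failure case is mostly older vaults.

```python
"""Offline audit of the two Key Vault properties that CIS 8.4 checks.

Added example; not code from the page, CIS or Steampipe. It reads the
JSON shape returned by `az resource show` / `az keyvault list` (only the
fields used here are reproduced) and reports, per vault, whether
soft-delete and purge protection are both on, plus the remediation
command from the page for any vault that fails.
"""
import json

# Constructed sample output (trimmed to the fields the check needs). The
# subscription and vault names are invented and refer to no real resources.
# The second vault omits enablePurgeProtection entirely, which is how the
# API reports a vault where it was never turned on (assumption from
# observed output; a missing key is treated as false below).
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-prod-01",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-01",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90,
                  "enablePurgeProtection": true}},
  {"name": "kv-dev-01",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-dev-01",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 7}},
  {"name": "kv-legacy-01",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-legacy/providers/Microsoft.KeyVault/vaults/kv-legacy-01",
   "properties": {"enableSoftDelete": false}}
]
""")


def remediation_command(vault_id: str) -> str:
    """The `az resource update` command given on this page, for one vault."""
    return (f"az resource update --id {vault_id} "
            "--set properties.enablePurgeProtection=true "
            "properties.enableSoftDelete=true")


def evaluate_vault(vault: dict) -> dict:
    """Return the control result for one vault: 'ok' only if both flags are true."""
    props = vault.get("properties") or {}
    soft_delete = bool(props.get("enableSoftDelete", False))
    purge_protection = bool(props.get("enablePurgeProtection", False))
    retention = props.get("softDeleteRetentionInDays")

    missing = []
    if not soft_delete:
        missing.append("soft-delete")
    if not purge_protection:
        missing.append("purge protection")

    if missing:
        status = "alarm"
        reason = f"{vault['name']} is missing {' and '.join(missing)}."
        fix = remediation_command(vault["id"])
    else:
        status = "ok"
        reason = (f"{vault['name']} is recoverable: soft-delete "
                  f"({retention} day retention) and purge protection are enabled.")
        fix = None
    return {"name": vault["name"], "status": status,
            "reason": reason, "remediation": fix}


def audit(vaults: list) -> list:
    """Evaluate every vault; input order is preserved."""
    return [evaluate_vault(v) for v in vaults]


def failing_vault_names(vaults: list) -> list:
    """Names of the vaults that would raise an alarm under this control."""
    return [r["name"] for r in audit(vaults) if r["status"] == "alarm"]


if __name__ == "__main__":
    for result in audit(SAMPLE_VAULTS):
        print(f"{result['status']:5s} {result['reason']}")
        if result["remediation"]:
            print("      fix:", result["remediation"])
```

To run it against a real subscription, replace SAMPLE_VAULTS with the parsed output of `az keyvault list` (which returns the same id/name/properties fields). Because the remediation is irreversible, review the list of failing vaults before running the printed commands rather than piping them straight into a shell.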
steampipe check azure_compliance.control.cis_v130_8_4
This control uses a named query: keyvault_vault_recoverable