
Enable Key Vault Recoverability

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: KeyVault-001

Ensure that production Azure Key Vaults are recoverable in order to prevent permanent deletion/purging of encryption keys, secrets and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both "Soft Delete" and "Do Not Purge" features:

"Soft Delete", implemented by the enableSoftDelete parameter, ensures that even if a Key Vault or one of its objects (keys, secrets, certificates) is deleted, it remains recoverable for the next 90 days. During those 90 days the vault or object can either be recovered or purged (permanently deleted). If no action is taken, the Azure Key Vault and all its objects are purged once the 90 days have elapsed.

The "Do Not Purge" feature, implemented by the enablePurgeProtection parameter, ensures that the Azure Key Vault and its objects cannot be purged at all, preventing users from accidentally purging Key Vault resources. This builds on "Soft Delete", which only ensures that a deleted Key Vault is not removed permanently and stays recoverable for 90 days from the date of deletion.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Deleting or purging a Key Vault instance can lead to immediate data loss: the keys that encrypt the data, and the secrets or certificates that grant access to resources and applications, become inaccessible. Encrypted data in storage accounts, SQL databases and any other cloud resources or services that depend on Key Vault objects (i.e. encryption keys, secrets, certificates) is then lost, whether the deletion was an accident by a negligent user or disruptive activity initiated by a malicious user. To prevent this, Cloud Conformity highly recommends implementing Azure Key Vault recoverability by enabling both the "Soft Delete" and "Do Not Purge" features for production vaults.


Audit

To determine if your Microsoft Azure Key Vault instances are recoverable, perform the following actions:

Note: Checking your Azure Key Vaults for recoverability using Azure Management Console (Portal) is not currently supported.

Using Azure CLI

01 Run the keyvault list command (Windows/macOS/Linux) with a custom query filter to list the names of all Key Vault instances provisioned in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Microsoft Azure resource identifiers (names):

[
  "cc-main-production-vault",
  "cc-project5-app-vault",
  "cc-user-access-vault"
]

03 Run the keyvault show command (Windows/macOS/Linux) with the name of the Azure Key Vault instance that you want to examine as the identifier parameter, and a custom query filter, to describe the configuration status of both the "Soft Delete" and "Do Not Purge" features for the selected vault:

az keyvault show \
	--name cc-main-production-vault \
	--query 'properties.{"enableSoftDelete":enableSoftDelete,"enablePurgeProtection":enablePurgeProtection}'

04 The command output should return the requested features configuration metadata:

{
  "enablePurgeProtection": null,
  "enableSoftDelete": null
}

If the keyvault show command output returns null for both the "enablePurgeProtection" and "enableSoftDelete" configuration attributes, as shown in the example above, the verified Microsoft Azure Key Vault instance and its objects are not recoverable.

05 Repeat steps no. 3 and 4 for each production Azure Key Vault provisioned within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To make your production Key Vault instances and their objects (encryption keys, secrets and certificates) recoverable, you must enable both the "Do Not Purge" and "Soft Delete" features. To activate both features, perform the following actions:

Note: Reconfiguring your existing Azure Key Vaults for recoverability using Azure Management Console (Portal) is not currently supported.

Using Azure CLI

01 Run the keyvault update command (Windows/macOS/Linux) with the name of the production Key Vault instance that you want to reconfigure as the identifier parameter (see the Audit section to identify the right vault) to implement recoverability for the selected vault and its objects by enabling both the "Soft Delete" and "Do Not Purge" features:

az keyvault update \
	--name cc-main-production-vault \
	--enable-soft-delete true \
	--enable-purge-protection true

02 The command output should return the metadata for the reconfigured Microsoft Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-production-vault",
  "location": "westeurope",
  "name": "cc-main-production-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ],
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "storage": null
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-main-production-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Repeat step no. 1 and 2 for each Azure Key Vault used in production, provisioned within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
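The following script is an added example and not part of the Conformity page or the Azure CLI itself. It automates the Audit section (steps 01 to 06) and, when invoked with --fix, the Remediation section (steps 01 to 04), across every subscription the signed-in identity can see, using the same az keyvault list, show and update commands quoted above. It assumes the Azure CLI ("az") is installed and `az login` has been run; the function names, the --audit/--fix options and the tsv rendering described in normalize() are this example's own assumptions, not something the page states.

```shell
#!/bin/sh
# Added example, not from the Conformity page: audit (and optionally fix) the
# "Soft Delete" / "Do Not Purge" settings of every Key Vault in every
# subscription. Assumes the Azure CLI is installed and `az login` is done.

# `az ... -o tsv` is assumed to print booleans as True/False and null as an
# empty field, so fold every value to lowercase true/false/null first.
normalize() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true)  echo true ;;
    false) echo false ;;
    *)     echo null ;;
  esac
}

# Apply the rule to one vault's enableSoftDelete / enablePurgeProtection
# values. Prints a reason; returns 0 only when both features are enabled.
classify_vault() {
  soft=$(normalize "$1")
  purge=$(normalize "$2")
  if [ "$soft" = true ] && [ "$purge" = true ]; then
    echo "recoverable"
    return 0
  elif [ "$soft" = true ]; then
    echo "partially recoverable: enablePurgeProtection is $purge, vault can still be purged"
    return 1
  else
    echo "not recoverable: enableSoftDelete is $soft"
    return 1
  fi
}

# Remediation step 01 for one vault; prints the two attributes afterwards.
remediate_vault() {
  az keyvault update --subscription "$1" --name "$2" \
    --enable-soft-delete true --enable-purge-protection true \
    --query 'properties.{enableSoftDelete:enableSoftDelete,enablePurgeProtection:enablePurgeProtection}' \
    -o json
}

# Audit steps 01 to 05 for one subscription. Key Vault names contain only
# letters, digits and hyphens, so word-splitting the tsv list is safe.
audit_subscription() {
  sub="$1"
  fix="$2"
  rc=0
  for vault in $(az keyvault list --subscription "$sub" --query '[*].name' -o tsv); do
    settings=$(az keyvault show --subscription "$sub" --name "$vault" \
      --query '[properties.enableSoftDelete, properties.enablePurgeProtection]' -o tsv)
    soft=$(printf '%s\n' "$settings" | cut -f1)
    purge=$(printf '%s\n' "$settings" | cut -f2)
    if reason=$(classify_vault "$soft" "$purge"); then
      echo "OK            $sub/$vault"
    else
      echo "NON-COMPLIANT $sub/$vault: $reason"
      rc=1
      [ "$fix" = yes ] && remediate_vault "$sub" "$vault"
    fi
  done
  return "$rc"
}

# Audit step 06 / Remediation step 04: every subscription in the account.
# Returns 1 if any vault was found non-compliant.
audit_all() {
  fix="${1:-no}"
  rc=0
  for sub in $(az account list --query '[*].id' -o tsv); do
    audit_subscription "$sub" "$fix" || rc=1
  done
  return "$rc"
}

# Usage: sh keyvault-recoverability.sh --audit   (report only)
#        sh keyvault-recoverability.sh --fix     (report and remediate)
case "${1:-}" in
  --audit) audit_all no ;;
  --fix)   audit_all yes ;;
esac
```

Run it with --audit first and review the NON-COMPLIANT lines before using --fix: enabling purge protection is irreversible once set, so confirm the listed vaults are indeed production vaults whose objects must never be purged. The non-zero exit status from audit_all makes the script usable as a scheduled check that fails when a vault drifts out of compliance.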

Publication date Sep 20, 2019