Key Vault's soft-delete feature enables recovery of deleted vaults and of objects such as keys, secrets, and certificates. When enabled, deleted resources are retained for 90 days and can be recovered during that time, essentially undoing the deletion.
Purge protection guards against malicious deletion by enforcing the retention period for soft-deleted key vaults: no one, not even insiders or Microsoft, can purge your key vaults during this period, so permanent data loss is prevented.
Private endpoint should be configured for Key Vault
Impact: Medium | Category: Security
APRL GUID: 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51
Description:
Azure Private Link lets you connect to Azure Key Vault securely and privately through a Private Endpoint in your VNet. The vault is reached over a private IP address, which removes its exposure to the public Internet.
Use separate key vaults per application per environment
Impact: High | Category: Governance
APRL GUID: e7091145-3642-bd41-bb58-66502e64d2cd
Description:
Key vaults are security boundaries for secret storage. Grouping the secrets of several applications or environments in one vault increases the blast radius of a security event, because a single compromised identity or vault could expose all of them.
Diagnostic logs in Key Vault should be enabled
Impact: Low | Category: Monitoring and Alerting
APRL GUID: 1dc0821d-4f14-7644-bab4-ba208ff5f7fa
Description:
Enable diagnostic logs, configure alerts, and meet your retention requirements so that access to Key Vault is monitored, including how often the vault is accessed and by which identities.
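The soft-delete/purge-protection, private-endpoint and diagnostic-log recommendations above can all be checked from a vault's ARM representation. The following audit function is an added example, not APRL's own code or query; it assumes the property names of the Microsoft.KeyVault/vaults and Microsoft.Insights/diagnosticSettings ARM schemas, and the sample resources are constructed (the "separate vault per application" recommendation is not checked, since it is not a vault property).

```python
# Added example, not APRL code. Property names follow the Microsoft.KeyVault/vaults and
# Microsoft.Insights/diagnosticSettings ARM schemas; the sample resources below are constructed.
from typing import Any

def audit_key_vault(vault: dict[str, Any], diag_settings: list[dict[str, Any]]) -> list[str]:
    """Return one finding per failed recommendation; an empty list means the vault passes."""
    p = vault.get("properties", {})
    findings: list[str] = []
    # Soft delete is what makes a deleted vault, key, secret or certificate recoverable at all.
    if not p.get("enableSoftDelete", False):
        findings.append("soft-delete disabled: deleted vaults and objects cannot be recovered")
    # Purge protection enforces the retention period; without it a soft-deleted vault can be purged early.
    if not p.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: soft-deleted data can be purged before retention ends")
    # Private Link: require an approved private endpoint AND public network access closed off;
    # an endpoint alone does not help if the public firewall still defaults to Allow.
    approved = any(
        c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
        for c in p.get("privateEndpointConnections", [])
    )
    public_open = (p.get("publicNetworkAccess", "Enabled") == "Enabled"
                   and p.get("networkAcls", {}).get("defaultAction", "Allow") == "Allow")
    if not approved or public_open:
        findings.append("no private endpoint or public access still open: vault exposed to the Internet")
    # Diagnostic settings are a separate resource; at least one must collect the AuditEvent
    # category (or the 'audit'/'allLogs' category group) to record who accessed the vault.
    audit_logged = any(
        log.get("enabled") and (log.get("category") == "AuditEvent"
                                or log.get("categoryGroup") in ("audit", "allLogs"))
        for ds in diag_settings for log in ds.get("properties", {}).get("logs", [])
    )
    if not audit_logged:
        findings.append("diagnostic logs disabled: AuditEvent is not being collected")
    return findings

# Constructed samples: the weak configuration each recommendation warns about, and the corrected one.
WEAK_VAULT = {"name": "kv-shared", "properties": {
    "enableSoftDelete": True, "enablePurgeProtection": False,
    "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"},
    "privateEndpointConnections": []}}
HARDENED_VAULT = {"name": "kv-orders-prod", "properties": {
    "enableSoftDelete": True, "enablePurgeProtection": True,
    "publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Deny"},
    "privateEndpointConnections": [{"properties": {
        "privateLinkServiceConnectionState": {"status": "Approved"}}}]}}
AUDIT_DIAG = [{"properties": {"logs": [{"category": "AuditEvent", "enabled": True}]}}]

if __name__ == "__main__":
    print("weak:", audit_key_vault(WEAK_VAULT, []))          # three findings
    print("hardened:", audit_key_vault(HARDENED_VAULT, AUDIT_DIAG))  # []
```

In practice the vault JSON comes from `az keyvault show` or Azure Resource Graph and the diagnostic settings from the vault's Microsoft.Insights/diagnosticSettings child resources.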