Azure Proactive Resiliency Library v2

vaults

Summary

Recommendation                                  | Impact | Category                | Automation Available | In Azure Advisor
Key vaults should have soft delete enabled      | High   | Disaster Recovery       | Yes                  | Yes
Key vaults should have purge protection enabled | Medium | Disaster Recovery       | Yes                  | Yes
Diagnostic logs in Key Vault should be enabled  | Low    | Monitoring and Alerting | No                   | Yes

Details


Key vaults should have soft delete enabled

Impact:  High Category:  Disaster Recovery

APRL GUID:  1cca00d2-d9ab-8e42-a788-5d40f49405cb

Description:

Key Vault's soft-delete feature lets you recover deleted vaults and the objects they hold (keys, secrets and certificates). When it is enabled, a deleted vault or object is not removed immediately but kept in a recoverable state for the vault's retention period, configurable between 7 and 90 days (90 by default), and can be recovered within that window, effectively undoing the deletion. Soft delete is on by default for new vaults and cannot be turned off once enabled; note that a soft-deleted vault keeps its name reserved until it is purged or its retention period expires.

Potential Benefits:

Enables recovery of deleted items

Learn More:
Azure Key Vault soft-delete overview

ARG Query:


// Azure Resource Graph Query
// This Resource Graph query will return all Key Vaults that do not have soft delete enabled.
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.enableSoftDelete) or properties.enableSoftDelete != "true"
| project recommendationId = "1cca00d2-d9ab-8e42-a788-5d40f49405cb", name, id, tags, param1 = "EnableSoftDelete: Disabled"



Key vaults should have purge protection enabled

Impact:  Medium Category:  Disaster Recovery

APRL GUID:  70fcfe6d-00e9-5544-a63a-fff42b9f2edb

Description:

Purge protection guards against malicious or accidental permanent deletion by enforcing the retention period on soft-deleted vaults and objects: while it is on, nobody can purge a soft-deleted vault, key, secret or certificate before the retention period ends, not even a privileged insider holding purge permission, so the data cannot be lost permanently during that window. Purge protection requires soft delete to be enabled first, and once turned on it cannot be turned off again.

Potential Benefits:

Protects against insider deletion, avoids permanent data loss

Learn More:
Azure Key Vault purge-protection overview

ARG Query:


// Azure Resource Graph Query
// This resource graph query will return all Key Vaults that do not have Purge Protection enabled.
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection != "true"
| project recommendationId = "70fcfe6d-00e9-5544-a63a-fff42b9f2edb", name, id, tags, param1 = "EnablePurgeProtection: Disabled"
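The soft-delete and purge-protection checks above read the same three vault properties, so here is one added example that covers both. It is not APRL code and not the Azure SDK: it evaluates, offline, the resource JSON that an `az graph query` or `az keyvault show` call returns (`properties.enableSoftDelete`, `properties.enablePurgeProtection`, `properties.softDeleteRetentionInDays`), emits the same recommendation ids as the two ARG queries, and builds the `Microsoft.KeyVault/vaults` properties patch that would remediate each finding. The `Finding` type, the `as_flag` helper and the sample vault rows are constructed for the example.

```python
"""Posture check for Key Vault soft delete and purge protection.

Added example, not part of the APRL page or the Azure SDK. Evaluates ARM/ARG-style vault
resource JSON and reports the APRL recommendation ids used on this page. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional

APRL_SOFT_DELETE = "1cca00d2-d9ab-8e42-a788-5d40f49405cb"
APRL_PURGE_PROTECTION = "70fcfe6d-00e9-5544-a63a-fff42b9f2edb"
MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 7, 90  # range the Key Vault API accepts


@dataclass(frozen=True)
class Finding:
    vault: str
    recommendation_id: Optional[str]  # None for an informational note without an APRL id
    detail: str
    remediation: dict                 # properties patch for Microsoft.KeyVault/vaults


def as_flag(value) -> bool:
    """ARM emits JSON booleans, but ARG/CLI output may surface them as the strings "true"/"false".
    A missing property means the feature is off, which is what isnull() covers in the ARG queries."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def assess_vault(resource: dict) -> list:
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties") or {}
    soft_delete = as_flag(props.get("enableSoftDelete"))
    purge_protection = as_flag(props.get("enablePurgeProtection"))
    retention = props.get("softDeleteRetentionInDays")
    findings = []

    if not soft_delete:
        findings.append(Finding(name, APRL_SOFT_DELETE, "EnableSoftDelete: Disabled",
                                {"enableSoftDelete": True,
                                 "softDeleteRetentionInDays": MAX_RETENTION_DAYS}))
    if not purge_protection:
        # Purge protection is only accepted when soft delete is on, so the patch carries both
        # when needed. Once enablePurgeProtection is true ARM will refuse to set it back to false.
        patch = {"enablePurgeProtection": True}
        if not soft_delete:
            patch["enableSoftDelete"] = True
        findings.append(Finding(name, APRL_PURGE_PROTECTION,
                                "EnablePurgeProtection: Disabled", patch))
    if soft_delete and retention is not None:
        try:
            days = int(retention)
        except (TypeError, ValueError):
            days = None
        if days is None or not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
            findings.append(Finding(name, None,
                                    f"softDeleteRetentionInDays: {retention!r} outside "
                                    f"{MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS}", {}))
        elif days < MAX_RETENTION_DAYS:
            # Informational: a shorter window means less time to notice and recover a deletion.
            findings.append(Finding(name, None,
                                    f"Recovery window is {days} days (maximum is "
                                    f"{MAX_RETENTION_DAYS})", {}))
    return findings


def assess_all(resources: list) -> list:
    return [f for r in resources for f in assess_vault(r)]


SAMPLE_VAULTS = [  # constructed ARG-style rows, not real resources
    {"name": "kv-legacy", "properties": {}},
    {"name": "kv-default", "properties": {"enableSoftDelete": True,
                                          "softDeleteRetentionInDays": 90}},
    {"name": "kv-strings", "properties": {"enableSoftDelete": "true",
                                          "enablePurgeProtection": "false",
                                          "softDeleteRetentionInDays": "7"}},
    {"name": "kv-hardened", "properties": {"enableSoftDelete": True,
                                           "enablePurgeProtection": True,
                                           "softDeleteRetentionInDays": 90}},
]

if __name__ == "__main__":
    for f in assess_all(SAMPLE_VAULTS):
        print(f.vault, f.recommendation_id or "info", f.detail, f.remediation)
```

To run it against real data, feed the `data` array of `az graph query -q "resources | where type == 'microsoft.keyvault/vaults'"` into `assess_all`; the remediation dict for each finding is the body of a `properties` patch on the vault resource.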



Diagnostic logs in Key Vault should be enabled

Impact:  Low Category:  Monitoring and Alerting

APRL GUID:  1dc0821d-4f14-7644-bab4-ba208ff5f7fa

Description:

Enable Key Vault diagnostic logging (the AuditEvent category), route it to a Log Analytics workspace, storage account or event hub, set up alerts on it, and retain it for as long as your requirements demand. The audit log records every data-plane request to the vault: which identity called, from which IP address, which operation was performed on which key, secret or certificate, and whether it succeeded, so you can see how often and by whom your vault is accessed and investigate misuse.

Potential Benefits:

Enhanced monitoring and security compliance

Learn More:
Azure Key Vault logging overview

ARG Query:


// cannot-be-validated-with-arg
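Once the AuditEvent category is flowing, the logs only help if something reads them. The following is an added example, not part of the APRL page or any Microsoft tooling: simple detection logic over Key Vault audit records in the JSON layout the diagnostic export produces (`time`, `operationName`, `resultSignature`, `callerIpAddress`, `identity.claim`, `properties.id`). It flags denied requests, successful delete/purge operations, and one caller reading many distinct secrets in a short window. The records, caller names, IP addresses, the `svc-backup-app-id` identifier and the window/threshold values are constructed sample data and assumptions for the example.

```python
"""Detection over Azure Key Vault AuditEvent records.

Added example, not from the APRL page or Microsoft. Record layout follows the Key Vault
diagnostic export; all records below are constructed sample data, not real logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Claim keys Key Vault writes under identity.claim for Entra ID callers.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

DESTRUCTIVE_OPS = {"SecretDelete", "SecretPurge", "KeyDelete", "KeyPurge",
                   "CertificateDelete", "CertificatePurge", "VaultDelete", "VaultPurge"}
BULK_READ_WINDOW = timedelta(minutes=5)  # assumption: tune per environment
BULK_READ_THRESHOLD = 10                 # distinct secrets one caller may read per window


def load_records(text: str) -> list:
    """The diagnostic export wraps entries in {"records": [...]}; a bare list is accepted too."""
    data = json.loads(text)
    return data.get("records", []) if isinstance(data, dict) else data


def caller(record: dict) -> str:
    """Identify the caller: UPN, else object id, else app id, else the source IP."""
    claims = (record.get("identity") or {}).get("claim") or {}
    return (claims.get(UPN_CLAIM) or claims.get(OID_CLAIM)
            or claims.get("appid") or record.get("callerIpAddress", "unknown"))


def parse_time(ts: str) -> datetime:
    """Key Vault timestamps carry 7 fractional digits; fromisoformat accepts at most 6."""
    head, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{head}.{frac[:6]}" if frac else head)


def detect(records: list) -> list:
    alerts = []
    reads = defaultdict(list)  # caller -> [(time, secret id)] inside the sliding window
    for r in sorted(records, key=lambda x: parse_time(x["time"])):
        if r.get("category") != "AuditEvent":
            continue
        op, sig, who = r.get("operationName"), r.get("resultSignature"), caller(r)
        ip, target = r.get("callerIpAddress"), (r.get("properties") or {}).get("id", "")
        base = {"caller": who, "ip": ip, "op": op, "target": target, "time": r["time"]}
        if sig in ("Forbidden", "Unauthorized"):
            alerts.append({"rule": "denied-access", **base})
        if op in DESTRUCTIVE_OPS and sig == "OK":
            alerts.append({"rule": "destructive-op", **base})
        if op == "SecretGet" and sig == "OK":
            now = parse_time(r["time"])
            window = [(t, sid) for t, sid in reads[who] if now - t <= BULK_READ_WINDOW]
            window.append((now, target))
            reads[who] = window
            distinct = len({sid for _, sid in window})
            if distinct == BULK_READ_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"rule": "bulk-secret-read", "count": distinct, **base})
    return alerts


def _record(t: datetime, op: str, sig: str, *, upn=None, appid=None,
            ip="203.0.113.10", target="") -> dict:
    """Build one constructed AuditEvent record in the export layout."""
    claims = {}
    if upn:
        claims[UPN_CLAIM] = upn
    if appid:
        claims["appid"] = appid
    return {"time": t.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z",
            "category": "AuditEvent", "operationName": op, "resultSignature": sig,
            "callerIpAddress": ip, "identity": {"claim": claims},
            "properties": {"id": target}}


_T0 = datetime(2024, 5, 1, 9, 0, 0)
_VAULT = "https://kv-example.vault.azure.net"
SAMPLE_RECORDS = [  # constructed, not real logs
    _record(_T0, "VaultGet", "OK", upn="alice@contoso.example", target=_VAULT + "/"),
    _record(_T0 + timedelta(seconds=30), "SecretGet", "Forbidden", upn="bob@contoso.example",
            ip="198.51.100.7", target=f"{_VAULT}/secrets/db-password"),
    *[_record(_T0 + timedelta(minutes=1, seconds=10 * i), "SecretGet", "OK",
              appid="svc-backup-app-id", ip="203.0.113.44",
              target=f"{_VAULT}/secrets/secret-{i}") for i in range(12)],
    _record(_T0 + timedelta(minutes=5), "SecretDelete", "OK", upn="alice@contoso.example",
            target=f"{_VAULT}/secrets/old-token"),
    # A purge blocked by purge protection surfaces as a denied request.
    _record(_T0 + timedelta(minutes=5, seconds=30), "VaultPurge", "Forbidden",
            upn="alice@contoso.example", target=_VAULT + "/"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(a["time"], a["rule"], a["caller"], a["op"], a["target"])
```

The same three rules translate directly to a Log Analytics query over `AzureDiagnostics` where `ResourceProvider == "MICROSOFT.KEYVAULT"` and `Category == "AuditEvent"`, with `OperationName`, `ResultSignature` and `CallerIPAddress` as the equivalent columns; the Python form is here so the logic can be exercised offline on constructed records.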