Azure Proactive Resiliency Library v2

vaults

Summary

Recommendation                                               | Impact | Category                | Automation Available | PG Verified
Key vaults should have soft delete enabled                   | High   | Disaster Recovery       | Yes                  | Preview
Key vaults should have purge protection enabled              | Medium | Disaster Recovery       | Yes                  | Preview
Private endpoint should be configured for Key Vault          | Medium | Security                | Yes                  | Preview
Use separate key vaults per application per environment      | High   | Governance              | No                   | Preview
Diagnostic logs in Key Vault should be enabled               | Low    | Monitoring and Alerting | No                   | Preview

Details


Key vaults should have soft delete enabled

Impact: High | Category: Disaster Recovery | PG Verified: Preview

APRL GUID:  1cca00d2-d9ab-8e42-a788-5d40f49405cb

Description:

Key Vault's soft-delete feature enables recovery of deleted vaults and of objects such as keys, secrets, and certificates. When enabled, soft-deleted resources are retained for 90 days, during which they can be recovered, effectively undoing the deletion.

Potential Benefits:

Enables recovery of deleted items

Learn More:

Azure Key Vault soft-delete overview

ARG Query:


// Azure Resource Graph Query
// This Resource Graph query will return all Key Vaults that do not have soft delete enabled.
// tobool() normalises the property whether ARG surfaces it as a JSON boolean or as the string "true",
// so a vault with soft delete on is never reported as disabled because of a type mismatch.
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.enableSoftDelete) or tobool(properties.enableSoftDelete) != true
| project recommendationId = "1cca00d2-d9ab-8e42-a788-5d40f49405cb", name, id, tags, param1 = "EnableSoftDelete: Disabled"



Key vaults should have purge protection enabled

Impact: Medium | Category: Disaster Recovery | PG Verified: Preview

APRL GUID:  70fcfe6d-00e9-5544-a63a-fff42b9f2edb

Description:

Purge protection guards against malicious or accidental deletion by enforcing a mandatory retention period for soft-deleted key vaults. During that period no one, not even an insider or Microsoft, can purge the vault, so the data cannot be permanently lost.

Potential Benefits:

Protects from insider attacks, avoids data loss

Learn More:

Azure Key Vault purge-protection overview

ARG Query:


// Azure Resource Graph Query
// This Resource Graph query will return all Key Vaults that do not have Purge Protection enabled.
// tobool() normalises the property whether ARG surfaces it as a JSON boolean or as the string "true".
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.enablePurgeProtection) or tobool(properties.enablePurgeProtection) != true
| project recommendationId = "70fcfe6d-00e9-5544-a63a-fff42b9f2edb", name, id, tags, param1 = "EnablePurgeProtection: Disabled"



Private endpoint should be configured for Key Vault

Impact: Medium | Category: Security | PG Verified: Preview

APRL GUID:  00c3d2b0-ea6e-4c4b-89be-b78a35caeb51

Description:

Azure Private Link Service lets you securely and privately connect to Azure Key Vault via a Private Endpoint in your VNet, using a private IP and eliminating public Internet exposure.

Potential Benefits:

Secure Key Vault with Private Link

Learn More:

Azure Key Vault Private Link Service overview

ARG Query:


// Azure Resource Graph Query
// This Resource Graph query will return all Key Vaults that do not have a Private Endpoint connection,
// whose first private endpoint connection is not in the Succeeded state, or where no network ACLs are
// configured and public network access is still enabled.
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.privateEndpointConnections)
    or properties.privateEndpointConnections[0].properties.provisioningState != "Succeeded"
    or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')
// param1: name of the private endpoint (segment 8 of its resource id), or a marker when none exists
| extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections), split(properties.privateEndpointConnections[0].properties.privateEndpoint.id, '/')[8], 'No Private Endpoint'))
// param2: how the vault is reachable from public networks
| extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place', 'Public Access Enabled')))
| project recommendationId = "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51", name, id, tags, param1, param2
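The three checks above can also be applied offline to exported Resource Graph results, for instance to a JSON dump kept for audit. The following is an added example, not APRL code: it mirrors the soft-delete, purge-protection and private-endpoint predicates (including the string-versus-boolean edge case for the flags) over two constructed sample vault records; the recommendation GUIDs are the ones listed above, everything else is assumed.

```python
"""Offline evaluator mirroring the three APRL Key Vault ARG queries (added example, not APRL code)."""

# Recommendation GUIDs come from the page; SAMPLE_VAULTS is a constructed stand-in for ARG output.
SOFT_DELETE_ID = "1cca00d2-d9ab-8e42-a788-5d40f49405cb"
PURGE_PROTECTION_ID = "70fcfe6d-00e9-5544-a63a-fff42b9f2edb"
PRIVATE_ENDPOINT_ID = "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51"

PE_ID = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/privateEndpoints/pe-kv-prod"
SAMPLE_VAULTS = [
    {"name": "kv-app-prod", "properties": {
        "enableSoftDelete": True, "enablePurgeProtection": True, "publicNetworkAccess": "Disabled",
        "privateEndpointConnections": [{"properties": {
            "provisioningState": "Succeeded", "privateEndpoint": {"id": PE_ID}}}]}},
    # string-typed flag, no purge protection, no private endpoint, public access on
    {"name": "kv-legacy", "properties": {"enableSoftDelete": "true", "publicNetworkAccess": "Enabled"}},
]

def _is_true(value):
    """ARG may surface booleans as JSON true or as the string 'true'; accept both as enabled."""
    return value is True or (isinstance(value, str) and value.lower() == "true")

def evaluate_vault(vault):
    """Return (recommendationId, param1, param2) findings for one vault record."""
    props = vault.get("properties") or {}
    findings = []
    if not _is_true(props.get("enableSoftDelete")):
        findings.append((SOFT_DELETE_ID, "EnableSoftDelete: Disabled", ""))
    if not _is_true(props.get("enablePurgeProtection")):
        findings.append((PURGE_PROTECTION_ID, "EnablePurgeProtection: Disabled", ""))
    pecs = props.get("privateEndpointConnections") or []  # empty list is treated as "no endpoint"
    first = pecs[0].get("properties", {}) if pecs else {}
    acls, public = props.get("networkAcls"), props.get("publicNetworkAccess")
    # Same predicate as the ARG query: no PE, PE not provisioned, or no ACLs while public access is on.
    if not pecs or first.get("provisioningState") != "Succeeded" or (acls is None and public == "Enabled"):
        pe_id = first.get("privateEndpoint", {}).get("id", "")
        pe_name = pe_id.split("/")[8] if pe_id.count("/") >= 8 else "No Private Endpoint"  # split('/')[8]
        if public == "Disabled":
            access = "Public Access Disabled"
        elif acls is not None:
            access = "NetworkACLs in place"
        else:
            access = "Public Access Enabled"
        findings.append((PRIVATE_ENDPOINT_ID, f"Private Endpoint: {pe_name}", f"Access: {access}"))
    return findings

def evaluate_all(vaults):
    """Flatten findings into rows shaped like the ARG projections: (name, recommendationId, param1, param2)."""
    return [(v["name"], rid, p1, p2) for v in vaults for rid, p1, p2 in evaluate_vault(v)]

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_VAULTS):
        print(row)
```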



Use separate key vaults per application per environment

Impact: High | Category: Governance | PG Verified: Preview

APRL GUID:  e7091145-3642-bd41-bb58-66502e64d2cd

Description:

Key vaults are security boundaries for secret storage. Grouping the secrets of several applications or environments in one vault increases the blast radius of a security event, because compromising that single vault exposes every secret it holds.

Potential Benefits:

Enhanced security, reduced risk

Learn More:

Azure Key Vault best practices overview

ARG Query:


// under-development



Diagnostic logs in Key Vault should be enabled

Impact: Low | Category: Monitoring and Alerting | PG Verified: Preview

APRL GUID:  1dc0821d-4f14-7644-bab4-ba208ff5f7fa

Description:

Enable diagnostic logs, configure alerts, and meet your retention requirements to improve monitoring and security of Key Vault access; the logs record how often the vault is accessed and by which identities.

Potential Benefits:

Enhanced monitoring and security compliance

Learn More:

Azure Key Vault logging overview

ARG Query:


// cannot-be-validated-with-arg