vaults
Summary
Details
Key vaults should have soft delete enabled
Impact: High Category: Disaster Recovery
APRL GUID: 1cca00d2-d9ab-8e42-a788-5d40f49405cb
Description:
Key Vault's soft-delete feature enables recovery of deleted vaults and objects like keys, secrets, and certificates. When enabled, marked resources are retained for 90 days, allowing for their recovery, essentially undoing deletion.
Potential Benefits:
Enables recovery of deleted items
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This Resource Graph query will return all Key Vaults that do not have soft delete enabled.
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.enableSoftDelete) or properties.enableSoftDelete != "true"
| project recommendationId = "1cca00d2-d9ab-8e42-a788-5d40f49405cb", name, id, tags, param1 = "EnableSoftDelete: Disabled"
Key vaults should have purge protection enabled
Impact: Medium Category: Disaster Recovery
APRL GUID: 70fcfe6d-00e9-5544-a63a-fff42b9f2edb
Description:
Purge protection secures against malicious deletions by enforcing a retention period for soft deleted key vaults, ensuring no one, not even insiders or Microsoft, can purge your key vaults during this period, preventing permanent data loss.
Potential Benefits:
Protects from insider attacks, avoids data loss
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This resource graph query will return all Key Vaults that do not have Purge Protection enabled.
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection != "true"
| project recommendationId = "70fcfe6d-00e9-5544-a63a-fff42b9f2edb", name, id, tags, param1 = "EnablePurgeProtection: Disabled"
Private endpoint should be configured for Key Vault
Impact: Medium Category: Security
APRL GUID: 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51
Description:
Azure Private Link Service lets you securely and privately connect to Azure Key Vault via a Private Endpoint in your VNet, using a private IP and eliminating public Internet exposure.
Potential Benefits:
Secure Key Vault with Private Link
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This resource graph query will return all Key Vaults that does not have a Private Endpoint Connection or where a private endpoint exists but public access is enabled
resources
| where type == "microsoft.keyvault/vaults"
| where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ("Succeeded") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')
| extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))
| extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))
| project recommendationId = "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51", name, id, tags, param1, param2
Use separate key vaults per application per environment
Impact: High Category: Governance
APRL GUID: e7091145-3642-bd41-bb58-66502e64d2cd
Description:
Key vaults are security boundaries for secret storage. Grouping secrets together increases risk during a security event, as attacks could access multiple secrets.
Potential Benefits:
Enhanced security, Reduced risk
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Diagnostic logs in Key Vault should be enabled
Impact: Low Category: Monitoring and Alerting
APRL GUID: 1dc0821d-4f14-7644-bab4-ba208ff5f7fa
Description:
Enable logs, set up alerts, and adhere to retention requirements for improved monitoring and security of Key Vault access, detailing the frequency and identity of users.
Potential Benefits:
Enhanced monitoring and security compliance
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// cannot-be-validated-with-arg