Use Key Vault Purge Protection

Reliability · Key Vault · Rule · 2020_06 · Important

Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.

Description

Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/ or vault items immediately, and is irreversible.

When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items will be recoverable until the configured retention period. By default, the retention period is 90 days.

Purge protection is not enabled by default.

Recommendation

Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.

Examples

Configure with Azure template

To deploy Key Vaults that pass this rule:

• Set the properties.enablePurgeProtection property to true.

For example:

Azure Template snippet

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}

Configure with Bicep

To deploy Key Vaults that pass this rule:

• Set the properties.enablePurgeProtection property to true.

For example:

Azure Bicep snippet

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/key-vault/vault:<version>

To use the latest version:

br/public:avm/res/key-vault/vault:0.9.0

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure CLI

Azure CLI snippet

az keyvault update -n '<name>' -g '<resource_group>' --enable-purge-protection

Configure with Azure PowerShell

Azure PowerShell snippet

Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnablePurgeProtection

Configure with Azure Policy

To address this issue at runtime use the following policies:

• Key vaults should have deletion protection enabled /providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53.

Links

• RE:07 Self-preservation
• Azure Key Vault soft-delete overview
• Azure Key Vault security
• Azure deployment reference

Comments