Skip to content

Use Key Vault Purge Protection#

Reliability · Key Vault · Rule · 2020_06

Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.

Description#

Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/ or vault items immediately, and is irreversible.

When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items will be recoverable until the configured retention period. By default, the retention period is 90 days.

Purge protection is not enabled by default.

Recommendation#

Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.

Examples#

Configure with Azure template#

To deploy Key Vaults that pass this rule:

  • Set the properties.enablePurgeProtection property to true.

For example:

Azure Template snippet
{
    "type": "Microsoft.KeyVault/vaults",
    "apiVersion": "2021-10-01",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "properties": {
        "sku": {
            "family": "A",
            "name": "premium"
        },
        "tenantId": "[subscription().tenantId]",
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": true
    }
}

Configure with Bicep#

To deploy Key Vaults that pass this rule:

  • Set the properties.enablePurgeProtection property to true.

For example:

Azure Bicep snippet
resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: subscription().tenantId
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
  }
}

Configure with Azure CLI#

Azure CLI snippet
az keyvault update -n '<name>' -g '<resource_group>' --enable-purge-protection

Last update: 2023-02-18

Comments