Use Key Vault Soft Delete
Reliability · Key Vault · Rule · 2020_06 · Important
Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.
Description
Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.
By default, new Key Vaults created through the portal will have soft delete for 90 days configured.
Once enabled, soft delete cannot be disabled. While soft delete is enabled, soft deleted vaults and vault items can still be purged (permanently deleted) before the retention period expires.
Recommendation
Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.
Examples
Configure with Azure template
To deploy Key Vaults that pass this rule:
- Set the properties.enableSoftDelete property to true.
For example:
```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
```
Configure with Bicep
To deploy Key Vaults that pass this rule:
- Set the properties.enableSoftDelete property to true.
For example:
```bicep
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
```
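The template and Bicep examples above both set enableSoftDelete explicitly. The following added example (not part of the PSRule project or this page) shows the same check applied to an ARM template before deployment: it walks the template's resources, evaluates every Microsoft.KeyVault/vaults resource against the rule, and reports vaults that leave soft delete unset or disabled. The sample template is constructed for the example; the 7 to 90 day retention range is the platform's accepted range and is checked only when the value is a literal number.

```python
import json

# Constructed sample ARM template (not from the page): one vault that passes,
# one that explicitly disables soft delete, one with an out-of-range retention,
# and a non-vault resource the checker must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-ok",
     "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90}},
    {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-disabled",
     "properties": {"enableSoftDelete": false}},
    {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-short",
     "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 3}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
     "name": "stignored", "properties": {}}
  ]
}
""")

def check_soft_delete(template):
    """Return (name, verdict, reason) for every Key Vault resource in an ARM template."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue  # the rule only targets Key Vault resources
        props = res.get("properties") or {}
        name = res.get("name")
        enabled = props.get("enableSoftDelete")
        retention = props.get("softDeleteRetentionInDays")
        # The rule wants the property set explicitly: a missing value still fails,
        # even though the platform now enables soft delete for new vaults by default.
        if enabled is not True:
            findings.append((name, "fail", "enableSoftDelete is not set to true"))
        # Azure accepts a retention of 7 to 90 days. Template expressions such as
        # "[parameters('days')]" are strings and are left unevaluated here.
        elif isinstance(retention, int) and not 7 <= retention <= 90:
            findings.append((name, "fail", f"softDeleteRetentionInDays {retention} is outside 7-90"))
        else:
            findings.append((name, "pass", "soft delete enabled"))
    return findings

if __name__ == "__main__":
    for name, verdict, reason in check_soft_delete(SAMPLE_TEMPLATE):
        print(f"{verdict.upper():4} {name}: {reason}")
```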
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure CLI
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Key vaults should have soft delete enabled: /providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
Links
- RE:07 Self-preservation
- Azure Key Vault soft-delete overview
- Soft-delete will be enabled on all key vaults
- Azure Key Vault security
- Azure deployment reference