Use Key Vault Soft Delete

Reliability · Key Vault · Rule · 2020_06 · Important

Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.

Description

Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.

By default, new Key Vaults created through the portal have soft delete configured with a 90-day retention period.

Once enabled, soft delete cannot be disabled. While soft delete is enabled, soft deleted vaults and vault items can still be purged.

Recommendation

Consider enabling soft delete on Key Vaults so that deleted vaults and vault items can be recovered.

Examples

Configure with Azure template

To deploy Key Vaults that pass this rule:

  • Set the properties.enableSoftDelete property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
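
The following is an added example, not this rule's own implementation: a pre-deployment check that walks an ARM template (including child resources and nested deployment templates) and reports the state of `properties.enableSoftDelete` for each Key Vault. The function names, status labels, the choice to report an omitted property as `not-set`, and the sample template are assumptions made for illustration.

```python
import json

VAULT_TYPE = "Microsoft.KeyVault/vaults"

def iter_resources(resources):
    """Yield each resource, including child resources and nested deployment templates."""
    if isinstance(resources, dict):          # languageVersion 2.0 uses a symbolic-name map
        resources = list(resources.values())
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        props = res.get("properties")
        if isinstance(props, dict) and isinstance(props.get("template"), dict):
            yield from iter_resources(props["template"].get("resources"))

def check_soft_delete(template_text):
    """Return {vault name: status} for every Key Vault found in the template."""
    results = {}
    for res in iter_resources(json.loads(template_text).get("resources")):
        if str(res.get("type", "")).lower() != VAULT_TYPE.lower():
            continue                         # resource types are case-insensitive
        props = res.get("properties")
        value = props.get("enableSoftDelete") if isinstance(props, dict) else None
        if value is True:
            status = "pass"
        elif value is False:
            status = "fail"
        elif isinstance(value, str) and value.startswith("[") and value.endswith("]"):
            status = "unresolved"   # template expression; needs the parameter value
        else:
            status = "not-set"      # assumption: report omission instead of trusting defaults
        results[res.get("name")] = status
    return results

# Constructed sample template, trimmed to the fields the check reads.
SAMPLE = json.dumps({"resources": [
    {"type": VAULT_TYPE, "name": "kv-ok", "properties": {"enableSoftDelete": True}},
    {"type": VAULT_TYPE, "name": "kv-off", "properties": {"enableSoftDelete": False}},
    {"type": VAULT_TYPE, "name": "kv-param",
     "properties": {"enableSoftDelete": "[parameters('softDelete')]"}},
    {"type": "Microsoft.Resources/deployments", "name": "nested", "properties": {"template": {
        "resources": [{"type": VAULT_TYPE, "name": "kv-nested", "properties": {}}]}}},
]})

if __name__ == "__main__":
    for name, status in check_soft_delete(SAMPLE).items():
        print(f"{name}: {status}")
```

A vault reported as `unresolved` has to be re-checked against the parameter file used for the deployment, since the template alone does not determine the value.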

Configure with Bicep

To deploy Key Vaults that pass this rule:

  • Set the properties.enableSoftDelete property to true.

For example:

Azure Bicep snippet
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/key-vault/vault:<version>

To use the latest version:

br/public:avm/res/key-vault/vault:0.9.0

Configure with Azure CLI

Azure CLI snippet
az keyvault update -n '<name>' -g '<resource_group>' --retention-days 90

Configure with Azure Policy

To address this issue at runtime, use the following policies: