Ensure the Key Vault is Recoverable

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.

Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.15
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


KeyVault should have enableSoftDelete=true and enablePurgeProtection=true


From Portal

  1. Sign in to the Azure portal.
  2. Search for your key vault.
  3. Select Properties under Settings.
  4. Under Soft-Delete, Set the retention period for soft-delete.
  5. Enable Purge protection.
  6. Select Save.

From TF
Set the 'soft_delete_enabled' and 'purge_protection_enabled' argument to true and 'soft_delete_retention_days' as below:

resource "azurerm_key_vault" "example" {
	soft_delete_enabled  = true
	soft_delete_retention_days = 7
	purge_protection_enabled    = true

From Command Line
All new key vaults have soft delete enabled by default. If you currently have a key vault that does not have soft delete enabled, use the following command to enable soft delete.

az keyvault update --subscription SUBSCRIPTIONID --resource-group RESOURCEGROUP --name KEYVAULTNAME --enable-soft-delete true --enable-purge-protection true


  1. https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-change#turn-on-soft-delete-for-an-existing-key-vault
  2. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn���t see or extract your keys. Monitor and audit your key use with Azure logging���pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset