Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.22
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have enablePurgeProtection=true

REMEDIATION

From Portal

Go to 'Key vaults' and choose your Key Vault
Select 'Properties' under 'Settings'
Under Soft-delete, select 'Enable recovery of this vault and its objects'
Under Purge protection, select 'Enable purge protection of this vault and its objects during retention period'
Click on Save.

From TF
Set the 'purge_protection_enabled' argument to true:

resource "azurerm_key_vault" "example" {
	..
	purge_protection_enabled  = true
	..
}

From Command Line
Run

az keyvault update --name KEYVAULTNAME --enable-purge-protection true

References

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract your keys. Monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.3.1
Azure CloudGuard Best Practices
Azure HITRUST v9.5.0
Azure ITSG-33
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset
Microsoft Cloud Security Benchmark