Key vault should have purge protection enabled

Malicious or accidental deletion of a key vault can lead to permanent loss of the keys, secrets and certificates it holds, and of any data encrypted with those keys. A malicious insider with sufficient permissions may be able to delete a key vault and then purge it, destroying it before anyone can recover it. Purge protection defends against this by enforcing a mandatory retention period for soft-deleted key vaults and their objects: no one inside your organization, and no one at Microsoft, can purge the vault during the soft-delete retention period (configurable between 7 and 90 days; 90 by default). Note that once purge protection is turned on it cannot be turned off again, and a soft-deleted vault keeps its globally unique name reserved until it is recovered or the retention period expires.

Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.22
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have enablePurgeProtection=true

REMEDIATION

From Portal

  1. Go to 'Key vaults' and choose your Key Vault
  2. Select 'Properties' under 'Settings'
  3. Under Soft-delete, select 'Enable recovery of this vault and its objects'
  4. Under Purge protection, select 'Enable purge protection of this vault and its objects during retention period'
  5. Click on Save.

From TF
Set the 'purge_protection_enabled' argument to true. Once the change is applied, Azure will not allow the setting to be reverted, so a later change back to false in Terraform will fail on apply:

resource "azurerm_key_vault" "example" {
  ..
  purge_protection_enabled = true
  ..
}

From Command Line
Run

az keyvault update --name KEYVAULTNAME --enable-purge-protection true
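The GSL logic above and the command-line remediation, as an added example that is not part of the CloudGuard page or its rule engine: a small Python checker that evaluates 'enablePurgeProtection=true' over vault JSON in the shape that 'az keyvault show' returns, treating a null or absent property as non-compliant (the API has no explicit false state), and emits the same 'az keyvault update' command for each failing vault. The three vault records are constructed sample data, and the assumption that the 'properties' block carries the same field names as the CLI output is labelled in the code.

```python
"""Evaluate the CloudGuard rule 'KeyVault should have enablePurgeProtection=true'.

Added example, not CloudGuard's own code. Input is a JSON array (or a single
object) in the shape of `az keyvault show -o json`; the field names under
`properties` below are assumed to match that CLI output.
"""
import json
import sys

# Constructed sample data: three vaults as `az keyvault show` would describe them.
SAMPLE_VAULTS_JSON = json.dumps([
    {
        "name": "kv-prod-secrets",
        "resourceGroup": "rg-prod",
        "properties": {
            "enableSoftDelete": True,
            "enablePurgeProtection": True,
            "softDeleteRetentionInDays": 90,
        },
    },
    {
        # Typical non-compliant vault: soft-delete is on, purge protection was
        # never set, so the CLI reports null rather than false.
        "name": "kv-dev-legacy",
        "resourceGroup": "rg-dev",
        "properties": {
            "enableSoftDelete": True,
            "enablePurgeProtection": None,
            "softDeleteRetentionInDays": 7,
        },
    },
    {
        # Older vault: the property is missing from the response entirely.
        "name": "kv-old",
        "resourceGroup": "rg-old",
        "properties": {"enableSoftDelete": True},
    },
])


def purge_protection_enabled(vault: dict) -> bool:
    """The GSL check: compliant only when enablePurgeProtection is literally true.
    Null, absent, or a string such as "true" all count as not enabled."""
    return vault.get("properties", {}).get("enablePurgeProtection") is True


def remediation_command(vault_name: str) -> str:
    """Same command as the page's 'From Command Line' remediation.
    Irreversible once applied: purge protection cannot be disabled afterwards."""
    return f"az keyvault update --name {vault_name} --enable-purge-protection true"


def evaluate(vaults_json: str) -> list:
    """Return one finding per vault with the compliance verdict and, if it
    fails, the exact remediation command to run."""
    data = json.loads(vaults_json)
    vaults = data if isinstance(data, list) else [data]
    findings = []
    for vault in vaults:
        compliant = purge_protection_enabled(vault)
        props = vault.get("properties", {})
        findings.append({
            "name": vault["name"],
            "resourceGroup": vault.get("resourceGroup"),
            "compliant": compliant,
            "retentionDays": props.get("softDeleteRetentionInDays"),
            "remediation": None if compliant else remediation_command(vault["name"]),
        })
    return findings


if __name__ == "__main__":
    # Use piped CLI output when present, otherwise the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VAULTS_JSON
    for f in evaluate(raw):
        status = "PASS" if f["compliant"] else "FAIL"
        line = f"{status} {f['name']} (rg={f['resourceGroup']}, retention={f['retentionDays']}d)"
        if f["remediation"]:
            line += f"\n     remediate: {f['remediation']}"
        print(line)
```

Run it against a real vault with `az keyvault show --name KEYVAULTNAME -o json | python3 check_purge_protection.py` (the script name is an assumption). The strict `is True` comparison is deliberate: a vault that has never had the setting applied returns null, and a loose truthiness test on a string value would produce a false pass.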

References

  1. https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest#az-keyvault-update
  2. https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn't see or extract your keys. Monitor and audit your key use with Azure logging: pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark