Trend Micro Cloud One™

Enable Key Vault Recoverability

Risk level: High (not acceptable risk)
Rule ID: KeyVault-001

Ensure that production Azure Key Vaults are recoverable, so that the encryption keys, secrets and certificates stored in them cannot be permanently deleted (purged). To make an Azure Key Vault instance recoverable, you need to enable both the "Soft Delete" and the "Do Not Purge" features:

"Soft Delete", implemented by the enableSoftDelete parameter, ensures that even if the Key Vault is deleted, the vault itself and its objects (keys, secrets, certificates) remain recoverable for the next 90 days. During that 90-day window the vault and its objects can either be recovered or purged (deleted permanently). If no action is taken, the Azure Key Vault and all its objects are purged once the 90 days have elapsed.

The "Do Not Purge" feature, implemented by the enablePurgeProtection parameter, ensures that a soft-deleted Azure Key Vault and its objects cannot be purged at all, which prevents users from purging Key Vault resources by accident. It complements "Soft Delete", which on its own only guarantees that the Key Vault is not deleted permanently right away and stays recoverable for 90 days from the date of deletion.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Deleting or purging a Key Vault instance can cause immediate data loss: the keys that encrypt your data, and the secrets or certificates that grant access to resources and applications, become inaccessible. Storage accounts, SQL databases and any other cloud resources or services that depend on Key Vault objects (encryption keys, secrets, certificates) are affected, whether the deletion is an accident by a negligent user or a disruptive action by a malicious one. To prevent this loss, Cloud Conformity strongly recommends making production Key Vaults recoverable by enabling both the "Soft Delete" and the "Do Not Purge" features.

Audit

To determine if your Microsoft Azure Key Vault instances are recoverable, perform the following actions:

Note: Checking your Azure Key Vaults for recoverability using Azure Management Console (Portal) is not currently supported.

Using Azure CLI

01 Run the keyvault list command (Windows/macOS/Linux) with a custom query filter to list the names of all Key Vault instances provisioned in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Microsoft Azure resource identifiers (names):

[
  "cc-main-production-vault",
  "cc-project5-app-vault",
  "cc-user-access-vault"
]

03 Run the keyvault show command (Windows/macOS/Linux), passing the name of the Azure Key Vault instance that you want to examine as the identifier parameter, with a custom query filter that returns the configuration status of both the "Soft Delete" and the "Do Not Purge" features for the selected vault:

az keyvault show \
	--name cc-main-production-vault \
	--query 'properties.{"enableSoftDelete":enableSoftDelete,"enablePurgeProtection":enablePurgeProtection}'

04 The command output should return the configuration metadata for the requested features:

{
  "enablePurgeProtection": null,
  "enableSoftDelete": null
}

If the keyvault show command returns null for both the "enablePurgeProtection" and the "enableSoftDelete" configuration attributes, as in the example above, the verified Microsoft Azure Key Vault instance and its objects are not recoverable.

05 Repeat steps no. 3 and 4 for each production Azure Key Vault provisioned within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To make your production Key Vault instances and their objects (encryption keys, secrets and certificates) recoverable, you must enable both the "Do Not Purge" and the "Soft Delete" features. To activate them, perform the following actions:

Note: Reconfiguring your existing Azure Key Vaults for recoverability using Azure Management Console (Portal) is not currently supported.

Using Azure CLI

01 Run the keyvault update command (Windows/macOS/Linux), passing the name of the production Key Vault instance that you want to reconfigure as the identifier parameter (see the Audit section to identify the right vault), to make the selected vault and its objects recoverable by enabling both the "Soft Delete" and the "Do Not Purge" features:

az keyvault update \
	--name cc-main-production-vault \
	--enable-soft-delete true \
	--enable-purge-protection true

02 The command output should return the metadata for the reconfigured Microsoft Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-production-vault",
  "location": "westeurope",
  "name": "cc-main-production-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ],
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "storage": null
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-main-production-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Repeat steps no. 1 and 2 for each Azure Key Vault used in production and provisioned within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
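The Audit steps (list vaults, inspect enableSoftDelete and enablePurgeProtection) and the Remediation step above, combined into one check, as an added example that is not part of the Cloud Conformity page: it evaluates the vault descriptions that az keyvault show returns and emits the page's remediation command for every vault that fails. The vault descriptions below are constructed sample data shaped like the show output, trimmed to the fields the rule needs.

```python
"""Assess Azure Key Vault recoverability (Soft Delete + Do Not Purge) from
`az keyvault show` JSON and build the remediation command for failing vaults."""
import json
from typing import List

# Constructed sample data mirroring the vault names on the page; in practice feed
# `az keyvault show --name <vault> -o json` for each name returned by
# `az keyvault list --query '[*].name' -o tsv` into assess_vault().
SAMPLE_VAULTS_JSON = """
[
  {"name": "cc-main-production-vault",
   "properties": {"enableSoftDelete": null, "enablePurgeProtection": null}},
  {"name": "cc-project5-app-vault",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": null}},
  {"name": "cc-user-access-vault",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": true}}
]
"""


def assess_vault(vault: dict) -> dict:
    """Return a finding for one vault. Both flags must be literally true:
    null (feature never configured) and false both count as disabled."""
    props = vault.get("properties") or {}
    soft_delete = props.get("enableSoftDelete") is True
    purge_protection = props.get("enablePurgeProtection") is True
    recoverable = soft_delete and purge_protection
    finding = {"name": vault["name"], "soft_delete": soft_delete,
               "purge_protection": purge_protection,
               "recoverable": recoverable, "remediation": None}
    if not recoverable:
        # Same command as the Remediation section; both flags are passed
        # because purge protection can only be enabled on a soft-delete vault.
        finding["remediation"] = (f"az keyvault update --name {vault['name']} "
                                  "--enable-soft-delete true "
                                  "--enable-purge-protection true")
    return finding


def assess_vaults(raw_json: str) -> List[dict]:
    """Run assess_vault over a JSON array of vault descriptions."""
    return [assess_vault(v) for v in json.loads(raw_json)]


def non_recoverable_names(raw_json: str) -> List[str]:
    """Names of vaults that violate the rule (either feature not enabled)."""
    return [f["name"] for f in assess_vaults(raw_json) if not f["recoverable"]]


if __name__ == "__main__":
    for f in assess_vaults(SAMPLE_VAULTS_JSON):
        print(f"{'OK  ' if f['recoverable'] else 'FAIL'} {f['name']}: "
              f"softDelete={f['soft_delete']} purgeProtection={f['purge_protection']}")
        if f["remediation"]:
            print("     fix: " + f["remediation"])
```

A vault with soft delete on but purge protection unset still fails the rule, since it can be purged inside the 90-day window. Newer Azure CLI releases no longer accept --enable-soft-delete because Azure now enables soft delete on every vault; on those versions pass only --enable-purge-protection true.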

Publication date Sep 20, 2019
