Description:
Azure Key Vault Recoverability ensures that your Key Vault data can be restored after accidental deletion or a disaster. Enabling soft-delete and purge protection for your Key Vault ensures that the Key Vault and its contents (keys, secrets, and certificates) can be recovered within the retention period and cannot be permanently deleted until that retention period expires or the protection is manually disabled.
Rationale:
Enabling Recoverability for Azure Key Vault is critical for ensuring business continuity. In case of accidental or malicious deletion of the Key Vault, soft-delete allows the resources within the Key Vault to be restored within the retention period. Purge protection adds an extra layer of security by preventing the permanent deletion of the Key Vault until purge protection is explicitly disabled, helping prevent data loss from accidental or malicious actions. This is particularly important for compliance with security standards such as SOC 2, HIPAA, GDPR, and NIST, which mandate that organizations have mechanisms in place to recover important data.
Impact:
Enabling soft-delete and purge protection increases security and provides an assurance of data recoverability. However, it may slightly impact the management of deleted resources since they are retained during the recovery period. Once recovery protection is enabled, deleted resources cannot be permanently removed until the retention period is over or explicit purging is performed after disabling the protection.
Default Value:
By default, soft-delete is enabled for Azure Key Vault, but purge protection is disabled. Purge protection must therefore be enabled explicitly, and soft-delete should be verified, to ensure full recoverability.
Pre-requisites:
Azure Key Vault: Ensure that your Key Vault instance exists and is configured.
Permissions: You need the Owner or Contributor role on the Key Vault to modify its recovery settings.
Remediation:
Audit:
To check if Key Vault Recoverability is enabled for your Azure Key Vault (Soft-Delete and Purge Protection):
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to Azure Key Vault:
Go to Key Vaults in the Azure portal, and select the relevant Key Vault.
Check Recovery Settings:
In the Settings section, click on Properties.
Verify if Soft-Delete is enabled and whether Purge Protection is enabled.
Automated Implementation:
To ensure Azure Key Vault is recoverable by enabling soft-delete and purge protection, you can use Azure Policy to enforce these settings across your organization.
Create a custom Azure Policy to ensure soft-delete and purge protection are enabled for Azure Key Vaults:
Go to the Azure portal.
Navigate to Policy and click on Definitions.
Create a new Custom Policy with the following content:
{
  "properties": {
    "displayName": "Ensure Key Vault is Recoverable",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that Azure Key Vault is recoverable by enabling soft-delete and purge protection.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Security"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "notEquals": true
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Assign the policy:
After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure soft-delete and purge protection are enabled for all Azure Key Vaults.
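A scripted form of the audit above, applying the same condition the policy enforces (a missing purge-protection property counts as disabled) to Key Vault records. This is an added example, not part of the original control; it assumes the JSON shape returned by `az keyvault show` (a `properties` object with `enableSoftDelete` and `enablePurgeProtection`), and the vault records below are constructed for illustration.

```python
"""Audit Azure Key Vault recoverability settings from az CLI JSON output."""
import json

# Constructed sample records in the shape of `az keyvault show` output.
# kv-dev-02 deliberately omits enablePurgeProtection, which the policy
# rule above treats as "exists: false", i.e. not protected.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "kv-prod-01",
     "properties": {"enableSoftDelete": True,
                    "enablePurgeProtection": True,
                    "softDeleteRetentionInDays": 90}},
    {"name": "kv-dev-02",
     "properties": {"enableSoftDelete": True,
                    "softDeleteRetentionInDays": 7}},
    {"name": "kv-legacy-03",
     "properties": {"enableSoftDelete": False,
                    "enablePurgeProtection": False}},
])


def audit_vault(vault: dict) -> list[str]:
    """Return the findings for one vault; an empty list means compliant.

    Mirrors the Azure Policy condition: a property that is absent or not
    exactly true is reported, the same way `exists: false` / `notEquals: true`
    fire in the policy rule.
    """
    props = vault.get("properties", {})
    findings = []
    if props.get("enableSoftDelete") is not True:
        findings.append("soft-delete disabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection disabled or not set")
    return findings


def audit_vaults(az_json: str) -> dict[str, list[str]]:
    """Parse a JSON array of vault records and map each non-compliant
    vault name to its findings; compliant vaults are omitted."""
    vaults = json.loads(az_json)
    return {v["name"]: f for v in vaults if (f := audit_vault(v))}


if __name__ == "__main__":
    for name, findings in audit_vaults(SAMPLE_AZ_OUTPUT).items():
        print(f"{name}: {'; '.join(findings)}")
```

In a real run, feed the output of `az keyvault show` for each vault (collected into one JSON array) to `audit_vaults` instead of the constructed sample.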
Backout Plan:
To revert Key Vault Recoverability settings (disable soft-delete or purge protection):
Sign in to the Azure portal with appropriate permissions.
Navigate to the Azure Key Vault:
Go to Key Vaults in the Azure portal and select the relevant Key Vault.
Go to Properties:
In the Settings section, click on Properties.
Disable Purge Protection or Soft Delete:
Set Enable purge protection to Disabled (if required).
Save the changes to remove recovery settings.
If the settings were enforced via Azure Policy, modify or remove the policy to allow Key Vault deletion without protection.