---
title: Key Vault soft delete is disabled
---

# Key Vault soft delete is disabled

## Metadata{% #metadata %}

**Id:** `ansible-azure-key-vault-soft-delete-is-disabled`

**Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Backup

### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete)

### Description{% #description %}

Key Vaults must have soft delete enabled to prevent permanent loss of keys, secrets, and certificates. This ensures deleted items can be recovered after accidental or malicious deletion.

This rule checks Ansible tasks using the `azure.azcollection.azure_rm_keyvault` or `azure_rm_keyvault` modules and requires the `enable_soft_delete` property to be defined and set to `true`. Resources missing `enable_soft_delete` or with `enable_soft_delete: false` are flagged as insecure. Consider enabling purge protection for additional safeguards against permanent deletion.

Secure configuration example:

```yaml
- name: Create Key Vault with soft delete enabled
  azure.azcollection.azure_rm_keyvault:
    resource_group: myResourceGroup
    vault_name: myKeyVault
    vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111  # tenant ID, same example value as below
    location: eastus
    sku:
      name: standard
    enable_soft_delete: true
```
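As an added illustration of the rule's logic (this is not Datadog's scanner code), the following Python checker runs over tasks already loaded from a playbook: it accepts both module names, descends into `block`/`rescue`/`always` sections, treats a missing key or any non-true value as a finding, and recognises the string booleans Ansible accepts. The sample tasks are constructed here and mirror the compliant and non-compliant examples on this page.

```python
# Module names the rule recognises: the FQCN and the short form.
KEYVAULT_MODULES = ("azure.azcollection.azure_rm_keyvault", "azure_rm_keyvault")
# Strings Ansible accepts as true when the YAML loader leaves them as text (YAML 1.2).
TRUE_STRINGS = {"true", "yes", "on", "1"}


def is_true(value) -> bool:
    """Evaluate a YAML/Ansible boolean; anything unrecognised counts as not true."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in TRUE_STRINGS
    return False


def iter_tasks(tasks):
    """Yield every task mapping, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        yield task
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from iter_tasks(task[section])


def check_soft_delete(tasks) -> list:
    """Return one finding per Key Vault task whose enable_soft_delete is not true."""
    findings = []
    for task in iter_tasks(tasks):
        for module in KEYVAULT_MODULES:
            if module not in task:
                continue
            args, name = task[module], task.get("name", "<unnamed>")
            if not isinstance(args, dict):
                findings.append(f"{name}: {module} arguments are not a mapping")
            elif "enable_soft_delete" not in args:
                findings.append(f"{name}: enable_soft_delete is missing")
            elif not is_true(args["enable_soft_delete"]):
                findings.append(f"{name}: enable_soft_delete is {args['enable_soft_delete']!r}")
    return findings


# Constructed tasks, shaped as yaml.safe_load returns them (YAML 1.1 maps yes/no to bools).
SAMPLE_TASKS = [
    {"name": "ok", "azure_rm_keyvault": {"vault_name": "kv1", "enable_soft_delete": True}},
    {"name": "off", "azure_rm_keyvault": {"vault_name": "kv2", "enable_soft_delete": False}},
    {"name": "missing", "azure.azcollection.azure_rm_keyvault": {"vault_name": "kv3"}},
    {"block": [{"name": "nested", "azure_rm_keyvault": {"enable_soft_delete": "false"}}]},
]
```

Feed `check_soft_delete` the task list from `yaml.safe_load` of a playbook to reproduce the rule's findings locally; only the `ok` task above passes.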

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create instance of Key Vault
  azure_rm_keyvault:
    resource_group: myResourceGroup
    vault_name: samplekeyvault
    enabled_for_deployment: yes
    enable_soft_delete: yes
    vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111
    sku:
      name: standard
    access_policies:
    - tenant_id: 72f98888-8666-4144-9199-2d7cd0111111
      object_id: 99998888-8666-4144-9199-2d7cd0111111
      keys:
      - get
      - list
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create instance of Key Vault
  azure_rm_keyvault:
    resource_group: myResourceGroup
    vault_name: samplekeyvault
    enabled_for_deployment: yes
    enable_soft_delete: no
    vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111
    sku:
      name: standard
    access_policies:
      - tenant_id: 72f98888-8666-4144-9199-2d7cd0111111
        object_id: 99998888-8666-4144-9199-2d7cd0111111
        keys:
          - get
          - list
- name: Create instance of Key Vault 02
  azure_rm_keyvault:
    resource_group: myResourceGroup 02
    vault_name: samplekeyvault
    enabled_for_deployment: yes
    vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111
    sku:
      name: standard
    access_policies:
      - tenant_id: 72f98888-8666-4144-9199-2d7cd0111111
        object_id: 99998888-8666-4144-9199-2d7cd0111111
        keys:
          - get
          - list
```
