Azure Key Vault should be recoverable

Description

The key vault contains object keys, secrets, and certificates. If a key vault is made unavailable accidentally, it can cause immediate data loss or loss of the security functions supported by the key vault objects, including authentication, validation, verification, and non-repudiation. It is recommended that the key vault be made recoverable by enabling the “Do Not Purge” and “Soft Delete” functions. This prevents the loss of data encrypted with key vault objects (keys, secrets, certificates, etc.), such as storage accounts, SQL databases, and dependent services, which may occur through accidental deletion by a user or through disruptive activity by a malicious user.

Note: When a new key vault is created, the enableSoftDelete and enablePurgeProtection parameters are set to null by default, disabling both features.

Remediation

Enable “Do Not Purge” and “Soft Delete” for a key vault.

From the console

  1. Log in to the Azure Portal.
  2. Go to Key Vaults and click Properties.
  3. Verify that the status of soft-delete is set to ‘Soft delete has been enabled on this key vault’.
  4. At the bottom of the page, click ‘Enable Purge Protection’.
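As an added example that is not part of this page, the following Python audit reads the JSON that `az keyvault show -o json` prints for each vault and flags any vault where either property is not `true`; the vault names and sample data are constructed, and the resource group in the suggested remediation command is a placeholder.

```python
import json
from typing import Any

# Property names as they appear in `az keyvault show -o json` output.
SOFT_DELETE = "enableSoftDelete"
PURGE_PROTECTION = "enablePurgeProtection"


def vault_findings(vault: dict[str, Any]) -> list[str]:
    """Return the recoverability gaps for one vault object from `az keyvault show`.

    A null or missing value is treated as disabled, matching the note above that
    both parameters default to null on a newly created vault.
    """
    props = vault.get("properties") or {}
    findings = []
    if props.get(SOFT_DELETE) is not True:
        findings.append("soft delete not enabled")
    if props.get(PURGE_PROTECTION) is not True:
        findings.append("purge protection not enabled")
    return findings


def audit(vaults_json: str) -> dict[str, list[str]]:
    """Map vault name -> findings for every non-recoverable vault in a JSON array.

    Vaults with both features enabled are omitted from the result.
    """
    result = {}
    for vault in json.loads(vaults_json):
        findings = vault_findings(vault)
        if findings:
            result[vault["name"]] = findings
    return result


# Constructed sample: three vaults in the (trimmed) shape `az keyvault show` prints.
SAMPLE_VAULTS = json.dumps([
    {"name": "kv-prod", "properties": {SOFT_DELETE: True, PURGE_PROTECTION: True}},
    {"name": "kv-legacy", "properties": {SOFT_DELETE: None, PURGE_PROTECTION: None}},
    {"name": "kv-dev", "properties": {SOFT_DELETE: True}},
])

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_VAULTS).items():
        print(f"{name}: {', '.join(gaps)}")
        # Purge protection can also be enabled from the CLI (resource group is a placeholder).
        print(f"  az keyvault update --name {name} --resource-group <rg> --enable-purge-protection true")
```

To run it against a real subscription, replace `SAMPLE_VAULTS` with a JSON array built from `az keyvault show` output for each vault you own.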