Azure key should be recoverable

Docs > Datadog Security > OOTB Rules > Azure key should be recoverable

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the “Do Not Purge” and “Soft Delete” functions. This is to prevent loss of encrypted data, including storage accounts, SQL databases, and dependent services provided by Key Vault objects (keys, secrets, certificates, etc.), which may occur due to accidental deletion by a user or from disruptive activity by a malicious user.

Default value

When a new Key Vault is created, both the parameters enableSoftDelete and enablePurgeProtection are set to null, disabling both the features.

Rationale

There could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:

Setting the enableSoftDeleteSetting parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.
enablePurgeProtectionenableSoftDelete only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting enablePurgeProtection to “true” ensures that the key vault and its objects cannot be purged.

Enabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.

Impact

Once purge protection and soft-delete is enabled for a key vault, the action is irreversible.

Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features “Do Not Purge” and “Soft Delete” are enabled by default by your Azure backend.

WARNING: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.

Remediation

Enable “Do Not Purge” and “Soft Delete” for a key vault.

From the console

Go to Key Vaults.
Click Properties.
Ensure the status of soft-delete reads ‘Soft delete has been enabled on this key vault’.
At the bottom of the page, click ‘Enable Purge Protection’.

From the command line

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

From Powershell

Update-AzKeyVault -VaultName <vaultName -ResourceGroupName <resourceGroupName -EnablePurgeProtection