turbot/azure_compliance

Control: 8.5 Ensure the Key Vault is Recoverable

Description

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.

It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.

WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.

There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible.

There is a Key Vault property that plays a role in permanent unavailability of a Key Vault:

enablePurgeProtection: Setting this parameter to "true" for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged.

Enabling the enablePurgeProtection parameter on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.

Remediation

To enable "Do Not Purge" and "Soft Delete" for a Key Vault:

From Azure Portal

  1. Go to Key Vaults.
  2. For each Key Vault.
  3. Click Properties.
  4. Ensure the status of Purge protection reads Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects). Note, once enabled you cannot disable it.

From Azure CLI

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx- xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault /vaults/<keyVaultName> --set properties.enablePurgeProtection=true

From Powershell

Update-AzKeyVault -VaultName <vaultName -ResourceGroupName <resourceGroupName -EnablePurgeProtection

Default Value

When a new Key Vault is created, both the parameters enableSoftDelete and enablePurgeProtection are set to null, disabling both the features.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v210_8_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v210_8_5 --share

SQL

This control uses a named query:

keyvault_vault_recoverable

Tags