turbot/steampipe-mod-azure-compliance

Control: 8.3.5 Ensure 'Purge protection' is set to 'Enabled'

Description

Key vaults contain object keys, secrets, and certificates. Deletion of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.

It is recommended the key vault be made recoverable by enabling the "purge protection" function. This is to prevent the loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects (keys, secrets, certificates, etc.).

NOTE: In February 2025, Microsoft enabled soft delete protection on all key vaults. Users can no longer opt out of or turn off soft delete.

WARNING: A current limitation is that role assignments disappear when a key vault is deleted. All role assignments will need to be recreated after recovery.

Setting enablePurgeProtection to "true" for a Key Vault ensures that even if the Key Vault is deleted, the Key Vault itself and its objects remain recoverable for the next 90 days. During those 90 days the Key Vault and its objects can either be recovered or purged (permanently deleted). If no action is taken, the key vault and its objects are purged at the end of the retention period.

Remediation

NOTE: Once enabled, purge protection cannot be disabled.

Remediate from Azure Portal

  1. Go to Key Vaults.
  2. Click the name of a key vault.
  3. Under Settings, click Properties.
  4. Select the radio button next to Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects).
  5. Click Save.
  6. Repeat steps 1-5 for each key vault requiring remediation.

Remediate from Azure CLI

For each key vault requiring remediation, run the following command to enable purge protection:

az resource update --resource-group <resource-group> --name <key-vault> --resource-type "Microsoft.KeyVault/vaults" --set properties.enablePurgeProtection=true

Remediate from PowerShell

For each key vault requiring remediation, run the following command to enable purge protection:

Update-AzKeyVault -ResourceGroupName <resource-group> -VaultName <key-vault> -EnablePurgeProtection

Default Value

Purge protection is disabled by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_8_3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_3_5 --share

SQL

This control uses a named query:

select
  kv.id as resource,
  case
    when purge_protection_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when purge_protection_enabled then name || ' purge protection enabled.'
    else name || ' purge protection disabled.'
  end as reason,
  kv.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault as kv
  left join azure_subscription as sub on sub.subscription_id = kv.subscription_id;
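The same ok/alarm logic as the named query above, applied to the JSON that `az keyvault list` prints, with the Azure CLI remediation command from the Remediation section filled in for each vault that alarms. This is an added example, not code from the steampipe-mod-azure-compliance project; it assumes `az keyvault list` exposes `resourceGroup` and `properties.enablePurgeProtection` per vault, and the sample output is constructed.

```python
"""Evaluate the purge-protection check over `az keyvault list` output.

Added example, not part of the steampipe-mod-azure-compliance project.
Assumes each vault object carries `resourceGroup` and
`properties.enablePurgeProtection`; the sample below is constructed.
"""
import json

# Constructed sample of `az keyvault list` output (only the fields used here).
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "kv-prod-01", "resourceGroup": "rg-prod",
     "properties": {"enablePurgeProtection": True, "enableSoftDelete": True}},
    {"name": "kv-dev-01", "resourceGroup": "rg-dev",
     "properties": {"enablePurgeProtection": False, "enableSoftDelete": True}},
    # A vault on which purge protection was never set carries no value at all
    # (the API reports null); that must count as "disabled", not as a pass.
    {"name": "kv-legacy", "resourceGroup": "rg-legacy",
     "properties": {"enableSoftDelete": True}},
])


def evaluate_vaults(az_json: str) -> list[dict]:
    """Return one result per vault: status ('ok'/'alarm'), reason, remediation."""
    results = []
    for vault in json.loads(az_json):
        name = vault["name"]
        rg = vault["resourceGroup"]
        # None/missing is treated like false, as the boolean column in the query is.
        protected = bool(vault.get("properties", {}).get("enablePurgeProtection"))
        result = {
            "resource": name,
            "resource_group": rg,
            "status": "ok" if protected else "alarm",
            "reason": f"{name} purge protection {'enabled' if protected else 'disabled'}.",
        }
        if not protected:
            # The command from the Remediation section, filled in for this vault.
            result["remediation"] = (
                f"az resource update --resource-group {rg} --name {name} "
                '--resource-type "Microsoft.KeyVault/vaults" '
                "--set properties.enablePurgeProtection=true"
            )
        results.append(result)
    return results


if __name__ == "__main__":
    for r in evaluate_vaults(SAMPLE_AZ_OUTPUT):
        print(r["status"].upper(), r["reason"], r.get("remediation", ""))
```

Pipe real output in with `az keyvault list -o json` in place of the constructed sample; vaults reported as alarm are the ones the control would flag.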

Tags