Aqua CSPM

Key Vault Recovery Enabled

Quick Info

Plugin Title: Key Vault Recovery Enabled
Cloud: AZURE
Category: Key Vault
Description: Ensures that Purge Protection and Soft Delete are enabled on all Key Vaults.
More Info: Purge Protection and Soft Delete are features that safeguard against losing access to keys. With these settings enabled, a key vault, key, secret or certificate that has been deleted, whether by mistake or by an attacker, stays recoverable for the retention period, and with Purge Protection it cannot be permanently purged before that period ends.
AZURE Link: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete
Recommended Action: 1. Log in to the Azure CLI. 2. Run the following command, replacing vaultname with the vault, to enable Soft Delete: "az resource update --id $(az keyvault show --name vaultname -o tsv | awk '{print $1}') --set properties.enableSoftDelete=true". 3. Run the same command with "--set properties.enablePurgeProtection=true" to enable Purge Protection.

Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Select the “Search resources, services, and docs” option at the top and search for “Key vault”.
  3. The Key Vault "Purge Protection and Soft Delete" settings cannot be checked or enabled from the console in the version this page describes (newer portal versions show both under the vault's Properties blade); use either PowerShell or the Azure CLI to make the changes.
  4. Paste the URL "https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest#code-try-0" into the browser and hit enter.
  5. Type the command "az login" to sign in to the Azure CLI.
  6. Visit the URL "https://microsoft.com/devicelogin" and enter the code shown in the Azure CLI.
  7. Once you are signed in to the Azure CLI, continue with the checks below.
  8. To verify that a key vault has soft delete and purge protection enabled, run "az keyvault show --name vaultname" and look at the enableSoftDelete and enablePurgeProtection values under properties (or select just those two with --query "properties.[enableSoftDelete, enablePurgeProtection]"). If either value is false or missing, that protection is not enabled. Note that soft delete is now on by default for newly created key vaults and cannot be turned off, so for a recent vault usually only purge protection needs action.
  9. To enable "Soft Delete", run "az resource update --id $(az keyvault show --name vaultname -o tsv | awk '{print $1}') --set properties.enableSoftDelete=true". Replace vaultname with the key vault you are using. The "-o tsv | awk '{print $1}'" part only extracts the vault's resource ID; "--query id -o tsv" does the same more explicitly.
  10. To enable "Purge Protection", run "az resource update --id $(az keyvault show --name vaultname -o tsv | awk '{print $1}') --set properties.enablePurgeProtection=true". Replace vaultname with the key vault you are using. Purge protection is irreversible: once enabled it cannot be disabled, and neither the vault nor its objects can be purged before the soft-delete retention period expires, so confirm that is acceptable before applying it.
  11. Repeat steps 8 to 10 for each remaining key vault so that "Key Vault Recovery" is enabled everywhere.
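The steps above check and remediate one vault at a time. The script below, added here as an example and not part of Aqua CSPM or of the Azure CLI documentation, audits every key vault in the current subscription with the same two properties and can enable whichever protection is missing. It assumes the Azure CLI is installed and "az login" has been run when invoked with --live; the row layout, the sample vault names and the function names (live_rows, sample_rows, classify_vault, audit, enable_protection) are the example's own. Without --live it runs over constructed sample rows only, so the classification can be tried offline.

```shell
#!/bin/sh
# Audit every Key Vault in the current Azure subscription for soft delete and
# purge protection, and optionally turn on whichever protection is missing.
#
# Added example, not Aqua CSPM code. Assumes the Azure CLI is installed and
# `az login` has been run when invoked with --live or --apply; with no
# argument it runs over constructed sample rows so it works offline.
set -u

# Emit one row per vault in the subscription:
#   <name> <resourceGroup> <enableSoftDelete> <enablePurgeProtection>
# to_string() turns a never-set (null) property into the literal "null"
# instead of an empty tsv field, which `read` would otherwise swallow.
live_rows() {
    az keyvault list --query "[].name" -o tsv | while read -r name; do
        az keyvault show --name "$name" \
            --query "[name, resourceGroup, to_string(properties.enableSoftDelete), to_string(properties.enablePurgeProtection)]" \
            -o tsv
    done
}

# Constructed sample rows (not real vaults) in the same shape live_rows emits.
sample_rows() {
    printf '%s\t%s\t%s\t%s\n' \
        kv-prod-secrets rg-prod true  true  \
        kv-legacy       rg-old  true  false \
        kv-test         rg-dev  null  null
}

# Classify one vault. Anything other than true (false, null, empty) counts
# as off: the protection is not in effect either way.
classify_vault() {
    name=$1; sd=$3; pp=$4      # $2 (resource group) is not needed to classify
    case "$sd" in true|True) sd=on ;; *) sd=off ;; esac
    case "$pp" in true|True) pp=on ;; *) pp=off ;; esac
    if [ "$sd" = on ] && [ "$pp" = on ]; then status=PASS; else status=FAIL; fi
    echo "$status $name soft-delete=$sd purge-protection=$pp"
}

# Print one verdict per vault; return 1 if any vault fails the check.
# $1 names the row source (live_rows or sample_rows).
audit() {
    failed=0
    while read -r name rg sd pp; do
        [ -n "$name" ] || continue
        verdict=$(classify_vault "$name" "$rg" "$sd" "$pp")
        echo "$verdict"
        case "$verdict" in FAIL*) failed=1 ;; esac
    done <<EOF
$("$1")
EOF
    return "$failed"
}

# Remediation for one vault. Purge protection is one-way: once enabled it
# cannot be disabled, and vault contents can no longer be purged before the
# retention period ends, so this is the step that needs sign-off first.
enable_protection() {
    name=$1; rg=$2; sd=$3; pp=$4
    case "$sd" in true|True) ;; *)
        # Same approach as the remediation steps above, selecting the resource
        # id with --query instead of `-o tsv | awk '{print $1}'`.
        az resource update \
            --ids "$(az keyvault show --name "$name" --query id -o tsv)" \
            --set properties.enableSoftDelete=true ;;
    esac
    case "$pp" in true|True) ;; *)
        az keyvault update --name "$name" --resource-group "$rg" --enable-purge-protection true ;;
    esac
}

case "${1:-}" in
    --live)  audit live_rows || exit 1 ;;
    --apply) live_rows | while read -r name rg sd pp; do
                 [ -n "$name" ] && enable_protection "$name" "$rg" "$sd" "$pp"
             done ;;
    *)       audit sample_rows || echo "sample data: at least one vault fails the check (use --live for the real subscription)" ;;
esac
```

Run it with no arguments to see the verdicts for the sample rows, with --live to audit the real subscription (exit status 1 if any vault fails), and with --apply to enable the missing protections. Because purge protection cannot be undone, review the --live output before running --apply.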