Key vault should have purge protection enabled
Purge protection is an optional Key Vault behavior and is not enabled by default.
Purge protection can only be enabled once soft delete is enabled; it can be turned on via the Azure CLI or PowerShell.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable purge protection for key vaults
```hcl
resource "azurerm_key_vault" "good_example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.good_example.location
  resource_group_name         = azurerm_resource_group.good_example.name
  # tenant_id and sku_name are required by the provider; the data source is assumed to exist
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  enabled_for_disk_encryption = true
  # Soft delete must be on before purge protection can be enabled
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
}
```
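As an added example that is not part of the original page: a small Python scanner that walks a Terraform file and reports every `azurerm_key_vault` resource that does not set `purge_protection_enabled = true`, which is the check a pipeline would run before apply. The sample configuration is constructed, and the regex parser assumes flat attribute blocks without nested braces.

```python
import re

# Constructed sample Terraform configuration (not from the original page):
# one vault with purge protection enabled, one with it off, one missing it.
SAMPLE_TF = """
resource "azurerm_key_vault" "good_example" {
  name                       = "examplekeyvault"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

resource "azurerm_key_vault" "bad_example" {
  name                       = "otherkeyvault"
  soft_delete_retention_days = 7
  purge_protection_enabled   = false
}

resource "azurerm_key_vault" "missing_example" {
  name = "thirdkeyvault"
}
"""

# Matches a top-level resource block and captures its type, name and body.
# Assumes the body holds only simple attributes (no nested blocks).
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{([^}]*)\}')
# Matches one "key = value" attribute line inside a block body.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)


def find_unprotected_key_vaults(hcl: str) -> list[str]:
    """Return the names of azurerm_key_vault resources whose
    purge_protection_enabled attribute is absent or not literally true."""
    findings = []
    for rtype, rname, body in RESOURCE_RE.findall(hcl):
        if rtype != "azurerm_key_vault":
            continue
        attrs = dict(ATTR_RE.findall(body))
        if attrs.get("purge_protection_enabled") != "true":
            findings.append(rname)
    return findings


if __name__ == "__main__":
    for name in find_unprotected_key_vaults(SAMPLE_TF):
        print(f"azurerm_key_vault.{name}: purge_protection_enabled is not true")
```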
Links