Severity: MEDIUM
Source: Trivy
ID: AVD-AZU-0016

Key vault should have purge protection enabled

Purge protection is an optional Key Vault setting and is not enabled by default. When it is enabled, a soft-deleted vault, or a soft-deleted key, secret or certificate inside it, cannot be purged (permanently destroyed) by anyone until its soft-delete retention period (7 to 90 days) has elapsed; it can still be recovered during that window.

Purge protection can only be enabled once soft-delete is enabled, and once it has been turned on it cannot be turned off again. It can be turned on through the Azure portal, the CLI or PowerShell, or declared in infrastructure code as in the remediation below.
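The following audit script is an added example, not part of the original page or of Trivy; it shows what the check looks like against live vaults rather than Terraform source. It evaluates the JSON that `az keyvault show` returns (in the API output, purge protection that has never been enabled appears as `enablePurgeProtection: null`), flags vaults that need remediation, and emits the `az keyvault update` commands in the order the dependency requires: soft-delete first, then purge protection. The vault names, resource groups and property values in `SAMPLE_VAULTS` are constructed for illustration; the `--live` mode assumes an authenticated `az` CLI on the path.

```python
"""Audit Azure Key Vaults for purge protection (AVD-AZU-0016) from `az keyvault show` output."""
import json
import subprocess
import sys

# Constructed sample of `az keyvault show` output, trimmed to the fields this check
# needs. These are illustrative vaults, not real resources.
SAMPLE_VAULTS = [
    {"name": "kv-prod-secrets", "resourceGroup": "rg-prod",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90,
                    "enablePurgeProtection": True}},
    {"name": "kv-dev-tokens", "resourceGroup": "rg-dev",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 7,
                    "enablePurgeProtection": None}},   # null: never enabled
    {"name": "kv-legacy", "resourceGroup": "rg-legacy",
     "properties": {"enableSoftDelete": False, "softDeleteRetentionInDays": None,
                    "enablePurgeProtection": None}},
]


def evaluate_vault(vault):
    """Return (status, remediation_cmds) for one vault description.

    status is "ok" when purge protection is on, otherwise "MEDIUM" (the severity
    Trivy assigns to AVD-AZU-0016). remediation_cmds lists the az commands to run,
    in order.
    """
    name = vault["name"]
    rg = vault["resourceGroup"]
    props = vault.get("properties") or {}
    # A missing key or an explicit null both mean "not enabled".
    soft_delete = bool(props.get("enableSoftDelete"))
    purge_protection = bool(props.get("enablePurgeProtection"))
    if purge_protection:
        return "ok", []
    base = f"az keyvault update --name {name} --resource-group {rg}"
    cmds = []
    if not soft_delete:
        # Purge protection cannot be enabled until soft-delete is on, so that
        # command has to run first.
        cmds.append(f"{base} --enable-soft-delete true")
    cmds.append(f"{base} --enable-purge-protection true")
    return "MEDIUM", cmds


def audit(vaults):
    """Evaluate every vault and return findings for the non-compliant ones."""
    findings = []
    for vault in vaults:
        status, cmds = evaluate_vault(vault)
        if status != "ok":
            findings.append({"name": vault["name"], "status": status, "remediation": cmds})
    return findings


def fetch_live_vaults():
    """Pull every vault in the current subscription via the az CLI (needs `az login`)."""
    listing = json.loads(subprocess.check_output(
        ["az", "keyvault", "list", "-o", "json"]))
    return [json.loads(subprocess.check_output(
                ["az", "keyvault", "show", "--name", item["name"],
                 "--resource-group", item["resourceGroup"], "-o", "json"]))
            for item in listing]


if __name__ == "__main__":
    vaults = fetch_live_vaults() if "--live" in sys.argv[1:] else SAMPLE_VAULTS
    for finding in audit(vaults):
        print(f"{finding['status']}: {finding['name']} lacks purge protection")
        for cmd in finding["remediation"]:
            print(f"    {cmd}")
```

Run it without arguments to see the check against the constructed sample, or with `--live` to audit the subscription the CLI is logged into. The script only prints the remediation commands; apply them deliberately, because enabling purge protection is a one-way change on the vault.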

Impact

Without purge protection, anyone with delete and purge permissions on the vault, whether a compromised identity, a malicious insider or an operator making a mistake, can soft-delete a vault, key, secret or certificate and then purge it immediately, destroying it permanently before the soft-delete retention window gives anyone a chance to recover it.

Follow the appropriate remediation steps below to resolve the issue.

Enable purge protection for key vaults

resource "azurerm_key_vault" "good_example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.good_example.location
  resource_group_name         = azurerm_resource_group.good_example.name
  # tenant_id and sku_name are required by the azurerm provider; the
  # azurerm_client_config data source is assumed to be declared elsewhere.
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  enabled_for_disk_encryption = true
  # Soft-delete retention window (7 to 90 days) that purge protection enforces.
  soft_delete_retention_days  = 7
  # Once applied, purge protection cannot be disabled again on this vault.
  purge_protection_enabled    = true
}