Policy: Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable

Configures auditing against a CIS Benchmark item.

Level: 1

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.

It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.

NOTE: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete.

WARNING: A current limitation is that role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.

There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible.

There is a Key Vault property that plays a role in permanent unavailability of a Key Vault: enablePurgeProtection: Setting this parameter to "true" for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, the key vault and its objects will subsequently be purged.

Enabling the enablePurgeProtection parameter on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.

Targets

This policy targets the following resource types:

Azure > Key Vault > Vault

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault

Controls

Setting this policy configures this control:

Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v3.0 > 03 - Security`
Valid Values [YAML]	`Per Azure > CIS v3.0 > 03 - Security` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071002

Policy Type URI

tmod:@turbot/azure-cisv3-0#/policy/types/r030305

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r030305") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030305'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030305'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r030305"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r030305"

Policy: Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable

Schema Type

string

Default

Per Azure > CIS v3.0 > 03 - Security

Valid Values [YAML]

Per Azure > CIS v3.0 > 03 - Security

Skip

Check: Benchmark using attestation