rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-recoverable.json
|
{
"args": [ ], "provider": "Azure", "serviceType": "Azure KeyVault", "serviceName": "Storage", "displayName": "Ensure the key vault is recoverable", "description":' The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. *NOTE*: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete. *WARNING*: A current limitation is that role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery. ', "rationale": "There could be scenarios where users accidently run delete/purge commands on key vault or attacker/malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 key vault properties that plays role in permanent unavailability of a key vault.\r\n\t\t\t\t\t1. enableSoftDelete:\r\n\t\t\t\t\tSetting this parameter to true for a key vault ensures that even if key vault is deleted, Key vault itself or its objects remain recoverable for next 90days. In this span of 90 days either key vault/objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days key vault and its objects will be purged.\r\n\t\t\t\t\t2. enablePurgeProtection:\r\n\t\t\t\t\tenableSoftDelete only ensures that key vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are chances that the key vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to \"true\" ensures that the key vault and its objects cannot be purged.\r\n\t\t\t\t\tEnabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.", "impact": "Once purge-protection and soft-delete is enabled for a key vault, the action is irreversible.", "remediation": { "text": "To enable \"Do Not Purge\" and \"Soft Delete\" for a Key Vault:\r\n\t\t\t\t\t###### From Azure Portal\r\n\t\t\t\t\tAzure Portal does not have provision to update the respective configurations\r\n\t\t\t\t\t###### Using Azure CLI 2.0\r\n\t\t\t\t\t```\r\n\t\t\t\t\taz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/\u003cresourceGroupName\u003e/providers/Microsoft.KeyVault/vaults/\u003ckeyVaultName\u003e --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\r\n\t\t\t\t\t```", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "3.3.5", "profile":"Level 1" } ], "level": "medium", "tags": [ ], "rule": { "path": "az_keyvault", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "protection.softDeleteEnabled", "eq", "false" ], [ "protection.enablePurgeProtection", "eq", "false" ] ], "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "Location", "properties.vaultUri": "URI", "properties.enableSoftDelete": "SoftDelete Enabled", "properties.enablePurgeProtection": "Purge Protection Enabled" }, "expandObject": null }, "table": "asList", "decorate": [ ], "emphasis": [ "SoftDelete Enabled", "Purge Protection Enabled" ], "actions": { "objectData": { "properties": [ ], "expandObject": null, "limit": null }, "showGoToButton": null, "showModalButton": null, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "azure_key_vault_recoverable_disabled", "notes": [ ], "categories": [ ] } |