Key Vault Recoverability should be enabled

More Info:

Ensure that production Azure Key Vaults are recoverable in order to prevent permanent deletion/purging of encryption keys, secrets and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both “Soft Delete” and “Do Not Purge” features.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, ISO27001, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To enable Key Vault Recoverability in AZURE using AZURE CLI, follow these steps:

Open the AZURE CLI on your local machine or use the AZURE Cloud Shell.
Login to your AZURE account using the following command:

az login

Once you are logged in, set the subscription where your Key Vault is located using the following command:

az account set --subscription <subscription_id>

Next, enable soft delete for the Key Vault using the following command:

az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-soft-delete true

Finally, enable purge protection for the Key Vault using the following command:

az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-purge-protection true

That’s it! You have now enabled Key Vault Recoverability for your AZURE Key Vault.

Using Python

To enable Key Vault Recoverability in Azure using Python, follow these steps:

First, you need to install the azure-mgmt-keyvault package. You can do this by running the following command:
```
pip install azure-mgmt-keyvault
```

Next, you need to authenticate with Azure. You can do this by creating a ServicePrincipalCredentials object and passing in your Azure credentials:

from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id='<your-client-id>',
    secret='<your-client-secret>',
    tenant='<your-tenant-id>'
)

Once you’re authenticated, you can create a KeyVaultManagementClient object and use it to enable recoverability:

from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters, VaultProperties, Sku, SkuName, AccessPolicyEntry, Permissions, SecretPermissions, StoragePermissions

# Create the KeyVaultManagementClient object
client = KeyVaultManagementClient(credentials, '<your-subscription-id>')

# Get the resource group and vault names
resource_group_name = '<your-resource-group-name>'
vault_name = '<your-vault-name>'

# Get the existing vault properties
vault = client.vaults.get(resource_group_name, vault_name)

# Enable recoverability
vault.properties.enable_soft_delete = True
vault.properties.enable_purge_protection = True

# Update the vault
parameters = VaultCreateOrUpdateParameters(
    location=vault.location,
    properties=vault.properties,
    sku=Sku(name=SkuName.standard)
)
client.vaults.create_or_update(resource_group_name, vault_name, parameters)

This code will enable both soft delete and purge protection for the specified Key Vault.

Finally, you can verify that recoverability has been enabled by checking the enable_soft_delete and enable_purge_protection properties of the vault:

# Get the updated vault properties
vault = client.vaults.get(resource_group_name, vault_name)

# Check that recoverability is enabled
if vault.properties.enable_soft_delete and vault.properties.enable_purge_protection:
    print('Recoverability has been enabled for the Key Vault')
else:
    print('Failed to enable recoverability for the Key Vault')

And that’s it! You have successfully enabled Key Vault Recoverability in Azure using Python.

Additional Reading:

https://docs.microsoft.com/en-us/azure/key-vault/basic-concepts

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Key Vault Recoverability should be enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: