More Info:

Ensure that production Azure Key Vaults are recoverable in order to prevent permanent deletion/purging of encryption keys, secrets and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both “Soft Delete” and “Do Not Purge” features.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, ISO27001, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to enable Key Vault Recoverability in Azure using the Azure console:
  1. Log in to the Azure portal (https://portal.azure.com).
  2. Navigate to the Key Vault that needs to be remediated.
  3. Click on the “Properties” tab.
  4. Scroll down to the “Soft delete” section and click on the “Configure” button.
  5. In the “Soft delete” blade, toggle the “Recoverable” switch to the “On” position.
  6. Set the “Retention period” to the desired number of days.
  7. Click on the “Save” button to save the changes.
  8. Once the changes are saved, the Key Vault will have recoverability enabled.
That’s it! You have successfully remediated the misconfiguration of Key Vault Recoverability in Azure using the Azure console.

To enable Key Vault Recoverability in AZURE using AZURE CLI, follow these steps:
  1. Open the AZURE CLI on your local machine or use the AZURE Cloud Shell.
  2. Login to your AZURE account using the following command:
az login
  1. Once you are logged in, set the subscription where your Key Vault is located using the following command:
az account set --subscription <subscription_id>
  1. Next, enable soft delete for the Key Vault using the following command:
az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-soft-delete true
  1. Finally, enable purge protection for the Key Vault using the following command:
az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-purge-protection true
That’s it! You have now enabled Key Vault Recoverability for your AZURE Key Vault.
To enable Key Vault Recoverability in Azure using Python, follow these steps:
  1. First, you need to install the azure-mgmt-keyvault package. You can do this by running the following command:
    pip install azure-mgmt-keyvault
    
  2. Next, you need to authenticate with Azure. You can do this by creating a ServicePrincipalCredentials object and passing in your Azure credentials:
    from azure.common.credentials import ServicePrincipalCredentials
    
    credentials = ServicePrincipalCredentials(
        client_id='<your-client-id>',
        secret='<your-client-secret>',
        tenant='<your-tenant-id>'
    )
    
  3. Once you’re authenticated, you can create a KeyVaultManagementClient object and use it to enable recoverability:
    from azure.mgmt.keyvault import KeyVaultManagementClient
    from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters, VaultProperties, Sku, SkuName, AccessPolicyEntry, Permissions, SecretPermissions, StoragePermissions
    
    # Create the KeyVaultManagementClient object
    client = KeyVaultManagementClient(credentials, '<your-subscription-id>')
    
    # Get the resource group and vault names
    resource_group_name = '<your-resource-group-name>'
    vault_name = '<your-vault-name>'
    
    # Get the existing vault properties
    vault = client.vaults.get(resource_group_name, vault_name)
    
    # Enable recoverability
    vault.properties.enable_soft_delete = True
    vault.properties.enable_purge_protection = True
    
    # Update the vault
    parameters = VaultCreateOrUpdateParameters(
        location=vault.location,
        properties=vault.properties,
        sku=Sku(name=SkuName.standard)
    )
    client.vaults.create_or_update(resource_group_name, vault_name, parameters)
    
    This code will enable both soft delete and purge protection for the specified Key Vault.
  4. Finally, you can verify that recoverability has been enabled by checking the enable_soft_delete and enable_purge_protection properties of the vault:
    # Get the updated vault properties
    vault = client.vaults.get(resource_group_name, vault_name)
    
    # Check that recoverability is enabled
    if vault.properties.enable_soft_delete and vault.properties.enable_purge_protection:
        print('Recoverability has been enabled for the Key Vault')
    else:
        print('Failed to enable recoverability for the Key Vault')
    
And that’s it! You have successfully enabled Key Vault Recoverability in Azure using Python.

Additional Reading: