Azure Introduction
Azure Pricing
Azure Threats
Key Vault Recoverability should be enabled
More Info:
Ensure that production Azure Key Vaults are recoverable in order to prevent permanent deletion/purging of encryption keys, secrets and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both “Soft Delete” and “Do Not Purge” features.
Risk Level
Medium
Address
Security
Compliance Standards
CISAZURE, CBP, ISO27001, SOC2, NISTCSF
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to enable Key Vault Recoverability in Azure using the Azure console:
-
Log in to the Azure portal (https://portal.azure.com).
-
Navigate to the Key Vault that needs to be remediated.
-
Click on the “Properties” tab.
-
Scroll down to the “Soft delete” section and click on the “Configure” button.
-
In the “Soft delete” blade, toggle the “Recoverable” switch to the “On” position.
-
Set the “Retention period” to the desired number of days.
-
Click on the “Save” button to save the changes.
-
Once the changes are saved, the Key Vault will have recoverability enabled.
That’s it! You have successfully remediated the misconfiguration of Key Vault Recoverability in Azure using the Azure console.
To enable Key Vault Recoverability in AZURE using AZURE CLI, follow these steps:
-
Open the AZURE CLI on your local machine or use the AZURE Cloud Shell.
-
Login to your AZURE account using the following command:
az login
- Once you are logged in, set the subscription where your Key Vault is located using the following command:
az account set --subscription <subscription_id>
- Next, enable soft delete for the Key Vault using the following command:
az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-soft-delete true
- Finally, enable purge protection for the Key Vault using the following command:
az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-purge-protection true
That’s it! You have now enabled Key Vault Recoverability for your AZURE Key Vault.
To enable Key Vault Recoverability in Azure using Python, follow these steps:
-
First, you need to install the
azure-mgmt-keyvaultpackage. You can do this by running the following command:pip install azure-mgmt-keyvault -
Next, you need to authenticate with Azure. You can do this by creating a
ServicePrincipalCredentialsobject and passing in your Azure credentials:from azure.common.credentials import ServicePrincipalCredentials credentials = ServicePrincipalCredentials( client_id='<your-client-id>', secret='<your-client-secret>', tenant='<your-tenant-id>' ) -
Once you’re authenticated, you can create a
KeyVaultManagementClientobject and use it to enable recoverability:from azure.mgmt.keyvault import KeyVaultManagementClient from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters, VaultProperties, Sku, SkuName, AccessPolicyEntry, Permissions, SecretPermissions, StoragePermissions # Create the KeyVaultManagementClient object client = KeyVaultManagementClient(credentials, '<your-subscription-id>') # Get the resource group and vault names resource_group_name = '<your-resource-group-name>' vault_name = '<your-vault-name>' # Get the existing vault properties vault = client.vaults.get(resource_group_name, vault_name) # Enable recoverability vault.properties.enable_soft_delete = True vault.properties.enable_purge_protection = True # Update the vault parameters = VaultCreateOrUpdateParameters( location=vault.location, properties=vault.properties, sku=Sku(name=SkuName.standard) ) client.vaults.create_or_update(resource_group_name, vault_name, parameters)This code will enable both soft delete and purge protection for the specified Key Vault.
-
Finally, you can verify that recoverability has been enabled by checking the
enable_soft_deleteandenable_purge_protectionproperties of the vault:# Get the updated vault properties vault = client.vaults.get(resource_group_name, vault_name) # Check that recoverability is enabled if vault.properties.enable_soft_delete and vault.properties.enable_purge_protection: print('Recoverability has been enabled for the Key Vault') else: print('Failed to enable recoverability for the Key Vault')
And that’s it! You have successfully enabled Key Vault Recoverability in Azure using Python.