More Info:
Ensure that production Azure Key Vaults are recoverable in order to prevent permanent deletion/purging of encryption keys, secrets and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both the “Soft Delete” and “Do Not Purge” (purge protection) features.
Risk Level: Medium
Address: Security
Compliance Standards: CISAZURE, CBP, ISO27001, SOC2, NISTCSF
Triage and Remediation
Remediation
Using Console
To enable Key Vault recoverability from the Azure portal:
- Log in to the Azure portal (https://portal.azure.com).
- Navigate to the Key Vault that needs to be remediated.
- Click on the “Properties” tab.
- Scroll down to the “Soft delete” section and click on the “Configure” button.
- In the “Soft delete” blade, toggle the “Recoverable” switch to the “On” position.
- Set the “Retention period” to the desired number of days.
- Click on the “Save” button to save the changes.
- Once the changes are saved, the Key Vault will have recoverability enabled.
Using CLI
To enable Key Vault recoverability using the Azure CLI, follow these steps:
- Open the Azure CLI on your local machine or use the Azure Cloud Shell.
- Log in to your Azure account using the following command:
- Once you are logged in, set the subscription where your Key Vault is located using the following command:
- Next, enable soft delete for the Key Vault using the following command:
- Finally, enable purge protection for the Key Vault using the following command:
That’s it! You have now enabled Key Vault recoverability for your Azure Key Vault.
Using Python
To enable Key Vault recoverability in Azure using Python, follow these steps:
- First, install the `azure-mgmt-keyvault` package by running the following command:
- Next, authenticate with Azure by creating a `ServicePrincipalCredentials` object and passing in your Azure credentials:
- Once you’re authenticated, create a `KeyVaultManagementClient` object and use it to enable recoverability. This code will enable both soft delete and purge protection for the specified Key Vault.
- Finally, verify that recoverability has been enabled by checking the `enable_soft_delete` and `enable_purge_protection` properties of the vault:
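As an added example (not code from the original page), the following Python audit reports vaults that lack soft delete or purge protection, or whose retention period falls outside Azure's allowed 7 to 90 day window. It assumes the `azure-mgmt-keyvault` client together with `azure-identity`'s `DefaultAzureCredential` (instead of the legacy `ServicePrincipalCredentials` mentioned above); the vault names in the sample data are constructed.

```python
# Added audit: pure checks (testable offline) plus a live fetch via
# azure-mgmt-keyvault; assumes azure-identity's DefaultAzureCredential.
from __future__ import annotations
MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 7, 90  # Azure's allowed window

def audit_vault(name, soft_delete, purge_protection, retention_days) -> list[str]:
    """Return findings for one vault; an empty list means it is recoverable."""
    findings = []
    # None means the property was never set, which older vaults can report.
    if soft_delete is not True:
        findings.append(f"{name}: soft delete is not enabled")
    if purge_protection is not True:
        findings.append(f"{name}: purge protection is not enabled")
    if retention_days is not None and not (
            MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS):
        findings.append(f"{name}: retention {retention_days}d outside 7-90")
    return findings

def audit_vaults(vaults: list[dict]) -> list[str]:
    """Audit dicts shaped like the JSON output of `az keyvault show`."""
    findings = []
    for v in vaults:
        p = v["properties"]
        findings += audit_vault(v["name"], p.get("enableSoftDelete"),
                                p.get("enablePurgeProtection"),
                                p.get("softDeleteRetentionInDays"))
    return findings

# Constructed sample in the CLI's JSON shape; these are not real vaults.
SAMPLE_VAULTS = [
    {"name": "kv-prod", "properties": {"enableSoftDelete": True,
     "enablePurgeProtection": True, "softDeleteRetentionInDays": 90}},
    {"name": "kv-legacy", "properties": {"enableSoftDelete": True,
     "softDeleteRetentionInDays": 7}},  # purge protection never set
    {"name": "kv-dev", "properties": {}},  # neither flag set
]

def audit_subscription(subscription_id: str) -> list[str]:
    """Live audit of every vault in a subscription (needs Azure access)."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.keyvault import KeyVaultManagementClient
    client = KeyVaultManagementClient(DefaultAzureCredential(), subscription_id)
    return [f for v in client.vaults.list_by_subscription()
            for f in audit_vault(v.name, v.properties.enable_soft_delete,
                                 v.properties.enable_purge_protection,
                                 v.properties.soft_delete_retention_in_days)]

if __name__ == "__main__":
    print("\n".join(audit_vaults(SAMPLE_VAULTS)) or "all vaults recoverable")
```

Purge protection cannot be switched off once enabled, so the second finding is the one that usually still needs remediation on older vaults, since soft delete has been enabled by default on newly created vaults for some time.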