Azure Key Vaults

Key Vault Recovery Disabled

Risk Level: Medium

Description

The plugin checks that Purge protection and Soft Delete on all Key Vaults are enabled. In case of losing access to keys, purge protection and soft delete help in reaccessing of keys.

About the Service

Key Vaults: Azure provides a facility to store and manage sensitive data such as certificates, user ids and passwords through key vaults service. The keys are embedded in the URL which reduces the accidental or intentional exposure of the keys. 

Impact

In case purge protection and soft delete are not enabled, in case of loss of any vault key, recovery of the particular vault key will not be possible, leading to loss of the sensitive data and other information the key was holding.

Steps to Reproduce

  1. Log in to the Azure portal.
  2. Click on Key vaults under Services or type “Key vaults” in the search box.
  3. Select a vault to check for the issue.
  4. From the navigation bar, go to the Settings section, click on Properties.
  5. In front of Purge Protection, if the value is set to “Disable purge protection (allow key vault and objects to be purged during retention period)”, visit the Steps for Remediation section.
  6. Repeat for other vaults as well.

Steps for Remediation

  1. Log in to the Azure portal.
  2. Click on Key vaults under Services or type “Key vaults” in the search box.
  3. Select a vault to check for the issue.
  4. From the navigation bar, go to Settings section, click on Properties.
  5. In front of Purge Protection, set value to “Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects)”, visit steps to remediation section. Click on Save button given at the top and wait for the changes to get saved.
  6. Repeat for other vaults as well.

Please feel free to reach out to support@pingsafe.com with any questions that you may have.

Thanks

PingSafe Support