Key Vault Not Recoverable

  • Query id: 7c25f361-7c66-44bf-9b69-022acd5eb4bd
  • Query name: Key Vault Not Recoverable
  • Platform: AzureResourceManager
  • Severity: High
  • Category: Backup
  • URL: Github

Description

Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "keyVaultInstance",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "location": "location",
      "tags": {},
      "properties": {
        "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "objectId": "99998888-8666-4144-9199-2d7cd0111111",
            "permissions": {
              "keys": [
                "encrypt"
              ]
            }
          }
        ],
        "vaultUri": "string",
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 80,
        "enableRbacAuthorization": true
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Postitive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "keyVaultInstance",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "location": "location",
      "tags": {},
      "properties": {
        "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "objectId": "99998888-8666-4144-9199-2d7cd0111111",
            "permissions": {
              "keys": [
                "encrypt"
              ]
            }
          }
        ],
        "vaultUri": "string",
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 80,
        "enableRbacAuthorization": true,
        "enablePurgeProtection": false
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Postitive test num. 3 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "keyVaultInstance",
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2019-09-01",
          "location": "location",
          "tags": {},
          "properties": {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "sku": {
              "family": "A",
              "name": "standard"
            },
            "accessPolicies": [
              {
                "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
                "objectId": "99998888-8666-4144-9199-2d7cd0111111",
                "permissions": {
                  "keys": [
                    "encrypt"
                  ]
                }
              }
            ],
            "vaultUri": "string",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true,
            "enableSoftDelete": true,
            "softDeleteRetentionInDays": 80,
            "enableRbacAuthorization": true
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}

Postitive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "keyVaultInstance",
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2019-09-01",
          "location": "location",
          "tags": {},
          "properties": {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "sku": {
              "family": "A",
              "name": "standard"
            },
            "accessPolicies": [
              {
                "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
                "objectId": "99998888-8666-4144-9199-2d7cd0111111",
                "permissions": {
                  "keys": [
                    "encrypt"
                  ]
                }
              }
            ],
            "vaultUri": "string",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true,
            "enableSoftDelete": true,
            "softDeleteRetentionInDays": 80,
            "enableRbacAuthorization": true,
            "enablePurgeProtection": false
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "keyVaultInstance",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "location": "location",
      "tags": {},
      "properties": {
        "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "objectId": "99998888-8666-4144-9199-2d7cd0111111",
            "permissions": {
              "keys": [
                "encrypt"
              ]
            }
          }
        ],
        "vaultUri": "string",
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 80,
        "enableRbacAuthorization": true,
        "enablePurgeProtection": true
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Negative test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "keyVaultInstance",
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2019-09-01",
          "location": "location",
          "tags": {},
          "properties": {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "sku": {
              "family": "A",
              "name": "standard"
            },
            "accessPolicies": [
              {
                "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
                "objectId": "99998888-8666-4144-9199-2d7cd0111111",
                "permissions": {
                  "keys": [
                    "encrypt"
                  ]
                }
              }
            ],
            "vaultUri": "string",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true,
            "enableSoftDelete": true,
            "softDeleteRetentionInDays": 80,
            "enableRbacAuthorization": true,
            "enablePurgeProtection": true
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}