Key Vault Not Recoverable
- Query id: 7c25f361-7c66-44bf-9b69-022acd5eb4bd
- Query name: Key Vault Not Recoverable
- Platform: AzureResourceManager
- Severity: High
- Category: Backup
- URL: Github
Description¶
Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true
},
"resources": []
}
],
"outputs": {}
}
Postitive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": false
},
"resources": []
}
],
"outputs": {}
}
Postitive test num. 3 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Postitive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": false
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": true
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 2 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": true
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}