Key Vault Not Recoverable
- Query id: 7c25f361-7c66-44bf-9b69-022acd5eb4bd
- Query name: Key Vault Not Recoverable
- Platform: AzureResourceManager
- Severity: High
- Category: Backup
- URL: Github
Description¶
Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": false
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 3 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": false
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 5 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaults_pgs_bot_prod_name')]",
"location": "westeurope",
"tags": {
"ProjectCodeBU": "UKMUMD",
"ApplicationName": "PGS HR Chatbot",
"ProjectCodePGDS": "PRJ0024896",
"CostCentreBU": "UKMUMD",
"DataClassification": "General",
"BusinessUnit": "PGS",
"Owner": "Pru UK Andover Innovation Team",
"Contact": "andover2@prudential.co.uk",
"CostCentrePGDS": "ITBUEXP",
"Criticality": "Low"
},
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"accessPolicies": [
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "f3e7baf5-8d66-4fb2-b7aa-7b7484309df6",
"permissions": {
"keys": [
"Get",
"Create",
"Delete",
"List",
"Update",
"Import",
"Backup",
"Restore",
"Recover"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Backup",
"Restore",
"Recover"
],
"certificates": [
"Get",
"Delete",
"List",
"Create",
"Import",
"Update",
"DeleteIssuers",
"GetIssuers",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"SetIssuers"
],
"storage": [
"delete",
"deletesas",
"get",
"getsas",
"list",
"listsas",
"regeneratekey",
"set",
"setsas",
"update"
]
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "1033a977-ffdc-4359-869a-b673d075f128",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": [],
"storage": []
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "13be5d2d-6e1f-4667-add4-02d2d1142ac5",
"permissions": {
"keys": [],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Backup",
"Restore",
"Recover",
"Purge"
],
"certificates": [],
"storage": []
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "e56a2de8-a788-415f-b10f-14bfd3000e1d",
"permissions": {
"keys": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"Decrypt",
"Encrypt",
"UnwrapKey",
"WrapKey",
"Verify",
"Sign",
"Purge"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Recover",
"Backup",
"Restore",
"Purge"
],
"certificates": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"ManageContacts",
"ManageIssuers",
"GetIssuers",
"ListIssuers",
"SetIssuers",
"DeleteIssuers",
"Purge"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false
}
}
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": true
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 2 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": true
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}