Key Vault Not Recoverable

  • Query id: 7c25f361-7c66-44bf-9b69-022acd5eb4bd
  • Query name: Key Vault Not Recoverable
  • Platform: AzureResourceManager
  • Severity: High
  • Category: Backup
  • URL: Github

Description

Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "keyVaultInstance",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "location": "location",
      "tags": {},
      "properties": {
        "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "objectId": "99998888-8666-4144-9199-2d7cd0111111",
            "permissions": {
              "keys": [
                "encrypt"
              ]
            }
          }
        ],
        "vaultUri": "string",
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 80,
        "enableRbacAuthorization": true
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "keyVaultInstance",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "location": "location",
      "tags": {},
      "properties": {
        "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "objectId": "99998888-8666-4144-9199-2d7cd0111111",
            "permissions": {
              "keys": [
                "encrypt"
              ]
            }
          }
        ],
        "vaultUri": "string",
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 80,
        "enableRbacAuthorization": true,
        "enablePurgeProtection": false
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Positive test num. 3 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "keyVaultInstance",
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2019-09-01",
          "location": "location",
          "tags": {},
          "properties": {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "sku": {
              "family": "A",
              "name": "standard"
            },
            "accessPolicies": [
              {
                "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
                "objectId": "99998888-8666-4144-9199-2d7cd0111111",
                "permissions": {
                  "keys": [
                    "encrypt"
                  ]
                }
              }
            ],
            "vaultUri": "string",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true,
            "enableSoftDelete": true,
            "softDeleteRetentionInDays": 80,
            "enableRbacAuthorization": true
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}

Positive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "keyVaultInstance",
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2019-09-01",
          "location": "location",
          "tags": {},
          "properties": {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "sku": {
              "family": "A",
              "name": "standard"
            },
            "accessPolicies": [
              {
                "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
                "objectId": "99998888-8666-4144-9199-2d7cd0111111",
                "permissions": {
                  "keys": [
                    "encrypt"
                  ]
                }
              }
            ],
            "vaultUri": "string",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true,
            "enableSoftDelete": true,
            "softDeleteRetentionInDays": 80,
            "enableRbacAuthorization": true,
            "enablePurgeProtection": false
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}
Positive test num. 5 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[parameters('vaults_pgs_bot_prod_name')]",
      "location": "westeurope",
      "tags": {
        "ProjectCodeBU": "UKMUMD",
        "ApplicationName": "PGS HR Chatbot",
        "ProjectCodePGDS": "PRJ0024896",
        "CostCentreBU": "UKMUMD",
        "DataClassification": "General",
        "BusinessUnit": "PGS",
        "Owner": "Pru UK Andover Innovation Team",
        "Contact": "andover2@prudential.co.uk",
        "CostCentrePGDS": "ITBUEXP",
        "Criticality": "Low"
      },
      "properties": {
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
        "accessPolicies": [
          {
            "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
            "objectId": "f3e7baf5-8d66-4fb2-b7aa-7b7484309df6",
            "permissions": {
              "keys": [
                "Get",
                "Create",
                "Delete",
                "List",
                "Update",
                "Import",
                "Backup",
                "Restore",
                "Recover"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Backup",
                "Restore",
                "Recover"
              ],
              "certificates": [
                "Get",
                "Delete",
                "List",
                "Create",
                "Import",
                "Update",
                "DeleteIssuers",
                "GetIssuers",
                "ListIssuers",
                "ManageContacts",
                "ManageIssuers",
                "SetIssuers"
              ],
              "storage": [
                "delete",
                "deletesas",
                "get",
                "getsas",
                "list",
                "listsas",
                "regeneratekey",
                "set",
                "setsas",
                "update"
              ]
            }
          },
          {
            "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
            "objectId": "1033a977-ffdc-4359-869a-b673d075f128",
            "permissions": {
              "keys": [],
              "secrets": [
                "Get"
              ],
              "certificates": [],
              "storage": []
            }
          },
          {
            "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
            "objectId": "13be5d2d-6e1f-4667-add4-02d2d1142ac5",
            "permissions": {
              "keys": [],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Backup",
                "Restore",
                "Recover",
                "Purge"
              ],
              "certificates": [],
              "storage": []
            }
          },
          {
            "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
            "objectId": "e56a2de8-a788-415f-b10f-14bfd3000e1d",
            "permissions": {
              "keys": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "Decrypt",
                "Encrypt",
                "UnwrapKey",
                "WrapKey",
                "Verify",
                "Sign",
                "Purge"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "Purge"
              ],
              "certificates": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "ManageContacts",
                "ManageIssuers",
                "GetIssuers",
                "ListIssuers",
                "SetIssuers",
                "DeleteIssuers",
                "Purge"
              ]
            }
          }
        ],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false
      }
    }
  ]
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "keyVaultInstance",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "location": "location",
      "tags": {},
      "properties": {
        "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "objectId": "99998888-8666-4144-9199-2d7cd0111111",
            "permissions": {
              "keys": [
                "encrypt"
              ]
            }
          }
        ],
        "vaultUri": "string",
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 80,
        "enableRbacAuthorization": true,
        "enablePurgeProtection": true
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Negative test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "keyVaultInstance",
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2019-09-01",
          "location": "location",
          "tags": {},
          "properties": {
            "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
            "sku": {
              "family": "A",
              "name": "standard"
            },
            "accessPolicies": [
              {
                "tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
                "objectId": "99998888-8666-4144-9199-2d7cd0111111",
                "permissions": {
                  "keys": [
                    "encrypt"
                  ]
                }
              }
            ],
            "vaultUri": "string",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true,
            "enableSoftDelete": true,
            "softDeleteRetentionInDays": 80,
            "enableRbacAuthorization": true,
            "enablePurgeProtection": true
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}