Key Vault Not Recoverable
- Query id: 7c25f361-7c66-44bf-9b69-022acd5eb4bd
- Query name: Key Vault Not Recoverable
- Platform: AzureResourceManager
- Severity: High
- Category: Backup
- URL: Github
Description¶
Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - bicep file
resource keyVaultInstance 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'keyVaultInstance'
location: 'location'
tags: {}
properties: {
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
objectId: '99998888-8666-4144-9199-2d7cd0111111'
permissions: {
keys: ['encrypt']
}
}
]
vaultUri: 'string'
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
enableSoftDelete: true
softDeleteRetentionInDays: 80
enableRbacAuthorization: true
}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
resource keyVaultInstance 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'keyVaultInstance'
location: 'location'
tags: {}
properties: {
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
objectId: '99998888-8666-4144-9199-2d7cd0111111'
permissions: {
keys: ['encrypt']
}
}
]
vaultUri: 'string'
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
enableSoftDelete: true
softDeleteRetentionInDays: 80
enableRbacAuthorization: true
enablePurgeProtection: false
}
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": false
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 5 - bicep file
resource keyVaultInstance 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'keyVaultInstance'
location: 'location'
tags: {}
properties: {
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
objectId: '99998888-8666-4144-9199-2d7cd0111111'
permissions: {
keys: ['encrypt']
}
}
]
vaultUri: 'string'
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
enableSoftDelete: true
softDeleteRetentionInDays: 80
enableRbacAuthorization: true
}
}
Positive test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 7 - bicep file
resource keyVaultInstance 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'keyVaultInstance'
location: 'location'
tags: {}
properties: {
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
objectId: '99998888-8666-4144-9199-2d7cd0111111'
permissions: {
keys: ['encrypt']
}
}
]
vaultUri: 'string'
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
enableSoftDelete: true
softDeleteRetentionInDays: 80
enableRbacAuthorization: true
enablePurgeProtection: false
}
}
Positive test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": false
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 9 - bicep file
param vaults_pgs_bot_prod_name int = 5
resource vaults_pgs_bot_prod_name_resource 'Microsoft.KeyVault/vaults@2016-10-01' = {
name: vaults_pgs_bot_prod_name
location: 'westeurope'
tags: {
ProjectCodeBU: 'UKMUMD'
ApplicationName: 'PGS HR Chatbot'
ProjectCodePGDS: 'PRJ0024896'
CostCentreBU: 'UKMUMD'
DataClassification: 'General'
BusinessUnit: 'PGS'
Owner: 'Pru UK Andover Innovation Team'
Contact: 'andover2@prudential.co.uk'
CostCentrePGDS: 'ITBUEXP'
Criticality: 'Low'
}
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: 'aa42167d-6f8d-45ce-b655-d245ef97da66'
accessPolicies: [
{
tenantId: 'aa42167d-6f8d-45ce-b655-d245ef97da66'
objectId: 'f3e7baf5-8d66-4fb2-b7aa-7b7484309df6'
permissions: {
keys: [
'Get'
'Create'
'Delete'
'List'
'Update'
'Import'
'Backup'
'Restore'
'Recover'
]
secrets: [
'Get'
'List'
'Set'
'Delete'
'Backup'
'Restore'
'Recover'
]
certificates: [
'Get'
'Delete'
'List'
'Create'
'Import'
'Update'
'DeleteIssuers'
'GetIssuers'
'ListIssuers'
'ManageContacts'
'ManageIssuers'
'SetIssuers'
]
storage: [
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'regeneratekey'
'set'
'setsas'
'update'
]
}
}
{
tenantId: 'aa42167d-6f8d-45ce-b655-d245ef97da66'
objectId: '1033a977-ffdc-4359-869a-b673d075f128'
permissions: {
keys: []
secrets: [
'Get'
]
certificates: []
storage: []
}
}
{
tenantId: 'aa42167d-6f8d-45ce-b655-d245ef97da66'
objectId: '13be5d2d-6e1f-4667-add4-02d2d1142ac5'
permissions: {
keys: []
secrets: [
'Get'
'List'
'Set'
'Delete'
'Backup'
'Restore'
'Recover'
'Purge'
]
certificates: []
storage: []
}
}
{
tenantId: 'aa42167d-6f8d-45ce-b655-d245ef97da66'
objectId: 'e56a2de8-a788-415f-b10f-14bfd3000e1d'
permissions: {
keys: [
'Get'
'List'
'Update'
'Create'
'Import'
'Delete'
'Recover'
'Backup'
'Restore'
'Decrypt'
'Encrypt'
'UnwrapKey'
'WrapKey'
'Verify'
'Sign'
'Purge'
]
secrets: [
'Get'
'List'
'Set'
'Delete'
'Recover'
'Backup'
'Restore'
'Purge'
]
certificates: [
'Get'
'List'
'Update'
'Create'
'Import'
'Delete'
'Recover'
'Backup'
'Restore'
'ManageContacts'
'ManageIssuers'
'GetIssuers'
'ListIssuers'
'SetIssuers'
'DeleteIssuers'
'Purge'
]
}
}
]
enabledForDeployment: false
enabledForDiskEncryption: false
enabledForTemplateDeployment: false
}
}
Positive test num. 10 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaults_pgs_bot_prod_name')]",
"location": "westeurope",
"tags": {
"ProjectCodeBU": "UKMUMD",
"ApplicationName": "PGS HR Chatbot",
"ProjectCodePGDS": "PRJ0024896",
"CostCentreBU": "UKMUMD",
"DataClassification": "General",
"BusinessUnit": "PGS",
"Owner": "Pru UK Andover Innovation Team",
"Contact": "andover2@prudential.co.uk",
"CostCentrePGDS": "ITBUEXP",
"Criticality": "Low"
},
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"accessPolicies": [
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "f3e7baf5-8d66-4fb2-b7aa-7b7484309df6",
"permissions": {
"keys": [
"Get",
"Create",
"Delete",
"List",
"Update",
"Import",
"Backup",
"Restore",
"Recover"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Backup",
"Restore",
"Recover"
],
"certificates": [
"Get",
"Delete",
"List",
"Create",
"Import",
"Update",
"DeleteIssuers",
"GetIssuers",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"SetIssuers"
],
"storage": [
"delete",
"deletesas",
"get",
"getsas",
"list",
"listsas",
"regeneratekey",
"set",
"setsas",
"update"
]
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "1033a977-ffdc-4359-869a-b673d075f128",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": [],
"storage": []
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "13be5d2d-6e1f-4667-add4-02d2d1142ac5",
"permissions": {
"keys": [],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Backup",
"Restore",
"Recover",
"Purge"
],
"certificates": [],
"storage": []
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "e56a2de8-a788-415f-b10f-14bfd3000e1d",
"permissions": {
"keys": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"Decrypt",
"Encrypt",
"UnwrapKey",
"WrapKey",
"Verify",
"Sign",
"Purge"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Recover",
"Backup",
"Restore",
"Purge"
],
"certificates": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"ManageContacts",
"ManageIssuers",
"GetIssuers",
"ListIssuers",
"SetIssuers",
"DeleteIssuers",
"Purge"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false
}
}
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - bicep file
resource keyVaultInstance 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'keyVaultInstance'
location: 'location'
tags: {}
properties: {
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
objectId: '99998888-8666-4144-9199-2d7cd0111111'
permissions: {
keys: ['encrypt']
}
}
]
vaultUri: 'string'
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
enableSoftDelete: true
softDeleteRetentionInDays: 80
enableRbacAuthorization: true
enablePurgeProtection: true
}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": true
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
resource keyVaultInstance 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'keyVaultInstance'
location: 'location'
tags: {}
properties: {
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: '72f98888-8666-4144-9199-2d7cd0111111'
objectId: '99998888-8666-4144-9199-2d7cd0111111'
permissions: {
keys: ['encrypt']
}
}
]
vaultUri: 'string'
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
enableSoftDelete: true
softDeleteRetentionInDays: 80
enableRbacAuthorization: true
enablePurgeProtection: true
}
}
Negative test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVaultInstance",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "location",
"tags": {},
"properties": {
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "72f98888-8666-4144-9199-2d7cd0111111",
"objectId": "99998888-8666-4144-9199-2d7cd0111111",
"permissions": {
"keys": [
"encrypt"
]
}
}
],
"vaultUri": "string",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 80,
"enableRbacAuthorization": true,
"enablePurgeProtection": true
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}