Beta - Key Vault Purge Protection Is Enabled

  • Query id: cec6e005-9309-46eb-b34b-456f6eae818b
  • Query name: Beta - Key Vault Purge Protection Is Enabled
  • Platform: Terraform
  • Severity: High
  • Category: Backup
  • CWE: 530
  • Risk score: 8.5
  • URL: Github

Description

Deleting an Azure Key Vault without purge protection enabled can cause permanent loss of keys, secrets, and certificates, leading to unrecoverable data loss and disruption of dependent services. Purge protection prevents a soft-deleted vault (and the keys, secrets, and certificates in it) from being purged before the soft-delete retention period expires, so an accidental or malicious deletion stays recoverable. In the azurerm provider the `purge_protection_enabled` attribute defaults to `false`, so a resource that omits it is reported just like one that sets it to `false` explicitly.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_key_vault" "positive1" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
}
Positive test num. 2 - tf file
resource "azurerm_key_vault" "positive2" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_key_vault" "negative1" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
}
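The following is an added example, not part of this page and not the KICS query itself (which is written in Rego): a small stand-alone Python scanner that applies the same rule to a Terraform file. It locates every `resource "azurerm_key_vault"` block, matches braces so nested blocks such as `network_acls` do not confuse it, and reports a finding when `purge_protection_enabled` is missing or not `true`. The embedded input reuses the three samples above plus one constructed vault with a nested block; the resource labels and the `negative2` vault are assumptions made for the example.

```python
"""Added example: flag azurerm_key_vault resources that lack purge protection.

Stand-alone scanner written for this page; it is not the KICS Rego query.
A vault is reported when `purge_protection_enabled` is absent (the azurerm
provider defaults it to false) or set to anything other than `true`.
"""
import re
from typing import Dict, List

# Header of a Key Vault resource block; the match ends on its opening brace.
RESOURCE_HEADER = re.compile(
    r'resource\s+"azurerm_key_vault"\s+"(?P<label>[^"]+)"\s*\{'
)
# The attribute we care about, one per line, value up to the first whitespace.
ATTR = re.compile(r'^\s*purge_protection_enabled\s*=\s*(?P<value>\S+)', re.M)


def _block_body(text: str, start: int) -> str:
    """Return the text between the brace at `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def key_vault_blocks(text: str) -> Dict[str, str]:
    """Map each azurerm_key_vault resource label to the body of its block."""
    blocks: Dict[str, str] = {}
    for m in RESOURCE_HEADER.finditer(text):
        blocks[m.group("label")] = _block_body(text, m.end() - 1)
    return blocks


def find_unprotected_key_vaults(text: str) -> List[Dict[str, str]]:
    """One finding per vault whose purge protection is not enabled."""
    findings: List[Dict[str, str]] = []
    for label, body in key_vault_blocks(text).items():
        m = ATTR.search(body)
        if m is None:
            reason = "purge_protection_enabled not set (provider default is false)"
        elif m.group("value").lower() != "true":
            reason = f"purge_protection_enabled = {m.group('value')}"
        else:
            continue
        findings.append({"resource": label, "reason": reason})
    return findings


# Constructed input: the page's three samples plus a vault with a nested block.
SAMPLE_TF = '''
resource "azurerm_key_vault" "positive1" {
  name                        = "examplekeyvault"
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
}

resource "azurerm_key_vault" "positive2" {
  name                        = "examplekeyvault"
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
}

resource "azurerm_key_vault" "negative1" {
  name                        = "examplekeyvault"
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
}

# Assumed extra vault: nested block must not break the brace matching.
resource "azurerm_key_vault" "negative2" {
  name                        = "examplekeyvault2"
  sku_name                    = "standard"
  purge_protection_enabled    = true
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
'''

if __name__ == "__main__":
    for f in find_unprotected_key_vaults(SAMPLE_TF):
        print(f"[High] azurerm_key_vault.{f['resource']}: {f['reason']}")
```

Run as a script it prints one line for `positive1` and one for `positive2`; `negative1` and `negative2` produce nothing. A real scanner should parse HCL rather than use regular expressions, but the rule itself is exactly what the query checks: the attribute must be present and `true`.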