
azure-vault-purge-protection

Ensure that key vault enables purge protection

Enabling purge protection prevents any accidental or malicious permanent deletion (purge) of an Azure Key Vault, or of the keys, secrets and certificates inside it, until the soft-delete retention period has passed, so a deleted vault or object can still be recovered. Purge protection works in conjunction with soft delete: soft delete alone keeps deleted items recoverable for `soft_delete_retention_days` (7 to 90 days), but a principal holding the purge permission can still permanently delete them at any time during that window. With purge protection enabled, nobody can purge the vault or its objects, regardless of permissions, until the retention period expires. Note that purge protection cannot be disabled once it has been enabled, and the retention period can only be set when the vault is created.

Examples

Insecure Example

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90     # deleted items stay recoverable for 90 days ...
  purge_protection_enabled    = false  # ... but can still be purged early (default value is false)

  sku_name = "standard"

  network_acls {
    bypass         = "None"   # string values: "None" or "AzureServices"
    default_action = "Allow"  # string values: "Allow" or "Deny"
  }
}

Secure Example

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90    # deleted items stay recoverable for 90 days ...
  purge_protection_enabled    = true  # ... and cannot be purged before that; irreversible once set

  sku_name = "standard"

  network_acls {
    bypass         = "None"   # string values: "None" or "AzureServices"
    default_action = "Allow"  # string values: "Allow" or "Deny"
  }
}
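As an added example (not part of this policy page and not Checkov's own implementation of the check), the following Python script applies the same rule to the JSON form of a Terraform plan, as produced by `terraform show -json plan.tfplan`, so that a CI job can fail before `terraform apply` creates a vault without purge protection. The plan layout it walks (`planned_values.root_module.resources`, with nested `child_modules`) is Terraform's documented JSON output format; the sample plan embedded in the script is constructed for this example, and the `check_key_vault` / `audit_plan` names are the example's own.

```python
"""Audit a Terraform plan (JSON) for azurerm_key_vault resources that do not
enable purge protection. Added example, not project code."""
import json
import sys

# Constructed sample plan: one insecure vault, one secure vault, an unrelated
# resource, and a vault inside a child module whose purge_protection_enabled
# value is absent (not known at plan time).
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "azurerm_key_vault.insecure", "type": "azurerm_key_vault",
         "name": "insecure",
         "values": {"name": "kv-insecure", "purge_protection_enabled": false,
                    "soft_delete_retention_days": 90}},
        {"address": "azurerm_key_vault.secure", "type": "azurerm_key_vault",
         "name": "secure",
         "values": {"name": "kv-secure", "purge_protection_enabled": true,
                    "soft_delete_retention_days": 90}},
        {"address": "azurerm_storage_account.sa", "type": "azurerm_storage_account",
         "name": "sa", "values": {"name": "sa"}}
      ],
      "child_modules": [
        {"address": "module.shared",
         "resources": [
           {"address": "module.shared.azurerm_key_vault.kv",
            "type": "azurerm_key_vault", "name": "kv",
            "values": {"name": "kv-shared", "soft_delete_retention_days": 7}}
         ]}
      ]
    }
  }
}
"""


def iter_resources(module):
    """Yield every resource in a plan module, recursing into child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_key_vault(resource):
    """Return (address, status, reason) for one azurerm_key_vault resource."""
    address = resource["address"]
    values = resource.get("values") or {}
    purge = values.get("purge_protection_enabled")
    retention = values.get("soft_delete_retention_days")

    # A missing key means the value is not known at plan time (for example a
    # computed variable); fail closed instead of assuming it will be true.
    if purge is None:
        return (address, "FAILED", "purge_protection_enabled is not set or unknown at plan time")
    if purge is not True:
        return (address, "FAILED", "purge_protection_enabled is false; vault can be purged early")
    # Azure only accepts a retention window of 7 to 90 days.
    if retention is not None and not 7 <= retention <= 90:
        return (address, "FAILED", "soft_delete_retention_days must be between 7 and 90")
    return (address, "PASSED", "purge protection enabled")


def audit_plan(plan_json):
    """Run the check over every azurerm_key_vault in a plan JSON string."""
    plan = json.loads(plan_json)
    root = plan["planned_values"]["root_module"]
    return [check_key_vault(r) for r in iter_resources(root)
            if r.get("type") == "azurerm_key_vault"]


if __name__ == "__main__":
    # Usage: python audit.py plan.json   (falls back to the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    results = audit_plan(source)
    for address, status, reason in results:
        print(f"{status:6} {address}: {reason}")
    sys.exit(1 if any(status == "FAILED" for _, status, _ in results) else 0)
```

Run it against `terraform show -json plan.tfplan > plan.json` and gate the pipeline on the exit code; a vault whose `purge_protection_enabled` value is absent from the plan is reported as a failure rather than passed, because the value will not be known until apply.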

More information