Cyscale
Back to controls

Ensure Key Vaults are Recoverable

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.

Category

Controls

High

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.

It is recommended that the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This prevents the loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates), etc. This may happen in the case of accidental deletion by a user or disruptive activity by a malicious user.

NOTE: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users can no longer opt out of or turn off soft-delete.

WARNING: A current limitation is that role assignments disappear when the Key Vault is deleted. After recovery, all role assignments will need to be recreated.

Rationale

There could be scenarios where users accidentally run delete/purge commands on Key Vault, or an attacker/malicious user deliberately does so to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible.

There is a Key Vault property that plays a role in permanent unavailability of a Key Vault:

enablePurgeProtection: Setting this parameter to "true" for a Key Vault ensures that even if the Key Vault is deleted, the Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can be recovered or purged (permanently deleted) during those 90 days. If no action is taken, the key vault and its objects will subsequently be purged.

Enabling the enablePurgeProtection parameter on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.

Impact

Once purge protection and soft delete are enabled for a Key Vault, the action is irreversible.

Default Value

When a new Key Vault is created,

  • enableSoftDelete is enabled by default, and
  • enablePurgeProtection is disabled by default.

References

  1. https://learn.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli
  2. https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/
  3. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-8-define-and-implement-backup-and-recovery-strategy
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository

Additional Information

When a key is used for SQL server TDE or Encrypting Storage Account, the features "Do Not Purge" and "Soft Delete" are enabled by default by the Azure Backend for the corresponding Key Vault.

WARNING: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when Key Vault is deleted. After recovery, all role assignments will need to be recreated.

Remediation guidance

From Azure Portal

  1. Open the Key Vault using the Open in Azure button.
  2. Ensure that the status of Soft-delete is Soft delete has been enabled on this key vault
  3. For Purge protection, select Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects)

Using Azure CLI

az resource update --id <resourceID> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

Using Azure PowerShell

Update-AzKeyVault -VaultName <vaultName> -ResourceGroupName <resourceGroupName> -EnablePurgeProtection

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

The key vault is recoverable

Connectors

Microsoft Azure

Covered asset types

KMSVault

Expected check: eq []

{
  kmsVaults(
    where: 
    { 
      OR: [ 
        {enableSoftDelete_NOT: true } 
        {enablePurgeProtection_NOT: true } 
      ]  }
    ) {...AssetFragment}
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon