Azure Key Vault recoverability requires both enable_soft_delete and enable_purge_protection. Soft delete keeps a deleted vault, and the keys, secrets and certificates inside it, in a recoverable state for the configured retention period (7 to 90 days). Purge protection prevents anyone, including Owners and Key Vault administrators, from permanently purging those soft-deleted items before the retention period elapses. Soft delete alone is not enough: without purge protection, a principal with purge rights can delete an object and purge it in the same session.
Risk
Absent these protections, deleted vaults or objects can be permanently removed, cutting off access to keys, secrets, and certificates. Data encrypted with a purged key becomes unreadable, applications that authenticate with stored secrets fail, and signing and verification stop, degrading availability and integrity. An attacker or malicious insider who holds purge permission can delete and immediately purge, eliminating the recovery window entirely; this is a common pattern in destructive and ransomware attacks against cloud key material.
prowler azure --checks keyvault_recoverable
Recommendation
Enable both enable_soft_delete and enable_purge_protection on all vaults. Enforce this with Azure Policy so that new vaults cannot be created without them. Grant purge and recover permissions only to the few principals that need them, and separate the role that can delete from the role that can purge. Keep out-of-band backups of critical keys and certificates and test the recovery procedure periodically. Alert on delete and purge operations in the vault audit logs. Choose the soft-delete retention period deliberately: it is set once per vault and cannot be changed afterwards, and purge protection, once enabled, cannot be turned off. Together these controls give defense in depth against both accidental and malicious destruction of key material.
Remediation
az keyvault update -g <resourceGroupName> -n <keyVaultName> --enable-soft-delete true --enable-purge-protection true
Enabling purge protection is irreversible; confirm the vault is the intended one before running the command.
- In Azure Portal, go to Key vaults and open <keyVaultName>
- Select Properties > Recovery
- Turn on Soft delete and Purge protection
- Click Save
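The following is an added example, not Prowler's own check code, showing the decision logic a recoverability check applies to vault resources in the shape returned by az keyvault list -o json (the properties.enableSoftDelete, properties.enablePurgeProtection and properties.softDeleteRetentionInDays fields are the real ARM property names). The three vault documents are constructed for illustration. Note the caveat it encodes: Azure omits enablePurgeProtection from the resource when it was never turned on, so a missing key must be read as disabled, not as unknown.

```python
"""Evaluate Azure Key Vault recoverability from ARM/az CLI JSON.

Added example for this page (not Prowler's source). Input shape follows
`az keyvault list -o json`; the sample vaults below are constructed.
"""
import json
from typing import Any

# Azure's permitted soft-delete retention window, in days.
MIN_RETENTION_DAYS = 7
MAX_RETENTION_DAYS = 90

# Constructed sample: one compliant vault, one with soft delete but no purge
# protection (the key is absent, as Azure returns it), one legacy vault.
SAMPLE_VAULTS_JSON = r'''
[
  {"name": "kv-prod-payments", "resourceGroup": "rg-prod",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": true,
                  "softDeleteRetentionInDays": 90}},
  {"name": "kv-dev-scratch", "resourceGroup": "rg-dev",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 7}},
  {"name": "kv-legacy", "resourceGroup": "rg-legacy",
   "properties": {"enableSoftDelete": false}}
]
'''


def evaluate_vault(vault: dict[str, Any]) -> dict[str, Any]:
    """Return PASS/FAIL for one vault plus the reasons and a remediation command."""
    props = vault.get("properties") or {}
    # Missing keys mean the feature was never enabled on this vault.
    soft_delete = bool(props.get("enableSoftDelete", False))
    purge_protection = bool(props.get("enablePurgeProtection", False))
    retention = props.get("softDeleteRetentionInDays")

    reasons: list[str] = []
    if not soft_delete:
        reasons.append("soft delete is disabled")
    if not purge_protection:
        reasons.append("purge protection is disabled")
    if soft_delete and retention is not None and not (
        MIN_RETENTION_DAYS <= retention <= MAX_RETENTION_DAYS
    ):
        # Should not happen with a real vault; flag it rather than trust it.
        reasons.append(f"unexpected retention period {retention} days")

    result = {
        "name": vault.get("name"),
        "resourceGroup": vault.get("resourceGroup"),
        "status": "PASS" if not reasons else "FAIL",
        "reasons": reasons,
        "retentionDays": retention,
        "remediation": None,
    }
    if reasons:
        # Both flags are safe to pass even if one is already on; purge
        # protection cannot be disabled again once this command succeeds.
        result["remediation"] = (
            f"az keyvault update -g {vault.get('resourceGroup')} "
            f"-n {vault.get('name')} --enable-soft-delete true "
            f"--enable-purge-protection true"
        )
    return result


def evaluate_vaults(vaults_json: str) -> list[dict[str, Any]]:
    """Evaluate every vault in an `az keyvault list -o json` document."""
    return [evaluate_vault(v) for v in json.loads(vaults_json)]


def failing_vault_names(vaults_json: str) -> list[str]:
    """Names of vaults that are not fully recoverable."""
    return [r["name"] for r in evaluate_vaults(vaults_json) if r["status"] == "FAIL"]


if __name__ == "__main__":
    for r in evaluate_vaults(SAMPLE_VAULTS_JSON):
        line = f"{r['status']:4} {r['name']}"
        if r["reasons"]:
            line += "  (" + "; ".join(r["reasons"]) + ")"
        print(line)
        if r["remediation"]:
            print("     ", r["remediation"])
```

To run the same logic against a real subscription, feed the output of az keyvault list -o json to evaluate_vaults, and verify a single vault after remediation with az keyvault show -n <keyVaultName> --query "properties.{softDelete:enableSoftDelete, purgeProtection:enablePurgeProtection, retentionDays:softDeleteRetentionInDays}" -o table. A vault reporting soft delete on but purge protection off is still a FAIL, since that is exactly the delete-then-purge case the Risk section describes.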
Resource Type
microsoft.keyvault/vaults