Implementation of safeguards for accidental or malicious deletion of secrets in Azure Key Vault
resource "azurerm_key_vault" "example" {
  name                       = "examplekeyvault"
  location                   = "westus"
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = var.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 0
  purge_protection_enabled   = false
}
This Terraform code creates an Azure Key Vault instance named 'examplekeyvault' in the 'westus' location, within the specified resource group.
However, the configuration is vulnerable because it provides no protection against deletion of the vault or its contents. This is indicated by the following two properties:
1. soft_delete_retention_days = 0: This property controls how many days deleted vaults and vault objects are kept. Setting this value to 0 means that the vaults will not be retained after deletion.
2. purge_protection_enabled = false: This property prevents vaults from being permanently deleted (purged). When it is set to false, the vaults can be permanently deleted.
The lack of these protections means that in the event of accidental deletion or malicious actions, the secrets stored in the vault cannot be recovered, leading to potential data loss and security risks.
resource "azurerm_key_vault" "example" {
  name                       = "examplekeyvault"
  location                   = "westus"
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = var.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}
The updated code now sets two important properties, soft_delete_retention_days and purge_protection_enabled, to protective values.
The soft_delete_retention_days property is set to 7. This means that when a key vault or any of its contents are deleted, they are retained for 7 days. During this period, the deleted object can be recovered. This is a crucial feature to prevent accidental deletion of secrets, keys, or certificates.
The purge_protection_enabled property is set to true. This means that once an object is deleted, it cannot be permanently purged until the retention period has passed. Even if an attacker gains access to the key vault, they cannot permanently delete its contents. This provides an additional layer of protection against malicious actions.
By enabling these properties, we can ensure that the Azure Key Vault instance is protected against accidental deletion and malicious actions.
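As an added example (not part of the original page), the following Python script performs the static check a reviewer or CI pipeline would run over Terraform source to catch the weak configuration shown above before it is applied. It parses flat azurerm_key_vault resource blocks with a small regular-expression parser (an assumption: each block closes with a brace in column 0 and has no nested sub-blocks), then evaluates the two properties discussed on this page. The retention bounds of 7 to 90 days are the range the azurerm provider accepts; the sample Terraform text embedded in the script is constructed for the demonstration and extends the page's two vaults with one that leaves both properties unset.

```python
import re

# Lowest and highest soft_delete_retention_days values the azurerm provider accepts.
MIN_RETENTION_DAYS = 7
MAX_RETENTION_DAYS = 90

# Constructed sample input: the weak and hardened vaults from the page, a vault
# that omits both properties, and an unrelated resource the audit must ignore.
SAMPLE_TF = '''
resource "azurerm_key_vault" "weak" {
  name                       = "examplekeyvault"
  location                   = "westus"
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = var.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 0
  purge_protection_enabled   = false
}

resource "azurerm_key_vault" "hardened" {
  name                       = "examplekeyvault"
  location                   = "westus"
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = var.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

resource "azurerm_key_vault" "unset" {
  name                = "examplekeyvault"
  location            = "westus"
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

resource "azurerm_storage_account" "other" {
  name = "examplestorage"
}
'''

# A top-level resource block: type, name, and everything up to a closing brace in column 0.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# One "key = value" attribute line inside a block body (comments after '#' dropped).
ATTR_RE = re.compile(r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^\n#]+)', re.MULTILINE)


def parse_resources(hcl):
    """Return a list of (type, name, {attribute: raw value}) for each top-level resource."""
    resources = []
    for block in RESOURCE_RE.finditer(hcl):
        attrs = {m.group("key"): m.group("value").strip() for m in ATTR_RE.finditer(block.group("body"))}
        resources.append((block.group("type"), block.group("name"), attrs))
    return resources


def check_key_vault(name, attrs):
    """Return a list of findings for one azurerm_key_vault; an empty list means it passes."""
    findings = []

    raw_days = attrs.get("soft_delete_retention_days")
    if raw_days is None:
        findings.append(f"{name}: soft_delete_retention_days is not set explicitly; pin it to a reviewed value")
    else:
        try:
            days = int(raw_days)
        except ValueError:
            # A variable or expression cannot be evaluated statically; flag it for plan-time review.
            findings.append(f"{name}: soft_delete_retention_days = {raw_days} is not a literal; verify in the plan output")
        else:
            if not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
                findings.append(
                    f"{name}: soft_delete_retention_days = {days} is outside the allowed range "
                    f"{MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS}; deleted objects would not be recoverable"
                )

    purge = attrs.get("purge_protection_enabled")
    if purge != "true":
        shown = purge if purge is not None else "not set (defaults to disabled)"
        findings.append(f"{name}: purge_protection_enabled is {shown}; must be true so deleted objects cannot be purged early")

    return findings


def audit(hcl):
    """Map each azurerm_key_vault resource name to its findings; other resource types are ignored."""
    return {name: check_key_vault(name, attrs)
            for rtype, name, attrs in parse_resources(hcl)
            if rtype == "azurerm_key_vault"}


if __name__ == "__main__":
    for vault, findings in audit(SAMPLE_TF).items():
        status = "PASS" if not findings else "FAIL"
        print(f"[{status}] azurerm_key_vault.{vault}")
        for finding in findings:
            print(f"    - {finding}")
```

Running the script prints a PASS for the hardened vault and FAIL lines for the other two. Note that purge protection is a one-way setting on the live service: once it has been enabled on a vault it cannot be disabled again, so a check like this should be paired with a review of the chosen retention period before the change is applied.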