Key vaults should have purge protection enabled #327
Labels
draft
Issues that are being authored, not ready for adding to a release.
NIST Policy
Issues related to NIST 800-53 compliance
Benefit/Result/Outcome
Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.
Description
The Terraform azurerm provider allows purge protection to be set on a key vault:
```hcl
resource "azurerm_key_vault" "jumpbox-keyvault" {
  # Key vault names are limited to 24 alphanumeric characters
  name                       = format("%.24s", lower(replace("${var.keyvault_name}${random_id.jumpbox-keyvault.id}", "/[[:^alnum:]]/", "")))
  location                   = var.location
  resource_group_name        = var.resource_group_name
  tenant_id                  = var.tenant_id
  soft_delete_retention_days = 90
  sku_name                   = "standard" # 'standard' or 'premium' case sensitive
  purge_protection_enabled   = true
}
```
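To catch vaults that miss this setting before they are applied, the following added example (not part of the original issue) checks the JSON that `terraform show -json tfplan` produces and reports every `azurerm_key_vault` whose `purge_protection_enabled` is not `true`; the embedded plan is constructed for illustration.

```python
# Added example (not from the original issue): a policy check over the JSON that
# `terraform show -json tfplan` produces. Every azurerm_key_vault in planned_values
# must carry purge_protection_enabled = true; the embedded plan is constructed.
import json

# Constructed plan: a compliant vault at the root and a non-compliant one in a
# child module where purge_protection_enabled is omitted (provider default: false).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "azurerm_key_vault.jumpbox-keyvault",
             "type": "azurerm_key_vault",
             "values": {"purge_protection_enabled": True,
                        "soft_delete_retention_days": 90}},
        ],
        "child_modules": [
            {"address": "module.app",
             "resources": [
                 {"address": "module.app.azurerm_key_vault.app",
                  "type": "azurerm_key_vault",
                  "values": {"soft_delete_retention_days": 7}},
             ]},
        ],
    }},
})


def iter_resources(module):
    """Yield each resource in a planned_values module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_unprotected_key_vaults(plan_json):
    """Return addresses of azurerm_key_vault resources without purge protection."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in iter_resources(root)
        if res.get("type") == "azurerm_key_vault"
        # a missing attribute counts: the provider defaults it to false
        and res.get("values", {}).get("purge_protection_enabled") is not True
    ]


if __name__ == "__main__":
    for address in find_unprotected_key_vaults(SAMPLE_PLAN_JSON):
        print(f"FAIL {address}: purge_protection_enabled must be true")
```

Running it against a real plan (`python check.py < plan.json` after adapting the input) makes a CI step fail on any vault that could still be purged during its soft-delete retention period.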
Acceptance Criteria