AZ-016 Microsoft Azure

Key Vaults have soft-delete and purge protection enabled.


Domain: Microsoft Azure
Area: Key Vault
Automated / manual: Automated

Risk if it fails

Keys/secrets can be permanently destroyed.

Without purge protection, an attacker can permanently delete the keys that decrypt your data, making both the data and your backups unusable at once.

How Tess tests it

1 test — each concludes only on cited evidence.

Key Vaults have soft-delete and purge protection enabled.

Automated
Procedure
Confirm enableSoftDelete and enablePurgeProtection are true.

Read-only command

az keyvault list --query '[].{Name:name,Soft:properties.enableSoftDelete,Purge:properties.enablePurgeProtection}' -o table
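
One way to turn that output into a pass/fail result, as an added example that is not Tess's own code: it assumes the command above was run with -o json instead of -o table, so each vault is an object with the Name, Soft and Purge keys from the query. The vault names are constructed, and the point it shows is that a property that was never enabled comes back as null rather than false, so only a literal true may pass.

```python
import json

# Constructed sample in the shape of the page's --query projection (-o json).
# Vault names are made up for illustration.
SAMPLE = """
[
  {"Name": "kv-prod-example",   "Soft": true, "Purge": true},
  {"Name": "kv-dev-example",    "Soft": true, "Purge": null},
  {"Name": "kv-legacy-example", "Soft": null, "Purge": null}
]
"""

# Projection key -> the Key Vault property it was read from.
CHECKS = (("Soft", "enableSoftDelete"), ("Purge", "enablePurgeProtection"))


def evaluate(raw_json):
    """Return {vault name: [properties that are not literally true]}."""
    failures = {}
    for vault in json.loads(raw_json):
        # Only JSON true passes; null, false and a missing key all fail.
        not_true = [prop for key, prop in CHECKS if vault.get(key) is not True]
        if not_true:
            failures[vault.get("Name", "<unnamed>")] = not_true
    return failures


def report(raw_json):
    """Return one evidence line per failing vault, or a single PASS line."""
    failures = evaluate(raw_json)
    lines = [
        f"FAIL {name}: {', '.join(props)} not true"
        for name, props in sorted(failures.items())
    ]
    return lines or ["PASS: every vault has both properties set to true"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```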
