Forum Discussion

nirmalmcse02's avatar
nirmalmcse02
Copper Contributor
Jan 27, 2021
Solved

Azure Policy for Key Vault Soft Delete Retention

Hi All,   Is there any Custom Azure Policy which we can use to enforce Azure Key vault Soft deletion retention period as per our Requirement.  By default its 90 days but we want to set as 10 for al...
  • ibnmbodji's avatar
    ibnmbodji
    Jan 29, 2021

    nirmalmcse02 

     

    There is no  builtin policy to do that and i would suggest to automate this in a declarative or imperative way ( Powershell or  Arm or another Infra as Code tool) . 

    By doing that  you will have config files with the right values and minimize the remediation tasks ( which are not applicable every time ) and the management overhead . Once you have done that you will simply customize a builtin policy to ensure that every deployment which have a value different from 10 will be denied . 

     

ChrisBradshaw's avatar
ChrisBradshaw
Iron Contributor
Jan 28, 2021

nirmalmcse02 

Based on the portal, I don't think you can change that retention period after Soft-Delete has been turned on, which now happens at creation time. This means a policy wouldn't be able to remediate an existing Vault with Soft Delete already active.

 

However, if you were looking for a policy that enforced this at time of creation that should be possible with a custom policy. Duplicating the policy "Key vaults should have soft delete enabled" would be a good starting point, and then alongside the existing test for "Microsoft.KeyVault/vaults/enableSoftDelete" add an entry to make sure "Microsoft.KeyVault/vaults/softDeleteRetentionInDays" is set to your chosen value of 10.

 

https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults  has some details around the template settings you can check for. https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition  has a guide on creating a custom policy if you haven't jumped into that before.

ChrisBradshaw's avatar
ChrisBradshaw
Iron Contributor
Jan 29, 2021

@nirmalmcse02 I've done a quick test and can confirm this works. The custom policy, when assigned and set to "Deny" will stop Vaults being created without the Soft Delete retention being set to 10 days.

Here's the "policyRule" section of my test custom policy- based on the "Key vaults should have soft delete enabled" policy.

 

 

 

"policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
                "notEquals": 10
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }