SOLVED

Azure Policy for Key Vault Soft Delete Retention


Hi All,

Is there any custom Azure Policy which we can use to enforce the Azure Key Vault soft delete retention period as per our requirement? By default it's 90 days, but we want to set it to 10 for all of our key vaults.
3 Replies

@nirmalmcse02 

Based on the portal, I don't think you can change that retention period after Soft-Delete has been turned on, which now happens at creation time. This means a policy wouldn't be able to remediate an existing Vault with Soft Delete already active.

However, if you were looking for a policy that enforced this at time of creation, that should be possible with a custom policy. Duplicating the policy "Key vaults should have soft delete enabled" would be a good starting point, and then alongside the existing test for "Microsoft.KeyVault/vaults/enableSoftDelete" add an entry to make sure "Microsoft.KeyVault/vaults/softDeleteRetentionInDays" is set to your chosen value of 10.

https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults has some details around the template settings you can check for. https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition has a guide on creating a custom policy if you haven't jumped into that before.

@nirmalmcse02 I've done a quick test and can confirm this works. The custom policy, when assigned and set to "Deny", will stop Vaults being created without the Soft Delete retention being set to 10 days.

Here's the "policyRule" section of my test custom policy, based on the "Key vaults should have soft delete enabled" policy.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
            "exists": "false"
          },
          {
            "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
            "equals": "false"
          },
          {
            "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
            "notEquals": 10
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}

best response confirmed by nirmalmcse02 (Occasional Contributor)
Solution

@nirmalmcse02

There is no built-in policy to do that, and I would suggest automating this in a declarative or imperative way (PowerShell, ARM, or another Infra as Code tool).

By doing that you will have config files with the right values and minimize the remediation tasks (which are not applicable every time) and the management overhead. Once you have done that, you will simply customize a built-in policy to ensure that every deployment which has a value different from 10 will be denied.
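To check how the "policyRule" posted above behaves before assigning it (and how the "deny anything other than 10" customization the solution describes plays out), here is an added example, not code from this thread or from Azure Policy itself: a minimal Python evaluator for the allOf/anyOf/field subset the rule uses, run against constructed vault request bodies. Its alias resolution and case-insensitive string comparison are simplifying assumptions, so treat it as a sanity check of the rule's logic, not a substitute for testing a real "Deny" assignment.

```python
import json
# The "policyRule" from the reply above, copied verbatim into a string.
POLICY_RULE = json.loads("""{
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    {"anyOf": [
      {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
      {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false"},
      {"field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays", "notEquals": 10}
    ]}
  ]},
  "then": {"effect": "[parameters('effect')]"}
}""")

def resolve_field(resource, field):
    # Assumption: "type" is top-level and a "<type>/<prop>" alias maps to
    # resource["properties"][prop]; real Azure alias resolution is richer.
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[1])

def norm(value):
    # Assumption: equals/notEquals compare as case-insensitive strings, so
    # "exists": "false" and "notEquals": 10 both behave as the author observed.
    return str(value).lower()

def evaluate(cond, resource):
    """Recursively evaluate an allOf/anyOf/field condition; True = matched."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value is not None and norm(value) == norm(cond["equals"])
    if "notEquals" in cond:
        return value is None or norm(value) != norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource, effect="Deny"):
    """Effect the assignment would apply to this request, or None if it passes."""
    return effect if evaluate(POLICY_RULE["if"], resource) else None

# Constructed sample request bodies (not real vaults).
KV = "Microsoft.KeyVault/vaults"
VAULT_90_DAYS = {"type": KV, "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90}}
VAULT_10_DAYS = {"type": KV, "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 10}}
VAULT_NO_FLAG = {"type": KV, "properties": {}}
```

A vault requested with the default 90-day retention, or without enableSoftDelete at all, is matched and therefore denied; only a request with softDeleteRetentionInDays set to 10 passes, which is the creation-time enforcement both replies describe.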