cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure Policy for Key Vault Soft Delete Retention

nirmalmcse02
Copper Contributor

‎Jan 27 2021 01:31 AM

‎Jan 27 2021 01:31 AM

Azure Policy for Key Vault Soft Delete Retention

Hi All,

 

Is there any Custom Azure Policy which we can use to enforce Azure Key vault Soft deletion retention period as per our Requirement.  By default its 90 days but we want to set as 10 for all of key vault. 

 

 

3,966 Views
0 Likes
3 Replies
Reply
3 Replies
Chris Bradshaw

‎Jan 28 2021 06:52 AM

‎Jan 28 2021 06:52 AM

Re: Azure Policy for Key Vault Soft Delete Retention

@nirmalmcse02 

Based on the portal, I don't think you can change that retention period after Soft-Delete has been turned on, which now happens at creation time. This means a policy wouldn't be able to remediate an existing Vault with Soft Delete already active.

 

However, if you were looking for a policy that enforced this at time of creation that should be possible with a custom policy. Duplicating the policy "Key vaults should have soft delete enabled" would be a good starting point, and then alongside the existing test for "Microsoft.KeyVault/vaults/enableSoftDelete" add an entry to make sure "Microsoft.KeyVault/vaults/softDeleteRetentionInDays" is set to your chosen value of 10.

 

https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults  has some details around the template settings you can check for. https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition  has a guide on creating a custom policy if you haven't jumped into that before.

0 Likes
Reply
Chris Bradshaw

‎Jan 29 2021 12:51 AM

‎Jan 29 2021 12:51 AM

Re: Azure Policy for Key Vault Soft Delete Retention

@nirmalmcse02 I've done a quick test and can confirm this works. The custom policy, when assigned and set to "Deny" will stop Vaults being created without the Soft Delete retention being set to 10 days.

Here's the "policyRule" section of my test custom policy- based on the "Key vaults should have soft delete enabled" policy.

 

 

 

"policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
                "notEquals": 10
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }

 

 

0 Likes
Reply
best response confirmed by nirmalmcse02 (Copper Contributor)
ibnmbodji

‎Jan 29 2021 03:49 AM

‎Jan 29 2021 03:49 AM

Solution

Re: Azure Policy for Key Vault Soft Delete Retention

@nirmalmcse02 

 

There is no  builtin policy to do that and i would suggest to automate this in a declarative or imperative way ( Powershell or  Arm or another Infra as Code tool) . 

By doing that  you will have config files with the right values and minimize the remediation tasks ( which are not applicable every time ) and the management overhead . Once you have done that you will simply customize a builtin policy to ensure that every deployment which have a value different from 10 will be denied . 

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by nirmalmcse02 (Copper Contributor)
ibnmbodji

‎Jan 29 2021 03:49 AM

‎Jan 29 2021 03:49 AM

Solution

Re: Azure Policy for Key Vault Soft Delete Retention

@nirmalmcse02 

 

There is no  builtin policy to do that and i would suggest to automate this in a declarative or imperative way ( Powershell or  Arm or another Infra as Code tool) . 

By doing that  you will have config files with the right values and minimize the remediation tasks ( which are not applicable every time ) and the management overhead . Once you have done that you will simply customize a builtin policy to ensure that every deployment which have a value different from 10 will be denied . 

 

View solution in original post

0 Likes
Reply