Azure Key Vault stores cryptographic keys, secrets, and certificates that protect other resources. Purge protection should be enabled to prevent the vault, or any of its objects, from being permanently deleted before the soft-delete retention period elapses.

Why is this an issue?

Azure Key Vault has a soft-delete feature that retains deleted vaults and objects for a configurable retention period, during which they can be recovered. However, soft-delete alone does not prevent a privileged user from permanently deleting (purging) the vault or its objects before that period expires.

Purge protection closes this gap: once enabled, neither the vault nor its objects can be purged until the retention period has fully elapsed, even by an account with sufficient permissions.

When the purge_protection_enabled attribute is absent, it defaults to false, leaving the vault unprotected against permanent deletion.

What is the potential impact?

A Key Vault typically holds the key-encryption keys, secrets, and certificates that secure other resources and data. Without purge protection, a compromised or malicious administrator account can delete the vault and immediately purge it, permanently destroying this material.

Irreversible data loss

Permanently destroying a key-encryption key renders every piece of data protected by it unrecoverable. Unlike a simple deletion, a purge cannot be undone and there is no recovery window, making this a destructive and irreversible action.

Sabotage and ransom

Permanent destruction of secrets and keys is a common objective in sabotage and ransom scenarios. An attacker who gains the required permissions can wipe out the cryptographic material an organization depends on, causing prolonged outages and potentially unrecoverable loss of business data.

How to fix it

Set purge_protection_enabled to true on the azurerm_key_vault resource.

Code examples

Noncompliant code example

resource "azurerm_key_vault" "example" {
  name                = "example-vault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard" # Noncompliant: purge protection is not enabled
}

Compliant solution

resource "azurerm_key_vault" "example" {
  name                       = "example-vault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
}
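As an added example that is not part of this rule page, the following Python check scans Terraform source for azurerm_key_vault blocks and reports each one whose purge_protection_enabled attribute is absent (the provider default is false) or explicitly false. It is a simplified scanner, not an HCL parser: it assumes each resource block's closing brace sits at column 0 and that the attribute is written as a bare true/false literal; the sample Terraform is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample input: one vault without the attribute, one compliant,
# one with the attribute explicitly switched off.
SAMPLE_TF = '''
resource "azurerm_key_vault" "unprotected" {
  name                = "example-vault"
  location            = azurerm_resource_group.example.location
  sku_name            = "standard"
}

resource "azurerm_key_vault" "protected" {
  name                       = "example-vault-2"
  sku_name                   = "standard"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
}

resource "azurerm_key_vault" "explicit_off" {
  name                     = "example-vault-3"
  purge_protection_enabled = false  # comment after the value is tolerated
}
'''

# Matches a top-level azurerm_key_vault resource; the body runs up to the
# first closing brace at column 0, so indented nested blocks do not end it.
BLOCK_RE = re.compile(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Matches the attribute as a bare boolean literal, with an optional trailing comment.
ATTR_RE = re.compile(r'^\s*purge_protection_enabled\s*=\s*(true|false)\s*(?:#.*)?$', re.M)


def check_key_vaults(tf_source: str) -> List[Dict[str, str]]:
    """Return one finding per azurerm_key_vault block that is not purge-protected."""
    findings = []
    for name, body in BLOCK_RE.findall(tf_source):
        match = ATTR_RE.search(body)
        if match is None:
            reason = "purge_protection_enabled is absent (defaults to false)"
        elif match.group(1) == "false":
            reason = "purge_protection_enabled is explicitly false"
        else:
            continue  # purge_protection_enabled = true: compliant
        findings.append({"resource": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in check_key_vaults(SAMPLE_TF):
        print(f'azurerm_key_vault.{finding["resource"]}: {finding["reason"]}')
```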
