Azure Key Vault stores cryptographic keys, secrets, and certificates that protect other resources. Purge protection should be enabled to prevent the vault, or any of its objects, from being permanently deleted before the soft-delete retention period elapses.
Azure Key Vault has a soft-delete feature that retains deleted vaults and objects for a configurable retention period, during which they can be recovered. However, soft-delete alone does not prevent a privileged user from permanently deleting (purging) the vault or its objects before that period expires.
Purge protection closes this gap: once enabled, neither the vault nor its objects can be purged until the retention period has fully elapsed, even by an account with sufficient permissions.
When the purge_protection_enabled attribute is absent, it defaults to false, leaving the vault unprotected against permanent deletion.
A Key Vault typically holds the key-encryption keys, secrets, and certificates that secure other resources and data. Without purge protection, a compromised or malicious administrator account can delete the vault and immediately purge it, permanently destroying this material.
Permanently destroying a key-encryption key renders every piece of data protected by it unrecoverable. Unlike a simple deletion, a purge cannot be undone and there is no recovery window, making this a destructive and irreversible action.
Permanent destruction of secrets and keys is a common objective in sabotage and ransom scenarios. An attacker who gains the required permissions can wipe out the cryptographic material an organization depends on, causing prolonged outages and potentially unrecoverable loss of business data.
Set purge_protection_enabled to true on the azurerm_key_vault resource.
resource "azurerm_key_vault" "example" {
  name                = "example-vault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard" # Noncompliant: purge protection is not enabled
}

resource "azurerm_key_vault" "example" {
  name                       = "example-vault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true # Compliant: vault and objects cannot be purged early
  soft_delete_retention_days = 90
}
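The following is an added example, not part of this rule description, that applies the same check to the JSON form of a Terraform plan (`terraform show -json tfplan`): every azurerm_key_vault resource whose planned attributes do not set purge_protection_enabled to true is reported, treating an absent attribute as false as described above. The plan document embedded below is constructed for the example, with the unrelated plan fields omitted.

```python
import json

# Constructed sample of `terraform show -json` output, reduced to the fields
# this check reads; it is not output from any real project.
SAMPLE_PLAN = """
{
  "resource_changes": [
    {
      "address": "azurerm_key_vault.unprotected",
      "type": "azurerm_key_vault",
      "change": {"actions": ["create"],
                 "after": {"name": "example-vault", "sku_name": "standard"}}
    },
    {
      "address": "azurerm_key_vault.protected",
      "type": "azurerm_key_vault",
      "change": {"actions": ["create"],
                 "after": {"name": "example-vault-2", "sku_name": "standard",
                           "purge_protection_enabled": true,
                           "soft_delete_retention_days": 90}}
    },
    {
      "address": "azurerm_key_vault.removed",
      "type": "azurerm_key_vault",
      "change": {"actions": ["delete"], "after": null}
    },
    {
      "address": "azurerm_resource_group.example",
      "type": "azurerm_resource_group",
      "change": {"actions": ["create"], "after": {"name": "example-rg"}}
    }
  ]
}
"""


def find_unprotected_vaults(plan_json: str) -> list[str]:
    """Return the addresses of azurerm_key_vault resources that the plan
    would leave without purge protection.

    An absent purge_protection_enabled counts as false (the provider
    default). Resources being destroyed have no "after" state and are
    skipped; only the planned result of the apply is judged.
    """
    plan = json.loads(plan_json)
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != "azurerm_key_vault":
            continue
        after = change.get("change", {}).get("after")
        if after is None:
            continue
        if after.get("purge_protection_enabled") is not True:
            findings.append(change["address"])
    return findings


if __name__ == "__main__":
    for address in find_unprotected_vaults(SAMPLE_PLAN):
        print(f"{address}: purge_protection_enabled is not set to true")
```

Run against a real plan, it reports `azurerm_key_vault.unprotected` for the sample above and nothing for the vault that matches the compliant resource.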