Key Vault Misconfiguration

Description

Key Vaults with broad access policies/RBAC, disabled soft delete/purge protection, publicly reachable endpoints, or secret values written to diagnostic logs can lead to secret/key exposure or irreversible deletion. Missing private endpoints, unrestricted firewall rules (network ACL default action "Allow"), and over-privileged application identities are common root causes.

Examples

Inspect Vault Settings

az keyvault show -n <vault> --query "{sku:properties.sku.name, softDelete:properties.enableSoftDelete, purgeProtection:properties.enablePurgeProtection, networkAcls:properties.networkAcls}"
az keyvault list-deleted

List Access Policies / RBAC

az keyvault show -n <vault> --query properties.accessPolicies
az role assignment list --scope $(az keyvault show -n <vault> --query id -o tsv)
az monitor diagnostic-settings list --resource $(az keyvault show -n <vault> --query id -o tsv)
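
An added example (not part of the original page) that turns the inspection above into an automated check: it evaluates the JSON that `az keyvault show -n <vault> -o json` returns and reports the misconfigurations this page describes. The vault document below is constructed test data; the field names `enableSoftDelete`, `enablePurgeProtection`, `networkAcls` and `accessPolicies` are those queried above, and `publicNetworkAccess` is assumed to be present as in current Key Vault API versions.

```python
import json

# Constructed sample shaped like `az keyvault show -n <vault> -o json`.
# This is test data, not output captured from a real vault.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-example",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": false,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices", "ipRules": []},
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["get"], "secrets": ["all"], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-000000000002",
       "permissions": {"keys": [], "secrets": ["get"], "certificates": []}}
    ]
  }
}
""")

# Access-policy permission values that no application identity should hold.
BROAD = {"all", "purge"}


def audit_keyvault(vault):
    """Return a list of findings for one vault JSON document; an empty list means clean."""
    p = vault.get("properties", {})
    findings = []
    if not p.get("enableSoftDelete"):
        findings.append("soft delete disabled: deleted secrets/keys are unrecoverable")
    if not p.get("enablePurgeProtection"):
        findings.append("purge protection disabled: soft-deleted objects can be purged")
    # Public exposure: public access on AND the network ACL falls through to Allow.
    acls = p.get("networkAcls") or {}
    if (p.get("publicNetworkAccess", "Enabled") == "Enabled"
            and acls.get("defaultAction", "Allow") == "Allow"):
        findings.append("publicly reachable: no network ACL default-deny or private endpoint")
    for pol in p.get("accessPolicies", []):
        perms = pol.get("permissions", {})
        broad = {f"{cat}:{perm}" for cat, lst in perms.items()
                 for perm in lst if perm.lower() in BROAD}
        if broad:
            findings.append(f"access policy {pol.get('objectId')} has broad permissions {sorted(broad)}")
    return findings


if __name__ == "__main__":
    for finding in audit_keyvault(SAMPLE_VAULT):
        print("FINDING:", finding)
```

Against a live subscription, pipe the real CLI output into `audit_keyvault` (for example `json.load(sys.stdin)` fed by `az keyvault show -n <vault> -o json`) instead of the constructed sample.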

Remediation

  1. Enable soft delete and purge protection; restrict purge/delete to break-glass roles.
  2. Enforce least privilege via RBAC or access policies; avoid broad get/list for apps; rotate secrets regularly.
  3. Network hardening and logging
    • Use private endpoints and restrictive firewall rules; avoid logging secret values; send diagnostics to Log Analytics with access controls.