module/ConfigurationProvider/ControlConfigurations/Services/ContainerRegistry.json
{
"FeatureName": "ContainerRegistry", "Reference": "aka.ms/azsktcp/containerregistry", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_Account", "Description": "The Admin account in Container Registry should be disabled", "Id": "ContainerRegistry110", "ControlSeverity": "High", "Enabled": true, "Automated": "Yes", "MethodName": "CheckAdminUserStatus", "DisplayName": "The Admin account in Container Registry should be disabled", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "The Admin user account is designed for a single user to access the registry. Multiple users authenticating with the admin account appear as just one user to the registry. This leads to loss of auditability. Using AAD-based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.", "Recommendation": "Run command 'Update-AzContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzContainerRegistry -full' for more help. 
You can add AAD-based SPNs or user accounts to the appropriate RBAC role instead.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "ContainerRegistry", "Baseline", "Weekly" ], "CustomTags": [] }, { "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust", "Description": "Content trust must be enabled for the Container Registry", "Id": "ContainerRegistry170", "ControlSeverity": "Medium", "Enabled": true, "Automated": "Yes", "MethodName": "CheckContentTrust", "DisplayName": "Content trust must be enabled for the Container Registry", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the image content received from a registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.", "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. 
Refer: https://aka.ms/acr/content-trust.", "Tags": [ "SDL", "Best Practice", "Automated", "DP", "ContainerRegistry", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "TrustPolicyStatus" ] }, "CustomTags": [] }, { "ControlID": "Azure_ContainerRegistry_Config_Enable_Security_Scanning", "Description": "Configure access for required identities to enable security scans of registry images.", "Id": "ContainerRegistry200", "ControlSeverity": "High", "Enabled": false, "Automated": "Yes", "MethodName": "CheckConfigRequiredForRegistryImageScans", "DisplayName": "Security scanner identity must be granted access to Container Registry for image scans", "Category": "Reader role access to all subscription and resources", "ControlRequirements": "Security team visibility into all Microsoft assets", "Rationale": "Images in a container registry need to be regularly scanned for vulnerabilities. The enterprise-wide solution deployed for this needs access to read the images from the registry to perform the scans.", "Recommendation": "Run command 'New-AzRoleAssignment -ObjectId {ObjectId} -RoleDefinitionName {RoleName} -Scope {Scope}'. 
Run 'Get-Help New-AzRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "ContainerRegistry", "Baseline", "Daily" ], "ControlSettings": { "CentralAccount": [] }, "CustomTags": [ "CSEOBaseline", "CSEOPilot", "Wave8", "SN:ContainerRegistry_Scanner" ] }, { "ControlID": "Azure_ContainerRegistry_Config_Enable_Security_Scanning_Trial", "Description": "[Trial] Configure access for required identities to enable security scans of registry images.", "Id": "ContainerRegistry240", "ControlSeverity": "High", "Enabled": false, "Automated": "Yes", "MethodName": "CheckConfigRequiredForRegistryImageScansTrial", "DisplayName": "[Trial] Security scanner identity must be granted required access to Container Registry for image scans", "Category": "Reader role access to all subscription and resources", "ControlRequirements": "Security team visibility into all Microsoft assets", "Rationale": "Images in a container registry need to be regularly scanned for vulnerabilities. The required identity needs to be assigned the required roles to read the images from the registry to perform the scans.", "Recommendation": "Assign the required identity the Reader/AcrPull role at the Container Registry level. For higher scopes, only the AcrPull role should be given. 
", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "ContainerRegistry", "Baseline" ], "ControlSettings": { "CentralAccount": [] }, "CustomTags": [ "Daily" ] }, { "ControlID": "Azure_ContainerRegistry_NetSec_Dont_Allow_Unrestricted_Network_Access_MCSB", "Description": "[MCSB] Container registries should not allow unrestricted network access", "Id": "ContainerRegistry250", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Container registries should not allow unrestricted network access", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlScanSource": "MDC", "Rationale": "Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", "AssessmentProperties": { "AssessmentNames": [ "9b828565-a0ed-61c2-6bf3-1afc99a9b2ca" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Baseline", "ContainerRegistry" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_ContainerRegistry_NetSec_Use_Private_Link_MCSB", "Description": "[MCSB] Container registries should use private link", "Id": "ContainerRegistry260", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Container registries should use private link", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlScanSource": "MDC", "Rationale": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link#set-up-private-endpoint---portal-recommended", "AssessmentProperties": { "AssessmentNames": [ "13e7d036-6903-821c-6018-962938929bf0" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Baseline", "ContainerRegistry" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_ContainerRegistry_DP_Enable_Encryption_With_Customer_Managed_Keys_MCSB", "Description": "[MCSB] Container registries should be encrypted with a customer-managed key", "Id": "ContainerRegistry270", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Container registries should be encrypted with a customer-managed key", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Data Encryption ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. And by using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer managed keys in Azure Container Registry, please refer: https://learn.microsoft.com/en-us/azure/container-registry/tutorial-customer-managed-keys", "Tags": [ "ContainerRegistry", "Automated", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "af560c4d-9c05-e073-b9f1-f7a94958ff25" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_ContainerRegistry_SI_Remediate_Vulnerabilities_MCSB", "Description": "[MCSB] Vulnerabilities in Azure Container Registry images should be remediated", "Id": "ContainerRegistry280", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Vulnerabilities in Azure Container Registry images should be remediated", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlScanSource": "MDC", "Rationale": "Containers with known vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising a container with such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect and warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Recommendation": "To resolve vulnerabilities in Azure Container Registry images, please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure#view-and-remediate-findings", "Tags": [ "Automated", "Baseline", "ContainerRegistry", "SI" ], "AssessmentProperties": { "AssessmentNames": [ "dbd0cb49-b563-45e7-9724-889e799fa648" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_ContainerRegistry_NetSec_Dont_Allow_Public_Network_Access", "Description": "Public network access must be disabled on Container Registries", "Id": "ContainerRegistry290", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicNetworkAccess", "DisplayName": "Public network access must be disabled on Container Registries", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlScanSource": "MDCorReader", "Rationale": "Enabling public network access for Container Registries can lead to the risk of data leakage.", "Recommendation": "To remediate, disable public network access on your Container Registry and use Private Link to access it. Refer: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link", "AssessmentProperties": { "AssessmentNames": [ "9b828565-a0ed-61c2-6bf3-1afc99a9b2ca" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Tags": [ "Automated", "NetSec", "Baseline", "ContainerRegistry" ], "ControlEvaluationDetails": { "RequiredProperties": [ "PublicNetworkAccess" ] }, "Enabled": true, "CustomTags": [ "Daily" ] } ] }