Framework/Configurations/SVT/Services/ContainerRegistry.json

{
    "FeatureName": "ContainerRegistry",
    "Reference": "aka.ms/azsktcp/containerregistry",
    "IsMaintenanceMode": false,
    "Controls": [
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_Account",
        "Description": "The Admin account in Container Registry should be disabled",
        "Id": "ContainerRegistry110",
        "ControlSeverity": "High",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckAdminUserStatus",
        "Rationale": "The Admin user account is designed for a single user to access the registry. Multiple users authenticating with the admin account appear as just one user to the registry. This leads to loss of auditability. Using AAD-based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.",
        "Recommendation": "Run command 'Update-AzContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzContainerRegistry -full' for more help. You can add AAD-based SPNs or user accounts to the appropriate RBAC role instead.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "ContainerRegistry"
        ],
        "FixControl": {
          "FixMethodName": "DisableAdminAccount",
          "FixControlImpact": "High"
        }
      },
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Use_SPN_For_Registry_Access",
        "Description": "A service principal should be used to access container images in Container Registry",
        "Id": "ContainerRegistry120",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckResourceAccess",
        "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the given scenario.",
        "Recommendation": "Grant access to an SPN using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal",
        "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "OwnerAccess",
            "GraphRead",
            "ContainerRegistry"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Store_SPN_Cred_In_KeyVault",
        "Description": "Credentials of service principal used for Container Registry must be stored in Key Vault",
        "Id": "ContainerRegistry130",
        "ControlSeverity": "High",
        "Enabled": true,
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Keeping/sharing password in clear text can lead to easy compromise at various avenues during an application's life cycle. Storing them in a key vault ensures that they are protected at rest.",
        "Recommendation": "To create an SPN and add the credential to a key vault refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-build#create-service-principal-and-store-credentials.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "SI",
          "ContainerRegistry"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Grant_Min_RBAC_Access",
        "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
        "Id": "ContainerRegistry140",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckResourceRBACAccess",
        "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
        "Recommendation": "Remove any excessive privileges granted on the Container Registry. Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Assign 'Reader' RBAC role to the members/SPs who only required to pull images from the Registry. Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "RBAC",
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_Configure_Webhook_For_Vuln_Scan",
        "Description": "Image vulnerability scan should be configured through webhook when images are pushed to Container Registry",
        "Id": "ContainerRegistry150",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckContainerWebhooks",
        "Rationale": "Container image(s) having vulnerabilities (e.g., missing OS patches in base image, open ports, etc.) can lead to attacks and subsequent loss of sensitive enterprise data.",
        "Recommendation": "Configure a vulnerability scanner using guidance here: https://github.com/Azure/acr/blob/master/docs/acr-roadmap.md#vulnerability-scanning-integration, https://docs.microsoft.com/en-in/azure/container-registry/container-registry-webhook",
        "Tags": [
          "SDL",
          "Best Practice",
          "Automated",
          "Config",
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_Configure_Latest_Images",
        "Description": "Container Registry must have latest/patched image(s) all the time",
        "Id": "ContainerRegistry160",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Unpatched images are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. Automated-patching ensures that the window for attacks on container images in minimized.",
        "Recommendation": "Setup automate build using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-base-image-update",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Config" ,
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust",
        "Description": "Content trust must be enabled for the Container Registry",
        "Id": "ContainerRegistry170",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckContentTrust",
        "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the image content received from a registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.",
        "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. Refer: https://aka.ms/acr/content-trust.",
        "Tags": [
          "SDL",
          "Best Practice",
          "Automated",
          "DP",
          "ContainerRegistry"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_Audit_Review_Logs",
        "Description": "Activity logs for Data Container Registry should be reviewed periodically",
        "Id": "ContainerRegistry180",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Periodic reviews of activity and audit logs ensures that anomalous activity can be identified early enough instead of after a major compromise.",
        "Recommendation": "Review activity logs to check critical activities (e.g. List Container Registry Login Credentials) on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Audit",
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Push_Only_Signed_Images",
        "Description": "Only signed images must be pushed to Container Registry",
        "Id": "ContainerRegistry190",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "No",
        "MethodName": "",
        "Rationale": "A container image that is not signed can be exposed malicious changes. Signing and signature verification ensures that only trusted images are able to run.",
        "Recommendation": "Run command 'az acr repository show -n <RegistryName> --image <IamgeName>:<Tag>' from Azure cli to get signature details of the images. Refer: https://docs.docker.com/engine/security/trust/content_trust/#push-trusted-content",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "DP"
        ]
      }
    ]
 }