Framework/Configurations/SVT/Services/ContainerRegistry.json

{
    "FeatureName": "ContainerRegistry",
    "Reference": "aka.ms/azsktcp/containerregistry",
    "IsMaintenanceMode": false,
    "Controls": [
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_User",
        "Description": "Admin user in Container Registry must be disabled",
        "Id": "ContainerRegistry110",
        "ControlSeverity": "High",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckAdminUserStatus",
        "Rationale": "The admin user is designed for a single user to access the registry. All users authenticating with the admin account appear as a single user to the registry. Because the admin user holds a highly privileged role, leaving it enabled increases the attack surface of the server without individual activity being tracked. Using AAD based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.",
        "Recommendation": "Run command: Update-AzureRmContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzureRmContainerRegistry -full' for more help.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Use_SPN_For_Registry_Access",
        "Description": "Service principal identity should be used to access container images in Container Registry",
        "Id": "ContainerRegistry120",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckResourceAccess",
        "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have a broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the given scenario.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal",
        "Tags": [
            "SDL",
            "TCP",
            "Manual",
            "AuthZ",
            "OwnerAccess",
            "GraphRead"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Store_SPN_Cred_In_KeyVault",
        "Description": "Credentials of service principal used for Container Registry must be stored in Key Vault",
        "Id": "ContainerRegistry130",
        "ControlSeverity": "High",
        "Enabled": true,
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Keeping/sharing passwords in clear text can lead to easy compromise at various points during an application's life cycle. Storing them in a key vault ensures that they are protected at rest.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-build#create-service-principal-and-store-credentials for how to create a service principal and store its credentials in Key Vault.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "SI"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Grant_Min_RBAC_Access",
        "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
        "Id": "ContainerRegistry140",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckResourceRBACAccess",
        "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
        "Recommendation": "Remove any excessive privileges granted on the Container Registry. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign the 'Reader' RBAC role to the members/SPs who only need to pull images from the Registry. Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "RBAC"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_Configure_Webhook_For_Vuln_Scan",
        "Description": "Image vulnerability scan should be configured through webhook when images are pushed to Container Registry",
        "Id": "ContainerRegistry150",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckContainerWebhooks",
        "Rationale": "Container image(s) with vulnerabilities (e.g. missing OS patches in the base image, open ports in the image) can lead to loss of sensitive enterprise data.",
        "Recommendation": "Refer: https://github.com/Azure/acr/blob/master/docs/acr-roadmap.md#vulnerability-scanning-integration, https://docs.microsoft.com/en-in/azure/container-registry/container-registry-webhook",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Config"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_Configure_Latest_Images",
        "Description": "Container Registry must contain latest/patched image(s) at all times",
        "Id": "ContainerRegistry160",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Un-patched images are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-base-image-update",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Config"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust",
        "Description": "Content trust in Container Registry must be enabled",
        "Id": "ContainerRegistry170",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckContentTrust",
        "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the data received from a Registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.",
        "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. Refer: https://aka.ms/acr/content-trust.",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "DP"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_Audit_Review_Logs",
        "Description": "Activity logs for Container Registry should be reviewed periodically",
        "Id": "ContainerRegistry180",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Periodic reviews of activity and audit logs ensure that anomalous activity can be identified early, instead of after a major compromise.",
        "Recommendation": "Review activity logs to check critical activities (e.g. List Container Registry Login Credentials) on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Audit"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Push_Only_Signed_Images",
        "Description": "Only signed images must be pushed in Container Registry",
        "Id": "ContainerRegistry190",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the data received from a Registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.",
        "Recommendation": "Run command 'az acr repository show -n <RegistryName> --image <ImageName>:<Tag>' from the Azure CLI to get signature details of the images. Refer: https://docs.docker.com/engine/security/trust/content_trust/#push-trusted-content",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "DP"
        ]
      }
    ]
 }