Framework/Configurations/SVT/Services/ContainerInstances.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
{
  "FeatureName": "ContainerInstances",
  "Reference": "aka.ms/azsktcp/containerinstances",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ContainerInstances_NetSec_Justify_PublicIP_and_Ports",
      "Description": "Use of public IP address and ports should be carefully reviewed",
      "Id": "ContainerInstances110",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckPublicIPAndPorts",
      "Rationale": "Public IP address provides direct access over the internet exposing the container to all type of attacks over the public network.",
      "Recommendation": "Add public IP address and ports to a container only as required. Ensure that the resulting data flows are carefully reviewed.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ]
    },
    {
      "ControlID": "Azure_ContainerInstances_SI_Review_Image",
      "Description": "Make sure container images (including nested images) are from a trustworthy source",
      "Id": "ContainerInstances120",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckContainerImage",
      "Rationale": "If a container runs an untrusted image (or an untrusted nested image), it can violate integrity of the infrastructure and lead to all types of security attacks.",
      "Recommendation": "Ensure that the image source(s) for the image comprising the container are trustworthy. Review image configurations carefully for any misconfigurations.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI"
      ]
    },
    {
      "ControlID": "Azure_ContainerInstances_DP_Review_Registry",
      "Description": "Make sure container images are hosted on a trustworthy registry that has strong authentication, authorization and data protection mechanisms",
      "Id": "ContainerInstances130",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckRegistry",
      "Rationale": "If a container image is served from an untrusted registry, the image itself may not be trustworthy. Running such a compromised image can lead to loss of sensitive enterprise data.",
      "Recommendation": "Ensure that the registry, which hosts the image, is trustworthy. Review registry configurations carefully for any misconfigurations related to authentication, authorization, etc. ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ]
    },
    {
      "ControlID": "Azure_ContainerInstances_AuthZ_Container_Segregation",
      "Description": "A container group must contain only containers which trust each other",
      "Id": "ContainerInstances140",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckContainerTrust",
      "Rationale": "Containers hosted in the same container group can monitor traffic of other containers within the group and can also access the file system of the host OS. Hence a container group must not host containers which do not trust each other. In other words, do not mix containers across trust boundaries in the same group.",
      "Recommendation": "Carefully review the role and privileges required by each container in a container group. If the privilege levels and access requirements are different, then consider segregating the containers into separate groups.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ]
    }
  ]
}