AzSK

3.8.0

Framework/Configurations/SVT/Services/ContainerRegistry.json

                                {

    "FeatureName": "ContainerRegistry",

    "Reference": "aka.ms/azsktcp/containerregistry",

    "IsMaintenanceMode": false,

    "Controls": [

      {

        "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_Account",

        "Description": "The Admin account in Container Registry should be disabled",

        "Id": "ContainerRegistry110",

        "ControlSeverity": "High",

        "Enabled": true,

        "Automated": "Yes",

        "MethodName": "CheckAdminUserStatus",

        "Rationale": "The Admin user account is designed for a single user to access the registry. Multiple users authenticating with the admin account appear as just one user to the registry. This leads to loss of auditability. Using AAD-based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.",

        "Recommendation": "Run command 'Update-AzureRmContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzureRmContainerRegistry -full' for more help. You can add AAD-based SPNs or user accounts to the appropriate RBAC role instead.",

        "Tags": [

          "SDL",

          "TCP",

          "Automated",

          "AuthZ",

          "ContainerRegistry"

        ],

        "FixControl": {

          "FixMethodName": "DisableAdminAccount",

          "FixControlImpact": "High"

        }

      },

      {

        "ControlID": "Azure_ContainerRegistry_AuthZ_Use_SPN_For_Registry_Access",

        "Description": "A service principal should be used to access container images in Container Registry",

        "Id": "ContainerRegistry120",

        "ControlSeverity": "Medium",

        "Enabled": true,

        "Automated": "Yes",

        "MethodName": "CheckResourceAccess",

        "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the given scenario.",

        "Recommendation": "Grant access to an SPN using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal",

        "Tags": [

            "SDL",

            "TCP",

            "Automated",

            "AuthZ",

            "OwnerAccess",

            "GraphRead",

            "ContainerRegistry"

        ]

      },

      {

        "ControlID": "Azure_ContainerRegistry_DP_Store_SPN_Cred_In_KeyVault",

        "Description": "Credentials of service principal used for Container Registry must be stored in Key Vault",

        "Id": "ContainerRegistry130",

        "ControlSeverity": "High",

        "Enabled": true,

        "Automated": "No",

        "MethodName": "",

        "Rationale": "Keeping/sharing password in clear text can lead to easy compromise at various avenues during an application's life cycle. Storing them in a key vault ensures that they are protected at rest.",

        "Recommendation": "To create an SPN and add the credential to a key vault refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-build#create-service-principal-and-store-credentials.",

        "Tags": [

          "SDL",

          "TCP",

          "Manual",

          "SI",

          "ContainerRegistry"

        ]

      },

      {

        "ControlID": "Azure_ContainerRegistry_AuthZ_Grant_Min_RBAC_Access",

        "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",

        "Id": "ContainerRegistry140",

        "ControlSeverity": "Medium",

        "Automated": "Yes",

        "MethodName": "CheckResourceRBACAccess",

        "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

        "Recommendation": "Remove any excessive privileges granted on the Container Registry. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign 'Reader' RBAC role to the members/SPs who only required to pull images from the Registry. Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",

        "Tags": [

          "SDL",

          "TCP",

          "Automated",

          "AuthZ",

          "RBAC",

          "ContainerRegistry"

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ContainerRegistry_Configure_Webhook_For_Vuln_Scan",

        "Description": "Image vulnerability scan should be configured through webhook when images are pushed to Container Registry",

        "Id": "ContainerRegistry150",

        "ControlSeverity": "Medium",

        "Automated": "Yes",

        "MethodName": "CheckContainerWebhooks",

        "Rationale": "Container image(s) having vulnerabilities (e.g., missing OS patches in base image, open ports, etc.) can lead to attacks and subsequent loss of sensitive enterprise data.",

        "Recommendation": "Configure a vulnerability scanner using guidance here: https://github.com/Azure/acr/blob/master/docs/acr-roadmap.md#vulnerability-scanning-integration, https://docs.microsoft.com/en-in/azure/container-registry/container-registry-webhook",

        "Tags": [

          "SDL",

          "Best Practice",

          "Automated",

          "Config",

          "ContainerRegistry"         

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ContainerRegistry_Configure_Latest_Images",

        "Description": "Container Registry must have latest/patched image(s) all the time",

        "Id": "ContainerRegistry160",

        "ControlSeverity": "Medium",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "Unpatched images are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. Automated-patching ensures that the window for attacks on container images in minimized.",

        "Recommendation": "Setup automate build using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-base-image-update",

        "Tags": [

          "SDL",

          "Best Practice",

          "Manual",

          "Config" ,

          "ContainerRegistry"         

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust",

        "Description": "Content trust must be enabled for the Container Registry",

        "Id": "ContainerRegistry170",

        "ControlSeverity": "Medium",

        "Enabled": true,

        "Automated": "Yes",

        "MethodName": "CheckContentTrust",

        "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the image content received from a registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.",

        "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. Refer: https://aka.ms/acr/content-trust.",

        "Tags": [

          "SDL",

          "Best Practice",

          "Automated",

          "DP",

          "ContainerRegistry"

        ]

      },

      {

        "ControlID": "Azure_ContainerRegistry_Audit_Review_Logs",

        "Description": "Activity logs for Data Container Registry should be reviewed periodically",

        "Id": "ContainerRegistry180",

        "ControlSeverity": "Medium",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "Periodic reviews of activity and audit logs ensures that anomalous activity can be identified early enough instead of after a major compromise.",

        "Recommendation": "Review activity logs to check critical activities (e.g. List Container Registry Login Credentials) on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",

        "Tags": [

          "SDL",

          "Best Practice",

          "Manual",

          "Audit",

          "ContainerRegistry"

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ContainerRegistry_DP_Push_Only_Signed_Images",

        "Description": "Only signed images must be pushed to Container Registry",

        "Id": "ContainerRegistry190",

        "ControlSeverity": "Medium",

        "Enabled": true,

        "Automated": "No",

        "MethodName": "",

        "Rationale": "A container image that is not signed can be exposed malicious changes. Signing and signature verification ensures that only trusted images are able to run.",

        "Recommendation": "Run command 'az acr repository show -n <RegistryName> --image <IamgeName>:<Tag>' from Azure cli to get signature details of the images. Refer: https://docs.docker.com/engine/security/trust/content_trust/#push-trusted-content",

        "Tags": [

          "SDL",

          "Best Practice",

          "Manual",

          "DP"

        ]

      }

    ]

 }