Framework/Configurations/SVT/Services/ContainerRegistry.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
{
    "FeatureName": "ContainerRegistry",
    "Reference": "aka.ms/azsktcp/containerregistry",
    "IsMaintenanceMode": false,
    "Controls": [
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_Account",
        "Description": "The Admin account in Container Registry should be disabled",
        "Id": "ContainerRegistry110",
        "ControlSeverity": "High",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckAdminUserStatus",
        "Rationale": "The Admin user account is designed for a single user to access the registry. Multiple users authenticating with the admin account appear as just one user to the registry. This leads to loss of auditability. Using AAD-based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.",
        "Recommendation": "Run command 'Update-AzContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzContainerRegistry -full' for more help. You can add AAD-based SPNs or user accounts to the appropriate RBAC role instead.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "ContainerRegistry"
        ],
        "FixControl": {
          "FixMethodName": "DisableAdminAccount",
          "FixControlImpact": "High"
        }
      },
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Use_SPN_For_Registry_Access",
        "Description": "A service principal should be used to access container images in Container Registry",
        "Id": "ContainerRegistry120",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckResourceAccess",
        "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the given scenario.",
        "Recommendation": "Grant access to an SPN using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal",
        "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "OwnerAccess",
            "GraphRead",
            "ContainerRegistry"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Store_SPN_Cred_In_KeyVault",
        "Description": "Credentials of service principal used for Container Registry must be stored in Key Vault",
        "Id": "ContainerRegistry130",
        "ControlSeverity": "High",
        "Enabled": true,
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Keeping/sharing password in clear text can lead to easy compromise at various avenues during an application's life cycle. Storing them in a key vault ensures that they are protected at rest.",
        "Recommendation": "To create an SPN and add the credential to a key vault refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-build#create-service-principal-and-store-credentials.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "SI",
          "ContainerRegistry"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_AuthZ_Grant_Min_RBAC_Access",
        "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
        "Id": "ContainerRegistry140",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckResourceRBACAccess",
        "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
        "Recommendation": "Remove any excessive privileges granted on the Container Registry. Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Assign 'Reader' RBAC role to the members/SPs who only required to pull images from the Registry. Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "RBAC",
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_Configure_Webhook_For_Vuln_Scan",
        "Description": "Image vulnerability scan should be configured through webhook when images are pushed to Container Registry",
        "Id": "ContainerRegistry150",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckContainerWebhooks",
        "Rationale": "Container image(s) having vulnerabilities (e.g., missing OS patches in base image, open ports, etc.) can lead to attacks and subsequent loss of sensitive enterprise data.",
        "Recommendation": "Configure a vulnerability scanner using guidance here: https://github.com/Azure/acr/blob/master/docs/acr-roadmap.md#vulnerability-scanning-integration, https://docs.microsoft.com/en-in/azure/container-registry/container-registry-webhook",
        "Tags": [
          "SDL",
          "Best Practice",
          "Automated",
          "Config",
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_Configure_Latest_Images",
        "Description": "Container Registry must have latest/patched image(s) all the time",
        "Id": "ContainerRegistry160",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Unpatched images are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. Automated-patching ensures that the window for attacks on container images in minimized.",
        "Recommendation": "Setup automate build using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-base-image-update",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Config" ,
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust",
        "Description": "Content trust must be enabled for the Container Registry",
        "Id": "ContainerRegistry170",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "Yes",
        "MethodName": "CheckContentTrust",
        "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the image content received from a registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.",
        "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. Refer: https://aka.ms/acr/content-trust.",
        "Tags": [
          "SDL",
          "Best Practice",
          "Automated",
          "DP",
          "ContainerRegistry"
        ]
      },
      {
        "ControlID": "Azure_ContainerRegistry_Audit_Review_Logs",
        "Description": "Activity logs for Data Container Registry should be reviewed periodically",
        "Id": "ContainerRegistry180",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Periodic reviews of activity and audit logs ensures that anomalous activity can be identified early enough instead of after a major compromise.",
        "Recommendation": "Review activity logs to check critical activities (e.g. List Container Registry Login Credentials) on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "Audit",
          "ContainerRegistry"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ContainerRegistry_DP_Push_Only_Signed_Images",
        "Description": "Only signed images must be pushed to Container Registry",
        "Id": "ContainerRegistry190",
        "ControlSeverity": "Medium",
        "Enabled": true,
        "Automated": "No",
        "MethodName": "",
        "Rationale": "A container image that is not signed can be exposed malicious changes. Signing and signature verification ensures that only trusted images are able to run.",
        "Recommendation": "Run command 'az acr repository show -n <RegistryName> --image <IamgeName>:<Tag>' from Azure cli to get signature details of the images. Refer: https://docs.docker.com/engine/security/trust/content_trust/#push-trusted-content",
        "Tags": [
          "SDL",
          "Best Practice",
          "Manual",
          "DP"
        ]
      }
    ]
 }