Framework/Configurations/SVT/Services/ContainerInstances.json

{
  "FeatureName": "ContainerInstances",
  "Reference": "aka.ms/azsktcp/containerinstances",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ContainerInstances_NetSec_Justify_PublicIP_and_Ports",
      "Description": "Use of public IP address and ports should be carefully reviewed",
      "Id": "ContainerInstances110",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckPublicIPAndPorts",
      "Rationale": "A public IP address provides direct access over the internet, exposing the container to all types of attacks from the public network.",
      "Recommendation": "Add public IP address and ports to a container only as required. Ensure that the resulting data flows are carefully reviewed.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ContainerInstances"
      ]
    },
    {
      "ControlID": "Azure_ContainerInstances_SI_Review_Image",
      "Description": "Make sure container images (including nested images) are from a trustworthy source",
      "Id": "ContainerInstances120",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckContainerImage",
      "Rationale": "If a container runs an untrusted image (or an untrusted nested image), it can violate integrity of the infrastructure and lead to all types of security attacks.",
      "Recommendation": "Ensure that the source(s) of the images comprising the container are trustworthy. Review image configurations carefully for any misconfigurations.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ContainerInstances"
      ]
    },
    {
      "ControlID": "Azure_ContainerInstances_DP_Review_Registry",
      "Description": "Make sure container images are hosted on a trustworthy registry that has strong authentication, authorization and data protection mechanisms",
      "Id": "ContainerInstances130",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckRegistry",
      "Rationale": "If a container image is served from an untrusted registry, the image itself may not be trustworthy. Running such a compromised image can lead to loss of sensitive enterprise data.",
      "Recommendation": "Ensure that the registry that hosts the image is trustworthy. Review registry configurations carefully for any misconfigurations related to authentication, authorization, etc.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "ContainerInstances"
      ]
    },
    {
      "ControlID": "Azure_ContainerInstances_AuthZ_Container_Segregation",
      "Description": "A container group must contain only containers which trust each other",
      "Id": "ContainerInstances140",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "Yes",
      "MethodName": "CheckContainerTrust",
      "Rationale": "Containers hosted in the same container group can monitor traffic of other containers within the group and can also access the file system of the host OS. Hence a container group must not host containers which do not trust each other. In other words, do not mix containers across trust boundaries in the same group.",
      "Recommendation": "Carefully review the role and privileges required by each container in a container group. If the privilege levels and access requirements are different, then consider segregating the containers into separate groups.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "ContainerInstances"
      ]
    }
  ]
}