Framework/Configurations/SVT/Services/ContainerRegistry.json
|
{
"FeatureName": "ContainerRegistry", "Reference": "aka.ms/azsktcp/containerregistry", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_User", "Description": "Admin user in Container Registry must be disabled", "Id": "ContainerRegistry110", "ControlSeverity": "High", "Enabled": true, "Automated": "Yes", "MethodName": "CheckAdminUserStatus", "Rationale": "The admin user is designed for a single user to access the registry. All users authenticating with the admin account appear as a single user to the registry. Admin users are having high privileged role increases the attack surface for the server without being tracked. Using AAD based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.", "Recommendation": "Run command 'Update-AzureRmContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzureRmContainerRegistry -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ] }, { "ControlID": "Azure_ContainerRegistry_AuthZ_Use_SPN_For_Registry_Access", "Description": "Service principal identity should be used to access container images in Container Registry", "Id": "ContainerRegistry120", "ControlSeverity": "Medium", "Enabled": true, "Automated": "Yes", "MethodName": "CheckResourceAccess", "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the given scenario.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "OwnerAccess", "GraphRead" ] }, { "ControlID": "Azure_ContainerRegistry_DP_Store_SPN_Cred_In_KeyVault", "Description": "Credentials of service principal used for Container Registry must be stored in Key Vault", "Id": "ContainerRegistry130", "ControlSeverity": "High", "Enabled": true, "Automated": "No", "MethodName": "", "Rationale": "Keeping/sharing password in clear text can lead to easy compromise at various avenues during an application's life cycle. Storing them in a key vault ensures that they are protected at rest.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-build#create-service-principal-and-store-credentials for create service principal and store the credentials in Key Vault.", "Tags": [ "SDL", "TCP", "Manual", "SI" ] }, { "ControlID": "Azure_ContainerRegistry_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "ContainerRegistry140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckResourceRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Container Registry. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign 'Reader' RBAC role to the members/SPs who only required to pull images from the Registry. Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_ContainerRegistry_Configure_Webhook_For_Vuln_Scan", "Description": "Image vulnerability scan should be configured through webhook when images are pushed to Container Registry", "Id": "ContainerRegistry150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckContainerWebhooks", "Rationale": "Container image(s) having vulnerability (e.g. missing OS patches in base image, open ports in image) can lead to loss of sensitive enterprise data.", "Recommendation": "Refer: https://github.com/Azure/acr/blob/master/docs/acr-roadmap.md#vulnerability-scanning-integration, https://docs.microsoft.com/en-in/azure/container-registry/container-registry-webhook", "Tags": [ "SDL", "Best Practice", "Manual", "Config" ], "Enabled": true }, { "ControlID": "Azure_ContainerRegistry_Configure_Latest_Images", "Description": "Container Registry must have latest/patched image(s) all the time", "Id": "ContainerRegistry160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Un-patched images are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-base-image-update", "Tags": [ "SDL", "Best Practice", "Manual", "Config" ], "Enabled": true }, { "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust", "Description": "Content trust in Container Registry must be enabled", "Id": "ContainerRegistry170", "ControlSeverity": "Medium", "Enabled": true, "Automated": "Yes", "MethodName": "CheckContentTrust", "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the data received from a Registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.", "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. Refer: https://aka.ms/acr/content-trust.", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ] }, { "ControlID": "Azure_ContainerRegistry_Audit_Review_Logs", "Description": "Activity logs for Data Container Registry should be reviewed periodically", "Id": "ContainerRegistry180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic reviews of activity and audit logs ensures that anomalous activity can be identified early enough instead of after a major compromise.", "Recommendation": "Review activity logs to check critical activities (e.g. List Container Registry Login Credentials) on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs", "Tags": [ "SDL", "Best Practice", "Manual", "Audit" ], "Enabled": true }, { "ControlID": "Azure_ContainerRegistry_DP_Push_Only_Signed_Images", "Description": "Only signed images must be pushed in Container Registry", "Id": "ContainerRegistry190", "ControlSeverity": "Medium", "Enabled": true, "Automated": "No", "MethodName": "", "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the data received from a Registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.", "Recommendation": "Run command 'az acr repository show -n <RegistryName> --image <IamgeName>:<Tag>' from Azure cli to get signature details of the images. Refer: https://docs.docker.com/engine/security/trust/content_trust/#push-trusted-content", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ] } ] } |