module/ConfigurationProvider/ControlConfigurations/Services/ContainerRegistry.json

{
    "FeatureName": "ContainerRegistry",
    "Reference": "aka.ms/azsktcp/containerregistry",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_ContainerRegistry_AuthZ_Disable_Admin_Account",
            "Description": "The Admin account in Container Registry should be disabled",
            "Id": "ContainerRegistry110",
            "ControlSeverity": "High",
            "Enabled": true,
            "Automated": "Yes",
            "MethodName": "CheckAdminUserStatus",
            "DisplayName": "The Admin account in Container Registry should be disabled",
            "Category": "Authentication must be enabled on all user accounts and services",
            "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
            "Rationale": "The Admin user account is designed for a single user to access the registry. Multiple users authenticating with the admin account appear as just one user to the registry. This leads to loss of auditability. Using AAD-based identity ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.",
            "Recommendation": "Run command: Update-AzContainerRegistry -DisableAdminUser -Name '<ContainerRegistryName>' -ResourceGroupName '<RGName>'. Run 'Get-Help Update-AzContainerRegistry -full' for more help. You can add AAD-based SPNs or user accounts to the appropriate RBAC role instead.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "ContainerRegistry",
                "Baseline",
                "Weekly"
            ],
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_AuthZ_Use_SPN_For_Registry_Access",
            "Description": "A service principal should be used to access container images in Container Registry",
            "Id": "ContainerRegistry120",
            "ControlSeverity": "Medium",
            "Enabled": false,
            "Automated": "Yes",
            "MethodName": "CheckResourceAccess",
            "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have a broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the given scenario.",
            "Recommendation": "Grant access to an SPN using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "OwnerAccess",
                "GraphRead",
                "ContainerRegistry"
            ],
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_DP_Store_SPN_Cred_In_KeyVault",
            "Description": "Credentials of service principal used for Container Registry must be stored in Key Vault",
            "Id": "ContainerRegistry130",
            "ControlSeverity": "High",
            "Enabled": false,
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Keeping/sharing passwords in clear text can lead to easy compromise at various points during an application's life cycle. Storing them in a key vault ensures that they are protected at rest.",
            "Recommendation": "To create an SPN and add the credential to a key vault refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-build#create-service-principal-and-store-credentials.",
            "Tags": [
                "SDL",
                "TCP",
                "Manual",
                "SI",
                "ContainerRegistry"
            ],
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_AuthZ_Grant_Min_RBAC_Access",
            "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
            "Id": "ContainerRegistry140",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckResourceRBACAccess",
            "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
            "Recommendation": "Remove any excessive privileges granted on the Container Registry. Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Assign the 'Reader' RBAC role to members/SPs who only need to pull images from the Registry. Refer: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "RBAC",
                "ContainerRegistry"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_Configure_Webhook_For_Vuln_Scan",
            "Description": "Image vulnerability scan should be configured through webhook when images are pushed to Container Registry",
            "Id": "ContainerRegistry150",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckContainerWebhooks",
            "Rationale": "Container image(s) having vulnerabilities (e.g., missing OS patches in base image, open ports, etc.) can lead to attacks and subsequent loss of sensitive enterprise data.",
            "Recommendation": "Configure a vulnerability scanner using guidance here: https://github.com/Azure/acr/blob/master/docs/acr-roadmap.md#vulnerability-scanning-integration, https://docs.microsoft.com/en-in/azure/container-registry/container-registry-webhook",
            "Tags": [
                "SDL",
                "Best Practice",
                "Automated",
                "Config",
                "ContainerRegistry"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_Configure_Latest_Images",
            "Description": "Container Registry must have latest/patched image(s) all the time",
            "Id": "ContainerRegistry160",
            "ControlSeverity": "Medium",
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Unpatched images are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. Automated patching ensures that the window for attacks on container images is minimized.",
            "Recommendation": "Set up automated builds using the guidance here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-base-image-update",
            "Tags": [
                "SDL",
                "Best Practice",
                "Manual",
                "Config",
                "ContainerRegistry"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_DP_Enable_Content_Trust",
            "Description": "Content trust must be enabled for the Container Registry",
            "Id": "ContainerRegistry170",
            "ControlSeverity": "Medium",
            "Enabled": true,
            "Automated": "Yes",
            "MethodName": "CheckContentTrust",
            "DisplayName": "Content trust must be enabled for the Container Registry",
            "Category": "Encrypt data at rest",
            "ControlRequirements": "Data must be encrypted in transit and at rest",
            "Rationale": "Content trust gives the ability to verify both the integrity and the publisher of all the image content received from a registry over any channel. If a container image is served from an untrusted registry, the image itself may not be trustworthy/stable. Running such a compromised image can lead to loss of sensitive enterprise data.",
            "Recommendation": "Go to Azure Portal --> your Container Registry --> Content Trust --> Enabled. This feature is currently available only in Premium SKU. After enabling Content Trust, push only trusted images in the repositories. Refer: https://aka.ms/acr/content-trust.",
            "Tags": [
                "SDL",
                "Best Practice",
                "Automated",
                "DP",
                "ContainerRegistry",
                "Baseline",
                "Weekly"
            ],
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "TrustPolicyStatus"
                ]
            },
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_Audit_Review_Logs",
            "Description": "Activity logs for Container Registry should be reviewed periodically",
            "Id": "ContainerRegistry180",
            "ControlSeverity": "Medium",
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Periodic reviews of activity and audit logs ensure that anomalous activity can be identified early enough, instead of after a major compromise.",
            "Recommendation": "Review activity logs to check critical activities (e.g. List Container Registry Login Credentials) on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",
            "Tags": [
                "SDL",
                "Best Practice",
                "Manual",
                "Audit",
                "ContainerRegistry"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_DP_Push_Only_Signed_Images",
            "Description": "Only signed images must be pushed to Container Registry",
            "Id": "ContainerRegistry190",
            "ControlSeverity": "Medium",
            "Enabled": false,
            "Automated": "No",
            "MethodName": "",
            "Rationale": "A container image that is not signed can be exposed to malicious changes. Signing and signature verification ensure that only trusted images are able to run.",
            "Recommendation": "Run command 'az acr repository show -n <RegistryName> --image <ImageName>:<Tag>' from the Azure CLI to get signature details of the images. Refer: https://docs.docker.com/engine/security/trust/content_trust/#push-trusted-content",
            "Tags": [
                "SDL",
                "Best Practice",
                "Manual",
                "DP"
            ],
            "CustomTags": []
        },
        {
            "ControlID": "Azure_ContainerRegistry_Config_Enable_Security_Scanning",
            "Description": "Configure access for required identities to enable security scans of registry images.",
            "Id": "ContainerRegistry200",
            "ControlSeverity": "High",
            "Enabled": true,
            "Automated": "Yes",
            "MethodName": "CheckConfigRequiredForRegistryImageScans",
            "DisplayName": "Security scanner identity must be granted access to Container Registry for image scans",
            "Category": "Reader role access to all subscription and resources",
            "ControlRequirements": "Security team visibility into all Microsoft assets",
            "Rationale": "Images in a container registry need to be regularly scanned for vulnerabilities. The enterprise-wide solution deployed for this needs access to read the images from the registry to perform the scans.",
            "Recommendation": "Run command 'New-AzRoleAssignment -ObjectId {ObjectId} -RoleDefinitionName {RoleName} -Scope {Scope}'. Run 'Get-Help New-AzRoleAssignment -full' for more help.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "ContainerRegistry",
                "Baseline",
                "Daily"
            ],
            "ControlSettings": {
                "CentralAccount": []
            },
            "CustomTags": [
                "MSD",
                "TenantBaseline",
                "Prod",
                "CSEOBaseline",
                "CSEOPilot",
                "Wave8",
                "SN:ContainerRegistry_Scanner"
            ]
        }
    ]
}