Which Security policies to implement for Azure Container registry

curious7 251 Reputation points
2024-08-12T23:31:26.8566667+00:00

Please advise if there is a built-in Azure policy initiative for Azure container registry that we can use. We are looking to put Azure policies in place for ACR that align with WAF. What would be the considerations for this? Is there a security baseline recommended by Microsoft for ACR?

Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.

Accepted answer
  1. Vlad Costa 1,480 Reputation points
    2024-08-13T01:39:41.0033333+00:00

    Hi @curious7

    Microsoft provides a comprehensive security baseline for Azure Container Registry, which aligns with the Microsoft Cloud Security Benchmark. This baseline includes recommendations on network security, identity management, and privileged access. You can monitor compliance with these recommendations using Microsoft Defender for Cloud.

    References:
    https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/container-registry-security-baseline

    https://learn.microsoft.com/en-us/azure/container-registry/container-registry-azure-policy


    If this answers your question, please click Accept Answer and Yes if this answer was helpful. Doing so would help other community members with similar issues identify the solution. I highly appreciate your contribution to the community.


1 additional answer

  1. KarishmaTiwari-MSFT 19,952 Reputation points Microsoft Employee
    2024-08-16T21:31:57.9466667+00:00

    @curious7 Yes, there are built-in Azure Policy initiatives for Azure Container Registry (ACR) that you can use to enhance security and compliance.

    You can find built-in policies for ACR here: https://learn.microsoft.com/en-us/azure/container-registry/policy-reference

    Here are some key built-in policies for ACR:

    1. Container Registry should be Zone Redundant: Ensures that your container registry is configured for zone resilience, reducing the risk of downtime during zone outages.
    2. Container Registry should use a virtual network service endpoint: Audits any container registry not configured to use a virtual network service endpoint.
    3. Azure registry container images should have vulnerabilities resolved: Scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image.
    4. Configure container registries to disable anonymous authentication: Disables anonymous pull for your registry, ensuring that only authenticated users can access the data.
    5. Configure container registries to disable ARM audience token authentication: Ensures that only tokens meant for usage on the registry can be used for authentication.

    In addition to the answer above, when aligning Azure policies for ACR with Web Application Firewall (WAF) policies, consider the following:

    - Ensure that your ACR is integrated with virtual networks and private endpoints to restrict access.

    - Enable logging and monitoring to track access and changes to the registry. Use Azure Monitor and Azure Security Center for comprehensive monitoring.

    Let me know if you have any questions in the comments.

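As an added illustration of what the built-in policies listed in the answer above actually evaluate, the following script (not from the thread or from Microsoft) maps four of them to checks over a registry's ARM properties and reports which ones a sample registry would fail. The property names (`zoneRedundancy`, `anonymousPullEnabled`, `publicNetworkAccess`, `networkRuleSet.defaultAction`, `policies.azureADAuthenticationAsArmPolicy.status`) are assumed from the Microsoft.ContainerRegistry/registries resource schema, and the network check is an approximation of the service-endpoint/private-endpoint policies rather than their exact rule.

```python
"""Offline audit of an ACR resource against the built-in policies named in the answer."""
import copy
from typing import Any, Callable, Dict, List

# Constructed sample of a Microsoft.ContainerRegistry/registries resource as ARM would
# return it. Property names are assumed from the ARM schema, not taken from the thread.
SAMPLE_REGISTRY: Dict[str, Any] = {
    "name": "acrexample",
    "sku": {"name": "Premium"},
    "properties": {
        "zoneRedundancy": "Disabled",
        "anonymousPullEnabled": True,
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Allow"},
        "policies": {"azureADAuthenticationAsArmPolicy": {"status": "enabled"}},
    },
}

# Hardened copy of the same registry: every listed policy should report compliant.
HARDENED_REGISTRY = copy.deepcopy(SAMPLE_REGISTRY)
HARDENED_REGISTRY["properties"].update({
    "zoneRedundancy": "Enabled",
    "anonymousPullEnabled": False,
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny"},
    "policies": {"azureADAuthenticationAsArmPolicy": {"status": "disabled"}},
})

def _get(d: Any, path: str, default: Any = None) -> Any:
    """Dotted-path lookup that tolerates missing keys (a missing property is non-compliant)."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

# (policy display name as given in the answer, predicate returning True when compliant)
CHECKS: List[tuple[str, Callable[[Dict[str, Any]], bool]]] = [
    ("Container Registry should be Zone Redundant",
     lambda r: _get(r, "properties.zoneRedundancy") == "Enabled"),
    ("Configure container registries to disable anonymous authentication",
     lambda r: _get(r, "properties.anonymousPullEnabled", True) is False),
    ("Configure container registries to disable ARM audience token authentication",
     lambda r: str(_get(r, "properties.policies.azureADAuthenticationAsArmPolicy.status",
                        "enabled")).lower() == "disabled"),
    # Approximation of the network-restriction policies: public access off, or deny-by-default.
    ("Container Registry should use a virtual network service endpoint",
     lambda r: _get(r, "properties.publicNetworkAccess") == "Disabled"
               or _get(r, "properties.networkRuleSet.defaultAction") == "Deny"),
]

def evaluate(registry: Dict[str, Any]) -> Dict[str, bool]:
    """Return {policy name: compliant?} for one registry resource."""
    return {name: bool(pred(registry)) for name, pred in CHECKS}

def non_compliant(registry: Dict[str, Any]) -> List[str]:
    """Names of the listed policies this registry would fail."""
    return [name for name, ok in evaluate(registry).items() if not ok]

if __name__ == "__main__":
    for name in non_compliant(SAMPLE_REGISTRY):
        print("NonCompliant:", name)
```

Running it against a real registry means feeding the JSON from `az acr show` into `non_compliant()` instead of the constructed sample; the real Azure Policy evaluation is done by the policy engine, not by this script.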
