Profile Applicability:
Level 1
Description:
Azure Container Registry (ACR) provides a private registry for storing and managing Docker container images. To minimize the risk of unauthorized access, it is essential to restrict user access to ACR. This check ensures that only authorized users and service principals are granted the minimum required access to ACR, following the principle of least privilege.
Rationale:
Restricting user access to ACR helps reduce the potential attack surface by preventing unauthorized access to container images. By enforcing role-based access control (RBAC), organizations can ensure that only users who need to push, pull, or manage images are granted appropriate permissions. This approach enhances security by limiting access to sensitive images stored in ACR.
Impact:
Pros:
Enhances security by limiting who can access and manage images in ACR.
Reduces the potential risk of malicious users tampering with or deploying unauthorized container images.
Cons:
Additional configuration effort to manage RBAC roles and permissions.
Could disrupt workflows if users or service accounts that previously relied on broader access are restricted.
Default Value:
By default, Azure Container Registry does not have RBAC configured, allowing all users with proper Azure Active Directory access to perform operations on ACR.
Pre-requisites:
Ensure that Azure Active Directory (AAD) authentication is enabled for Azure Container Registry, and that RBAC is configured for managing access.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Container Registry (ACR).
Review the Access Control (IAM) settings under Security.
Ensure that only authorized users, groups, and service principals have the appropriate roles (e.g., AcrPull, AcrPush, AcrDelete) assigned.
Using Azure CLI:
Use the following command to check the current access control settings for your ACR:
az acr show --name <acr-name> --query "identity"
Review the role assignments for users or service principals with the following command:
az role assignment list --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Ensure that the correct roles are assigned to the right users or service principals.
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to Azure Container Registry and access Access Control (IAM).
Assign the appropriate built-in roles (e.g., AcrPull for pulling images, AcrPush for pushing images) to users or groups that require access.
Ensure that users or service principals who do not need access to ACR are removed from the role assignments.
Using Azure CLI:
To assign a role to a user or service principal, use the following command:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Remove unnecessary role assignments using the following command:
az role assignment delete --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Verify that the correct roles are assigned based on user needs.
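The test plan above (review the role assignments on the registry scope) and the implementation plan (remove assignments that are not needed, keep only the roles each principal requires) can be carried out as one audit. The following script is an added example written for this item; it is not part of the benchmark text and not Microsoft tooling. It reads the JSON that the test-plan command az role assignment list prints for the registry scope (adding --include-inherited so assignments granted at the resource group or subscription also appear), compares every assignment against an allow-list of (principal object id, role) pairs, and for each finding emits the az role assignment delete command from the implementation plan. The subscription id, resource group, registry name, principal ids and names are constructed placeholders; the field names are the ones the Azure CLI emits.

```python
"""Audit Azure Container Registry (ACR) role assignments against a least-privilege allow-list.

Added example, not benchmark or Microsoft code. Feed it the output of:

    az role assignment list --scope <registry-scope> --include-inherited -o json

The sample below is constructed so the script runs offline.
"""
import json

# Constructed placeholders: replace with the real subscription, resource group and registry.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-images"
REGISTRY_SCOPE = f"{RG_SCOPE}/providers/Microsoft.ContainerRegistry/registries/acrexample"

# Constructed sample output. The keys (principalId, principalName, principalType,
# roleDefinitionName, scope) match what `az role assignment list` prints; the values are made up.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "ci-pipeline-sp",
     "principalType": "ServicePrincipal", "roleDefinitionName": "AcrPush", "scope": REGISTRY_SCOPE},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "aks-cluster-identity",
     "principalType": "ServicePrincipal", "roleDefinitionName": "AcrPull", "scope": REGISTRY_SCOPE},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalName": "alice@example.com",
     "principalType": "User", "roleDefinitionName": "AcrDelete", "scope": REGISTRY_SCOPE},
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalName": "bob@example.com",
     "principalType": "User", "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
])

# Allow-list maintained by the registry owner: (principal object id, role) pairs that are expected.
APPROVED = {
    ("11111111-1111-1111-1111-111111111111", "AcrPush"),  # CI pipeline publishes images
    ("22222222-2222-2222-2222-222222222222", "AcrPull"),  # AKS cluster identity pulls images
}

# Owner and Contributor grant full management of the registry, far beyond push/pull,
# so a holder of either is always reported, whether or not someone approved it.
BROAD_ROLES = {"Owner", "Contributor"}


def load_assignments(text: str) -> list[dict]:
    """Parse the JSON printed by `az role assignment list -o json`."""
    return json.loads(text)


def delete_command(assignment: dict) -> str:
    """Build the implementation-plan removal command for one assignment.

    A role assignment can only be deleted at the scope where it was granted, so an
    inherited assignment is removed at its parent scope, not at the registry scope.
    """
    return (f"az role assignment delete --assignee {assignment['principalId']} "
            f"--role {assignment['roleDefinitionName']} --scope {assignment['scope']}")


def audit(assignments: list[dict], approved: set, registry_scope: str) -> list[dict]:
    """Return one finding per assignment that is broad or not on the allow-list."""
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role in BROAD_ROLES:
            reason = "broad role grants full registry management, not just push/pull"
        elif (a["principalId"], role) not in approved:
            reason = "assignment is not on the approved list"
        else:
            continue  # expected least-privilege assignment
        if a["scope"] != registry_scope:
            reason += f" (inherited from {a['scope']})"
        findings.append({
            "principal": a["principalName"],
            "principal_type": a["principalType"],
            "role": role,
            "reason": reason,
            "remediation": delete_command(a),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(load_assignments(SAMPLE_ASSIGNMENTS), APPROVED, REGISTRY_SCOPE):
        print(f"{finding['principal']} ({finding['principal_type']}) holds {finding['role']}: "
              f"{finding['reason']}\n    {finding['remediation']}")
```

Run against the sample, the audit reports the AcrDelete assignment for alice@example.com (not on the allow-list) and the Contributor assignment for bob@example.com (broad role, inherited from the resource group). The generated commands are printed rather than executed so a reviewer confirms each one before running it; the approved CI and AKS identities produce no findings.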
Backout Plan:
Using Azure Console:
If restricting access causes issues with workflows, restore previous role assignments in the Azure portal by re-adding users or service principals to the appropriate roles.
Using Azure CLI:
Revert role assignments by adding users or service principals back to the required roles using the az role assignment create command:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>