Profile Applicability:
Level 1
Description:
Limiting the Azure Container Registry (ACR) access granted to your cluster to read-only ensures that workloads in the cluster can pull images but cannot push, overwrite or delete them. This check ensures that only the principals that genuinely need to publish images (typically a CI/CD pipeline identity) hold a push-capable role on the registry, while the cluster's own identity and all other users and service principals have read-only access to pull images from ACR.
Rationale:
By minimizing access to read-only, you prevent accidental or unauthorized modification of container images stored in ACR. A principal that can push can replace the image behind an existing tag, so every workload that subsequently pulls that tag runs the replaced image; restricting push therefore protects the integrity of everything the cluster deploys, not just new images. It is a security best practice to grant write permissions to a small, explicitly approved set of users or service principals and to give read-only access to everyone else, including the cluster identity.
Impact:
Pros:
Limits the potential for malicious or accidental changes to images in ACR.
Enhances security by enforcing strict access control for writing to the registry.
Cons:
Additional configuration and monitoring are required to ensure that only authorized users can push images.
Might require updates to the CI/CD pipeline if it previously pushed images using the cluster's identity or another identity that now loses push access.
Default Value:
A new registry has no data-plane role assignments of its own, but assignments inherited from the subscription or resource group apply to it: principals holding Owner or Contributor at a parent scope can push, pull and delete images, and Reader grants pull. The registry's admin user account is disabled by default; if enabled, it provides full push and pull access through a single shared credential. Limiting access to read-only therefore requires reviewing inherited assignments as well as assignments made directly on the registry.
Pre-requisites:
Ensure that Microsoft Entra ID (formerly Azure Active Directory) authentication is used for ACR, that the registry's admin user account is disabled, and that role-based access control (RBAC) is properly configured for the registry.
Remediation:
Test Plan:
Using Azure Portal:
Navigate to the Azure portal and open the Azure Container Registry (ACR) resource.
Select Access control (IAM) and open the Role assignments tab to review who has been granted which role on the registry, including assignments inherited from the resource group and subscription.
Ensure that the roles AcrPull (read-only) and AcrPush (write access) are assigned appropriately. Only principals that need to push images should hold AcrPush; also treat Owner, Contributor and AcrDelete as write-capable, since they allow images to be pushed or deleted.
Using Azure CLI:
List the current role assignments for ACR, including those inherited from parent scopes, to verify the access levels:
az role assignment list --include-inherited --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name> --output table
Ensure that users and service principals who do not need to push images are only assigned the AcrPull role, while only trusted principals hold AcrPush. Principals with Owner or Contributor at the registry or a parent scope can also push and should be reviewed in the same way.
Implementation Plan:
Using Azure Portal:
In the Azure portal, go to the Azure Container Registry resource and select Access control (IAM).
Assign the AcrPull role to users, service principals and managed identities (including the cluster's kubelet identity) that need read-only access to pull images from the registry.
Assign the AcrPush role only to the users, service principals or managed identities that need to push images to the registry.
Review and remove AcrPush from any principal that does not need write access. Where push is granted through Owner or Contributor on a parent scope, remove or narrow that assignment at the scope where it was made.
Using Azure CLI:
Assign the AcrPull role to users or service principals requiring read-only access:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPull --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Assign the AcrPush role to users or service principals that need write access:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Remove the AcrPush role from unauthorized users or service principals with:
az role assignment delete --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
This removes only assignments made at the registry scope itself. An assignment inherited from the resource group or subscription must be deleted using that parent scope as the --scope value.
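The audit in the test plan and the removal step above can be driven from the JSON that az prints. The script below is an added example for this page, not benchmark content or Microsoft tooling; it consumes the output of az role assignment list --include-inherited -o json and sorts each assignment into pull-only, approved push, direct write assignments to remove, and write assignments inherited from a parent scope. The registry path, principal names and identifiers are constructed placeholders so it runs offline, and the approved-pusher list is an assumption you would populate with your own CI identity. It also makes explicit two points the steps above only mention: Owner and Contributor count as push, and an inherited assignment is not removed by deleting at the registry scope.

```python
"""Audit who can write to an Azure Container Registry.

Added example for this recommendation; not part of the benchmark and not a
Microsoft tool. Classifies the JSON printed by
  az role assignment list --scope <registry-id> --include-inherited -o json
Registry, identifiers and principal names below are constructed placeholders.
"""
import json
import sys

# Built-in roles that allow pushing or deleting images. Owner and Contributor
# are management-plane roles, but on a registry they also grant push, pull and
# delete, so an inherited Contributor at the resource group is a writer.
PUSH_CAPABLE_ROLES = {"AcrPush", "AcrDelete", "Owner", "Contributor"}
PULL_ONLY_ROLES = {"AcrPull", "Reader"}

# Constructed placeholder scope (assumption: fictitious subscription/RG/name).
REGISTRY_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-platform"
    "/providers/Microsoft.ContainerRegistry/registries/contosoacr"
)
PARENT_SCOPE = REGISTRY_SCOPE.split("/providers/")[0]  # the resource group

# Constructed sample of `az role assignment list` output, trimmed to the
# fields used here. Only the CI release identity is an approved pusher.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "aks-agentpool-mi", "principalType": "ServicePrincipal",
     "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "AcrPull", "scope": REGISTRY_SCOPE},
    {"principalName": "ci-release-sp", "principalType": "ServicePrincipal",
     "principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "AcrPush", "scope": REGISTRY_SCOPE},
    {"principalName": "dev-user@contoso.example", "principalType": "User",
     "principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "AcrPush", "scope": REGISTRY_SCOPE},
    {"principalName": "ops-team", "principalType": "Group",
     "principalId": "44444444-4444-4444-4444-444444444444",
     "roleDefinitionName": "Contributor", "scope": PARENT_SCOPE},
]
APPROVED_PUSHERS = {"22222222-2222-2222-2222-222222222222"}  # assumption


def audit_registry_access(assignments, registry_scope, approved_pushers):
    """Split assignments into the buckets the test plan asks about.

    pull_only     - read roles only (fine)
    approved_push - write-capable and on the allow list (fine)
    remove_direct - write-capable, not approved, granted on the registry
                    itself; removable with `az role assignment delete`
    inherited     - write-capable, not approved, granted on a parent scope;
                    deleting at the registry scope will not remove it
    review        - custom or unrecognised roles; resolve their actions
    """
    result = {k: [] for k in ("pull_only", "approved_push", "remove_direct",
                              "inherited", "review")}
    for a in assignments:
        role = a["roleDefinitionName"]
        if role in PULL_ONLY_ROLES:
            result["pull_only"].append(a)
        elif role in PUSH_CAPABLE_ROLES:
            if a["principalId"] in approved_pushers:
                result["approved_push"].append(a)
            elif a["scope"].lower() == registry_scope.lower():
                result["remove_direct"].append(a)
            else:
                result["inherited"].append(a)
        else:
            result["review"].append(a)
    return result


def remediation_commands(report):
    """az commands that remove the direct, registry-scoped write assignments."""
    return [
        "az role assignment delete --assignee {} --role {} --scope {}".format(
            a["principalId"], a["roleDefinitionName"], a["scope"])
        for a in report["remove_direct"]
    ]


def main(argv):
    # Pass a file saved from `az role assignment list ... -o json`, or run
    # with no argument to use the constructed sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            assignments = json.load(fh)
    else:
        assignments = SAMPLE_ASSIGNMENTS
    report = audit_registry_access(assignments, REGISTRY_SCOPE, APPROVED_PUSHERS)
    for bucket, items in report.items():
        for a in items:
            print(f"{bucket:14} {a['roleDefinitionName']:12} "
                  f"{a['principalName']} ({a['scope']})")
    for cmd in remediation_commands(report):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, the kubelet identity is pull-only, the CI identity is an approved pusher, the developer's direct AcrPush produces one delete command, and the group's Contributor on the resource group is reported as inherited rather than given a registry-scoped delete that would not remove it.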
Backout Plan:
Using Azure Portal:
If restricting access breaks a workflow (for example a pipeline that can no longer push), revert to the previous configuration in the Azure portal by reassigning the AcrPush role to the affected users or service principals under Access control (IAM).
Using Azure CLI:
Revert changes by reassigning AcrPush to users or service principals who need write access:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>