Ensure locks are enabled for Azure Container Registry

HIGH

Description

Ensure that a resource lock is enabled for each Azure Container Registry (ACR). Without a lock, the registry is exposed to unauthorized access: the integrity of applications that rely on the ACR could be compromised, and unauthorized individuals could gain access to sensitive container images, leading to potential misuse or unauthorized modifications.

Remediation

In the Azure Portal -

  1. Open the Azure Portal and go to Container Registries.
  2. Select the Container Registry you wish to edit.
  3. Under Settings, choose Locks.
  4. Create a new lock for the registry.

In Terraform -

  1. For each azurerm_container_registry resource, create an azurerm_management_lock resource.
  2. In the azurerm_management_lock resource, set the scope to the registry id.
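The Terraform remediation above, written out as an added example (not taken from the original page or from the Terraform provider docs): a registry with a management lock whose scope is the registry id. Resource group, registry name, location and SKU are placeholder values.

```hcl
# Resource group and registry (placeholder names, location and SKU)
resource "azurerm_resource_group" "acr" {
  name     = "rg-acr-example"
  location = "westeurope"
}

resource "azurerm_container_registry" "acr" {
  name                = "acrexample01"   # must be globally unique, alphanumeric only
  resource_group_name = azurerm_resource_group.acr.name
  location            = azurerm_resource_group.acr.location
  sku                 = "Premium"
  admin_enabled       = false            # keep the shared admin account off; use Azure AD identities
}

# Remediation for AC_AZURE_0185: one management lock per registry, scoped to the registry id.
# CanNotDelete blocks deletion of the registry (regardless of the caller's RBAC role) until the
# lock itself is removed, while image push/pull and routine configuration changes keep working.
# ReadOnly is stricter and also blocks management-plane writes, so it can interfere with operations.
resource "azurerm_management_lock" "acr" {
  name       = "lock-${azurerm_container_registry.acr.name}"
  scope      = azurerm_container_registry.acr.id
  lock_level = "CanNotDelete"
  notes      = "Protects the registry and its images from accidental or unauthorized deletion"
}
```

After `terraform apply`, `az lock list --resource-group rg-acr-example` should list the lock against the registry; a registry missing from that output is the condition this rule flags.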

References:
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-image-lock
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock

Policy Details

Rule Reference ID: AC_AZURE_0185
CSP: Azure
Remediation Available: Yes
Domain: Resilience
Resource Category: Compute

Frameworks