Ensure that customer managed key is used for encryption for Azure Container Registry

MEDIUM

Description

By default, when you store images and other artifacts in an Azure Container Registry, content is automatically encrypted at rest with Microsoft-managed keys. However, Microsoft-managed keys do not satisfy stricter compliance requirements that call for the customer to control the encryption key; those require a customer-managed key held in Azure Key Vault.

Remediation

In Azure Console -

  1. Create a managed identity.
  2. Create a key vault.
  3. Enable key vault access by managed identity.
  4. Create a key.
  5. Go to the container registries console.
  6. Create an Azure container registry.
  7. In the Encryption tab, in Customer-managed key, select Enabled.

In Terraform -

  1. In the azurerm_container_registry resource, add an 'encryption' block with enabled = true.
  2. Provide a valid key_vault_key_id for the Key Vault key you wish to use for encryption.
  3. Provide a valid identity_client_id for the client ID of the managed identity that should be associated with the encryption.
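The Terraform remediation above, wired end to end as an added example written for this page (not taken from the rule or the referenced provider docs). It assumes azurerm 3.x provider syntax, a resource group named rg-acr-cmk-example that already exists, and that the principal running Terraform already has key-creation rights on the vault; every resource name is a placeholder.

```hcl
data "azurerm_client_config" "current" {}
# Assumed: the resource group already exists and the deploying principal can create keys in the vault.
data "azurerm_resource_group" "rg" { name = "rg-acr-cmk-example" }

resource "azurerm_user_assigned_identity" "acr" {
  name                = "id-acr-cmk-example"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
}

resource "azurerm_key_vault" "cmk" {
  name                     = "kv-acr-cmk-example" # globally unique, 3-24 chars
  location                 = data.azurerm_resource_group.rg.location
  resource_group_name      = data.azurerm_resource_group.rg.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true # a key used as a CMK must live in a purge-protected vault
}

# Least privilege: the registry's identity only needs to read the key and wrap/unwrap with it.
resource "azurerm_key_vault_access_policy" "acr" {
  key_vault_id    = azurerm_key_vault.cmk.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_user_assigned_identity.acr.principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_key_vault_key" "acr" {
  name         = "acr-cmk"
  key_vault_id = azurerm_key_vault.cmk.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["unwrapKey", "wrapKey"]
}

resource "azurerm_container_registry" "acr" {
  name                = "acrcmkexample" # alphanumeric only, globally unique
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  sku                 = "Premium" # customer-managed keys require the Premium SKU
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.acr.id]
  }
  encryption {
    enabled            = true
    key_vault_key_id   = azurerm_key_vault_key.acr.id
    identity_client_id = azurerm_user_assigned_identity.acr.client_id
  }
}
```

A registry that omits the encryption block, or sets enabled = false, is the condition this rule flags.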

References:
https://learn.microsoft.com/en-us/azure/container-registry/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry#encryption

Policy Details

Rule Reference ID: AC_AZURE_0228
CSP: Azure
Remediation Available: Yes
Resource Category: Compute

Frameworks