Ensure that admin user is disabled for Container Registry

This rule checks the value that indicates whether the admin user is enabled. Each container registry includes an admin user account, which is disabled by default. You can enable the admin user and manage its credentials in the Azure portal, or by using the Azure CLI or other Azure tools. All users authenticating with the admin account appear as a single user with push and pull access to the registry, so individual actions cannot be attributed to a specific identity. Changing or disabling this account disables registry access for all users who use its credentials.

Risk Level: Low
Cloud Entity: Container Registry
CloudGuard Rule ID: D9.AZU.AKS.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

ContainerRegistry should have properties.adminUserEnabled = false

REMEDIATION

From Portal

  1. Log in to your Azure portal.
  2. Navigate to 'Container Registry'.
  3. Under 'Settings' select 'Access Keys'.
  4. Ensure that the Admin user is set to Disabled.
  5. If it is enabled, disable it using the toggle.

From TF
Set the 'admin_enabled' argument under 'azurerm_container_registry' as below:

resource "azurerm_container_registry" "acr" {
  ...
  admin_enabled = false
  ...
}

From Command Line
Run

az acr update --name REGISTRYNAME --admin-enabled false
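The following script is an added example (not CloudGuard's or Azure's code) that evaluates the GSL logic above, properties.adminUserEnabled = false, over a set of registry resources and emits the matching az acr update command for every finding. It assumes the input is a list of resources in ARM shape, with the flag nested under properties and a top-level resourceGroup field; the three sample registries are constructed, and no Azure call is made.

```python
"""Audit Azure Container Registry resources for rule D9.AZU.AKS.01
(admin user must be disabled) and emit a remediation command per finding.

Added example, not CloudGuard's or Azure's own code. Input layout
(ARM-style `properties` block, top-level `resourceGroup`) is an assumption.
"""
from typing import Any, Dict, List, Optional

# Constructed sample input: three registries in ARM resource shape.
SAMPLE_REGISTRIES: List[Dict[str, Any]] = [
    {
        "name": "acrprod",
        "resourceGroup": "rg-prod",
        "type": "Microsoft.ContainerRegistry/registries",
        "properties": {"adminUserEnabled": False},
    },
    {
        "name": "acrlegacy",
        "resourceGroup": "rg-legacy",
        "type": "Microsoft.ContainerRegistry/registries",
        "properties": {"adminUserEnabled": True},
    },
    {
        "name": "acrnoprops",
        "resourceGroup": "rg-dev",
        "type": "Microsoft.ContainerRegistry/registries",
        "properties": {},
    },
]


def get_path(obj: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Look up a dotted path such as 'properties.adminUserEnabled'.
    Returns None when any segment is missing."""
    cur: Any = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_compliant(registry: Dict[str, Any]) -> bool:
    """Rule: the admin user flag must be present and exactly false.
    A missing flag is treated as a finding (fail closed) so that an
    incomplete export cannot silently pass the audit."""
    return get_path(registry, "properties.adminUserEnabled") is False


def audit(registries: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per non-compliant registry, including the
    `az acr update` command that disables the admin user."""
    findings: List[Dict[str, str]] = []
    for reg in registries:
        if reg.get("type") != "Microsoft.ContainerRegistry/registries":
            continue  # ignore unrelated resources in a mixed export
        if is_compliant(reg):
            continue
        value = get_path(reg, "properties.adminUserEnabled")
        findings.append({
            "name": reg["name"],
            "reason": ("adminUserEnabled not set" if value is None
                       else f"adminUserEnabled={value}"),
            "remediation": (
                f"az acr update --name {reg['name']} "
                f"--resource-group {reg['resourceGroup']} "
                f"--admin-enabled false"
            ),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REGISTRIES):
        print(f"{f['name']}: {f['reason']} -> {f['remediation']}")
```

Treating a missing adminUserEnabled value as a finding rather than as compliant is deliberate: the Azure default is disabled, but an audit that passes on absent data cannot distinguish "disabled" from "not exported", so the script reports it and lets the operator confirm in the portal or with az acr show.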

References

  1. https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
  2. https://learn.microsoft.com/en-us/cli/azure/acr?view=azure-cli-latest#az-acr-update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry#admin_enabled

Container Registry

Azure Container Registry allows you to build, store, and manage images for all types of container deployments, including DC/OS, Docker Swarm, Kubernetes, and Azure services such as App Service, Batch, Service Fabric, and others.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure Dashboard System Ruleset
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset