Ensure Container Registry has locks
When you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can't accidentally delete or overwrite.
Risk Level: Low
Cloud Entity: Container Registry
CloudGuard Rule ID: D9.AZU.AKS.02
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
ContainerRegistry should have locks
REMEDIATION
From Portal
- Log in to your Azure portal.
- Navigate to 'Container Registry'.
- Under 'Settings' select 'Locks'.
- Add a lock (select the lock type: Read-only or Delete).
- Click 'OK'.
From TF
Set the 'lock_level', 'name' and 'scope' arguments under 'azurerm_management_lock' as below:
resource "azurerm_management_lock" "resource-level" {
  ...
  name       = "NAME_OF_MANAGEMENT_LOCK"
  scope      = "SCOPE"
  lock_level = "LOCK_TYPE"
  notes      = "This Resource Group is Read-Only"
  ...
}
NOTE: lock_level can be 'CanNotDelete' or 'ReadOnly'.
From Command Line
Run
az acr repository update --name REGISTRYNAME --repository REPOSITORY --read-enabled false --delete-enabled false
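As an added example (not part of the CloudGuard rule page), the GSL logic "ContainerRegistry should have locks" evaluated offline in Python over JSON shaped like `az acr list -o json` and `az lock list -o json`; it also credits locks inherited from resource-group or subscription scope, which Azure applies to child resources. The `id`, `name` and `level` fields follow the az CLI output; the subscription, registry and lock values are constructed.

```python
# Added example: offline check for "ContainerRegistry should have locks".
import json

ACCEPTED_LEVELS = {"CanNotDelete", "ReadOnly"}  # same values as Terraform lock_level
LOCK_SUFFIX = "/providers/Microsoft.Authorization/locks/"


def lock_scope(lock_id: str) -> str:
    """Scope a lock applies to: its resource id minus the trailing lock segment."""
    idx = lock_id.lower().rfind(LOCK_SUFFIX.lower())
    return lock_id if idx < 0 else lock_id[:idx]


def effective_locks(registry_id: str, locks: list) -> list:
    """Lock levels protecting a registry, including locks inherited from its
    resource group or subscription (a parent-scope lock covers the registry)."""
    rid = registry_id.lower()
    levels = []
    for lock in locks:
        scope = lock_scope(lock["id"]).lower()
        inherited = rid == scope or rid.startswith(scope + "/")
        if inherited and lock.get("level") in ACCEPTED_LEVELS:
            levels.append(lock["level"])
    return levels


def unlocked_registries(registries: list, locks: list) -> list:
    """Names of registries that fail the rule (no effective lock)."""
    return [r["name"] for r in registries if not effective_locks(r["id"], locks)]


# Constructed sample data (placeholder subscription id, invented registry names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACR = "/providers/Microsoft.ContainerRegistry/registries/"
REGISTRIES = [
    {"name": "acrprod", "id": f"{SUB}/resourceGroups/rg-prod{ACR}acrprod"},
    {"name": "acrdev", "id": f"{SUB}/resourceGroups/rg-dev{ACR}acrdev"},
    {"name": "acrtest", "id": f"{SUB}/resourceGroups/rg-test{ACR}acrtest"},
]
LOCKS = [
    # Resource-level lock directly on acrprod.
    {"name": "no-delete", "level": "CanNotDelete", "id": REGISTRIES[0]["id"] + LOCK_SUFFIX + "no-delete"},
    # Resource-group-level lock that acrdev inherits.
    {"name": "rg-ro", "level": "ReadOnly", "id": f"{SUB}/resourceGroups/rg-dev" + LOCK_SUFFIX + "rg-ro"},
]

if __name__ == "__main__":
    print(json.dumps({"non_compliant": unlocked_registries(REGISTRIES, LOCKS)}, indent=2))
```

In practice, feed the function the output of `az acr list -o json` and `az lock list -o json` for the subscription being reviewed.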
References
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
- https://learn.microsoft.com/en-us/azure/container-registry/container-registry-image-lock
- https://learn.microsoft.com/en-us/cli/azure/acr/repository?view=azure-cli-latest#az-acr-repository-update
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock#lock_level
Container Registry
Azure Container Registry allows you to build, store, and manage images for all types of container deployments, including DC/OS, Docker Swarm, Kubernetes, and Azure services such as App Service, Batch, Service Fabric, and others.
Compliance Frameworks
- Azure CloudGuard Best Practices
- Azure CloudGuard CheckUp
- CloudGuard Azure All Rules Ruleset