Ensure Container Registry has locks

When you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can't accidentally delete or overwrite.

Risk Level: Low
Cloud Entity: Container Registry
CloudGuard Rule ID: D9.AZU.AKS.02
Covered by Spectral: Yes
Category: Compute


ContainerRegistry should have locks


From Portal

  1. Log in to your Azure portal.
  2. Navigate to 'Container Registry'.
  3. Under 'Settings' select 'Locks'.
  4. Add a lock (select lock type : read-only/delete).
  5. Click on 'ok'.

From TF
Set the 'lock_level', 'name' and 'scope' argument under 'azurerm_management_lock' as below:

resource "azurerm_management_lock" "resource-level" {
	scope      = "SCOPE"
	lock_level = "LOCK_TYPE"
	notes      = "This Resource Group is Read-Only"

NOTE : lock_level can be 'CanNotDelete' or 'ReadOnly'.

From Command Line

az acr repository update --name REGISTRYNAME --repository REPOSITORY --read-enabled false --delete-enabled false


  1. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
  2. https://learn.microsoft.com/en-us/azure/container-registry/container-registry-image-lock
  3. https://learn.microsoft.com/en-us/cli/azure/acr/repository?view=azure-cli-latest#az-acr-repository-update
  4. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock#lock_level

Container Registry

Azure Container Registry allows you to build, store, and manage images for all types of container deployments. Azure Container Registry allows you to store images for all types of container deployments including DC/OS, Docker Swarm, Kubernetes, and Azure services such as App Service, Batch, Service Fabric, and others.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • CloudGuard Azure All Rules Ruleset