Container Registry local admin account is enabled
Security · Container Registry · Rule · 2020_06 · Critical
The local admin account allows depersonalized access to a container registry using a shared secret.
Description
Azure Container Registry (ACR) includes a built-in local admin user account. The local admin account is a single user account with administrative access to the registry. This account is intended for early proofs of concept and for working with sample code. The admin user account is not intended for general use with container registries.
Instead of using the admin account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including:
- Strong account protection controls with conditional access, identity governance, and privileged identity management.
- Auditing and reporting of account activity.
- Granular access control with role-based access control (RBAC).
- Separation of account types for users and applications.
Recommendation
Consider disabling the local admin account and using only identity-based authentication for registry operations.
Examples
Configure with Azure template
To deploy registries that pass this rule:
- Set properties.adminUserEnabled to false.
For example:
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      }
    }
  }
}
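A small static check for the setting above, added here as an example (it is not part of the page or of the PSRule project): it walks the resources of an ARM template, including nested ones, and reports any container registry whose adminUserEnabled is true, or is a template expression that cannot be evaluated before deployment. The sample template is constructed, and the check assumes that an omitted adminUserEnabled means the service default of disabled.

```python
import json

# Constructed sample ARM template (not from the original page): one compliant
# registry, one with the local admin account enabled, one whose value is a
# template expression, and one unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.ContainerRegistry/registries",
         "apiVersion": "2023-07-01", "name": "acrgood",
         "properties": {"adminUserEnabled": False}},
        {"type": "Microsoft.ContainerRegistry/registries",
         "apiVersion": "2023-07-01", "name": "acrbad",
         "properties": {"adminUserEnabled": True}},
        {"type": "Microsoft.ContainerRegistry/registries",
         "apiVersion": "2023-07-01", "name": "acrparam",
         "properties": {"adminUserEnabled": "[parameters('adminEnabled')]"}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "unrelated"},
    ]
})

REGISTRY_TYPE = "microsoft.containerregistry/registries"


def iter_resources(resources):
    """Yield every resource, descending into nested 'resources' arrays."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources", []))


def admin_user_findings(template_text):
    """Return (name, reason) for each registry that fails or needs review.

    Assumption: when adminUserEnabled is omitted, the service default
    (local admin disabled) applies, so the resource passes.
    """
    template = json.loads(template_text)
    findings = []
    for res in iter_resources(template.get("resources", [])):
        if str(res.get("type", "")).lower() != REGISTRY_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        value = res.get("properties", {}).get("adminUserEnabled", False)
        if value is True:
            findings.append((name, "adminUserEnabled is true"))
        elif isinstance(value, str) and value.strip().startswith("["):
            # An ARM expression: the value is only known at deployment time.
            findings.append((name, "adminUserEnabled is a template expression; review before deployment"))
    return findings


if __name__ == "__main__":
    for name, reason in admin_user_findings(SAMPLE_TEMPLATE):
        print(f"FAIL local admin account check: {name}: {reason}")
```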
Configure with Bicep
To deploy registries that pass this rule:
- Set properties.adminUserEnabled to false.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
    }
  }
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
For example:
To use the latest version:
Configure with Azure CLI
To configure registries that pass this rule:
Configure with Azure PowerShell
To configure registries that pass this rule:
Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Container registries should have local admin account disabled: /providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2
- Configure container registries to disable local admin account: /providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759
Links
- SE:05 Identity and access management
- Authenticate with a private Docker container registry
- Best practices for Azure Container Registry
- Use an Azure managed identity to authenticate to an Azure container registry
- Azure Container Registry roles and permissions
- What is Azure role-based access control (Azure RBAC)?
- IM-1: Use centralized identity and authentication system
- IM-3: Manage application identities securely and automatically
- PA-1: Separate and limit highly privileged/administrative users
- Azure Policy Regulatory Compliance controls for Azure Container Registry
- Azure deployment reference