Container registry anonymous pull access is enabled#

Security · Container Registry · Rule · 2024_12 · Important

Anonymous pull access allows unidentified downloading of images and metadata from a container registry.

Description#

By default, Azure Container Registry (ACR) requires you to be authorized before you push or pull content from the registry. When anonymous pull access is enabled:

  • Any client with network access can pull content from the entire registry without authorization.
  • Repository-scoped tokens cannot be used to limit pull access; any token will be able to pull all content.

Recommendation#

Consider disabling anonymous pull access in scenarios that require user authentication.

Examples#

Configure with Azure template#

To deploy registries that pass this rule:

  • Set the properties.anonymousPullEnabled property to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "anonymousPullEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep#

To deploy registries that pass this rule:

  • Set the properties.anonymousPullEnabled property to false.

For example:

Azure Bicep snippet
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    anonymousPullEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/container-registry/registry:<version>

To use the latest version:

br/public:avm/res/container-registry/registry:0.6.0

Configure with Azure CLI#

To configure registries that pass this rule:

Azure CLI snippet
az acr update -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false

Configure with Azure Policy#

To address this issue at runtime, use the following policies:

Notes#

Anonymous pull access is only available in the Standard and Premium service tiers.

This rule may generate false positives in specific scenarios where you intend to distribute OCI content to Internet users. For example: you are a software vendor and intend to distribute container images of your software to customers.
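The following is an added example, not PSRule's own rule implementation, showing how the check described on this page can be evaluated offline against a parsed ARM template: it reads `properties.anonymousPullEnabled` from each `Microsoft.ContainerRegistry/registries` resource, treats an omitted property as the ACR default (authenticated access), reports an unresolved template expression as undetermined rather than guessing, and uses the tier note above to annotate SKUs that do not offer anonymous pull. The sample template is constructed for this example; the function and variable names are this example's own.

```python
"""Offline evaluation of ACR anonymous pull access in ARM templates.

Added example, not PSRule's implementation: it re-creates the check this
rule describes so it can be run against template JSON without Azure access.
"""
import json

REGISTRY_TYPE = "Microsoft.ContainerRegistry/registries"
# Per the rule's Notes, only these tiers offer anonymous pull access.
TIERS_WITH_ANON_PULL = {"Standard", "Premium"}


def check_registry(resource):
    """Return (passed, reason) for one registry resource dict.

    passed is True (compliant), False (anonymous pull enabled) or None
    (value is a template expression that cannot be resolved statically).
    """
    props = resource.get("properties") or {}
    sku = (resource.get("sku") or {}).get("name")
    # ACR requires authentication when the property is omitted.
    anon = props.get("anonymousPullEnabled", False)
    if isinstance(anon, str) and anon.startswith("["):
        return None, f"anonymousPullEnabled is the expression {anon!r}; resolve parameters first"
    if anon is True:
        note = "" if sku in TIERS_WITH_ANON_PULL else f" (sku {sku!r} does not offer anonymous pull)"
        return False, "anonymousPullEnabled is true" + note
    return True, "anonymousPullEnabled is false or omitted"


def evaluate_template(template):
    """Run check_registry over every registry resource; return a list of findings."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != REGISTRY_TYPE:
            continue
        passed, reason = check_registry(res)
        findings.append({"name": res.get("name"), "passed": passed, "reason": reason})
    return findings


# Constructed sample template: one compliant registry, one that enables
# anonymous pull, and one whose value comes from a template parameter.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "name": "acrprivate",
      "sku": {"name": "Premium"},
      "properties": {"adminUserEnabled": false, "anonymousPullEnabled": false}
    },
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "name": "acrpublic",
      "sku": {"name": "Standard"},
      "properties": {"anonymousPullEnabled": true}
    },
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "name": "acrparam",
      "sku": {"name": "Premium"},
      "properties": {"anonymousPullEnabled": "[parameters('anonPull')]"}
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "notaregistry"
    }
  ]
}
""")


if __name__ == "__main__":
    for finding in evaluate_template(SAMPLE_TEMPLATE):
        status = {True: "PASS", False: "FAIL", None: "UNKNOWN"}[finding["passed"]]
        print(f"{status:8}{finding['name']}: {finding['reason']}")
```

Registries flagged `FAIL` are the ones to remediate with the template, Bicep or CLI settings shown above; an `UNKNOWN` result means the value is parameterised and the check should be re-run with the parameters resolved rather than assumed compliant.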