Container registry anonymous pull access is enabled#
Security · Container Registry · Rule · 2024_12 · Important
Anonymous pull access allows unidentified downloading of images and metadata from a container registry.
Description#
By default, Azure Container Registry (ACR) requires you to be authorized before you push or pull content from the registry. When anonymous pull access is enabled:
- Any client with network access can pull content from the entire registry without authorization.
- Repository-scoped tokens can not be used to limit pull access, tokens will be able to pull all content.
Recommendation#
Consider disabling anonymous pull access in scenarios that require user authentication.
Examples#
Configure with Azure template#
To deploy registries that pass this rule:
- Set the
properties.anonymousPullEnabled
property tofalse
.
For example:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-11-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"adminUserEnabled": false,
"anonymousPullEnabled": false,
"policies": {
"quarantinePolicy": {
"status": "enabled"
},
"trustPolicy": {
"status": "enabled",
"type": "Notary"
},
"retentionPolicy": {
"days": 30,
"status": "enabled"
},
"softDeletePolicy": {
"retentionDays": 90,
"status": "enabled"
}
}
}
}
Configure with Bicep#
To deploy registries that pass this rule:
- Set the
properties.anonymousPullEnabled
property tofalse
.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
name: name
location: location
sku: {
name: 'Premium'
}
identity: {
type: 'SystemAssigned'
}
properties: {
adminUserEnabled: false
anonymousPullEnabled: false
policies: {
quarantinePolicy: {
status: 'enabled'
}
trustPolicy: {
status: 'enabled'
type: 'Notary'
}
retentionPolicy: {
days: 30
status: 'enabled'
}
softDeletePolicy: {
retentionDays: 90
status: 'enabled'
}
}
}
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure CLI#
To configure registries that pass this rule:
Configure with Azure Policy#
To address this issue at runtime use the following policies:
- Container registries should have anonymous authentication disabled
/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395
. - Configure container registries to disable anonymous authentication
/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897
.
Notes#
Anonymous pull access is only available in the Standard
and Premium
service tiers.
This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users. For example: You are a software vendor and intend to distribute container images of your software to customers.
Links#
- SE:05 Identity and access management
- Make your container registry content publicly available
- Azure security baseline for Container Registry
- IM-1: Use centralized identity and authentication system
- Azure deployment reference