# Anonymous pull access
Security · Container Registry · Rule · Preview · 2023_09
Disable anonymous pull access.
## Description

Azure Container Registry (ACR) requires callers to authenticate before they pull or push content from a registry. A registry can, however, be configured so that content can be pulled without authentication (anonymous pull access).

By default, pull and push access to an Azure container registry is available only to authenticated users.

Generally speaking, it is not good practice to expose data-plane operations to unauthenticated users. Anonymous pull access does have legitimate uses in scenarios that do not require user authentication, such as distributing public container images.
## Recommendation
Consider disabling anonymous pull access in scenarios that require user authentication.
## Examples

### Configure with Azure template
To deploy Azure Container Registries that pass this rule:
- Set the `properties.anonymousPullEnabled` property to `false`.
For example:

```json
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-01-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "anonymousPullEnabled": false
  }
}
```
### Configure with Bicep
To deploy Azure Container Registries that pass this rule:
- Set the `properties.anonymousPullEnabled` property to `false`.
For example:

```bicep
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    anonymousPullEnabled: false
  }
}
```
### Configure with Azure CLI
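The following script is an added example, not part of this rule's documentation or the PSRule project's own code. It applies the rule's logic to registry definitions offline: a registry passes when `properties.anonymousPullEnabled` is `false` or absent (the service default is authenticated-only), and fails when it is `true`. It checks both ARM template resources and the JSON printed by `az acr show`, whose output is assumed here to carry `anonymousPullEnabled` at the top level rather than under `properties`. For a failing registry it produces the remediation command, assumed to be `az acr update --name <registry> --anonymous-pull-enabled false`. All sample inputs are constructed for the example.

```python
"""Offline check for ACR anonymous pull access (added example, not PSRule code)."""
import json

ACR_TYPE = "Microsoft.ContainerRegistry/registries"
# Tiers on which anonymous pull can be enabled, per the rule's notes.
ANON_PULL_TIERS = {"Standard", "Premium"}


def anonymous_pull_enabled(resource: dict) -> bool:
    """True when the registry opts in to anonymous pull.

    The default for a new registry is authenticated-only, so a missing
    property is treated as False, matching the rule's pass condition.
    """
    props = resource.get("properties") or {}
    return bool(props.get("anonymousPullEnabled", False))


def check_registry(resource: dict) -> dict:
    """Evaluate one registry resource and return a finding record."""
    name = resource.get("name", "<unnamed>")
    sku = (resource.get("sku") or {}).get("name", "")
    enabled = anonymous_pull_enabled(resource)
    finding = {
        "name": name,
        "sku": sku,
        "anonymousPullEnabled": enabled,
        "pass": not enabled,
        "reason": "anonymous pull access is enabled" if enabled else "authenticated access only",
    }
    if enabled:
        # Assumed CLI syntax for the fix; <registry> is substituted with the resource name.
        finding["remediation"] = f"az acr update --name {name} --anonymous-pull-enabled false"
        if sku not in ANON_PULL_TIERS:
            finding["reason"] += f" (unexpected on the {sku or 'unknown'} tier)"
    return finding


def check_template(template: dict) -> list:
    """Evaluate every ACR resource in an ARM template document; other types are ignored."""
    return [
        check_registry(r)
        for r in template.get("resources", [])
        if r.get("type") == ACR_TYPE
    ]


def check_cli_output(show_json: str) -> dict:
    """Evaluate `az acr show` output.

    Assumed shape: the CLI flattens resource properties to the top level, so
    anonymousPullEnabled is lifted into a synthetic properties block before
    reusing the template check.
    """
    obj = json.loads(show_json)
    if "properties" not in obj:
        obj = dict(obj)
        obj["properties"] = {"anonymousPullEnabled": obj.get("anonymousPullEnabled", False)}
    return check_registry(obj)


# Constructed sample template: one public registry, one private, one with the
# property omitted, and one unrelated resource that must be skipped.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": ACR_TYPE, "name": "acrpublic", "sku": {"name": "Standard"},
         "properties": {"anonymousPullEnabled": True}},
        {"type": ACR_TYPE, "name": "acrprivate", "sku": {"name": "Premium"},
         "properties": {"anonymousPullEnabled": False}},
        {"type": ACR_TYPE, "name": "acrbasic", "sku": {"name": "Basic"}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stg"},
    ]
}

# Constructed stand-in for `az acr show --name acrpublic` output.
SAMPLE_CLI_OUTPUT = json.dumps({
    "name": "acrpublic",
    "type": ACR_TYPE,
    "sku": {"name": "Standard", "tier": "Standard"},
    "anonymousPullEnabled": True,
})


if __name__ == "__main__":
    for f in check_template(SAMPLE_TEMPLATE) + [check_cli_output(SAMPLE_CLI_OUTPUT)]:
        status = "PASS" if f["pass"] else "FAIL"
        print(f"{status} {f['name']} ({f['sku']}): {f['reason']}")
        if not f["pass"]:
            print(f"  fix: {f['remediation']}")
```

Run the script on its own to see one failing registry reported twice (once from the template, once from the CLI output) alongside two passing ones; swap the constructed samples for a real exported template or `az acr show` output to use it against your own registries.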
## Notes

The anonymous pull access feature is currently in preview.

Anonymous pull access is only available in the Standard and Premium service tiers.
## Links
- Authentication with Azure AD
- Make your container registry content publicly available
- Azure security baseline for Container Registry
- IM-1: Use centralized identity and authentication system
- Azure deployment reference