Anonymous pull access#
Security · Container Registry · Rule · Preview · 2023_09 · Important
Disable anonymous pull access.
Description#
Azure Container Registry (ACR) allows you to pull or push content from an Azure container registry by being authenticated. However, it is possible to pull content from an Azure container registry by being unauthenticated (anonymous pull access).
By default, access to pull or push content from an Azure container registry is only available to authenticated users.
Generally speaking it is not a good practice to allow data-plane operations to unauthenticated users. However, anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.
Recommendation#
Consider disabling anonymous pull access in scenarios that require user authentication.
Examples#
Configure with Azure template#
To deploy registries that pass this rule:
- Set the
properties.anonymousPullEnabled
property tofalse
.
For example:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-08-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"adminUserEnabled": false,
"anonymousPullEnabled": false,
"policies": {
"quarantinePolicy": {
"status": "enabled"
},
"trustPolicy": {
"status": "enabled",
"type": "Notary"
},
"retentionPolicy": {
"days": 30,
"status": "enabled"
},
"softDeletePolicy": {
"retentionDays": 90,
"status": "enabled"
}
}
}
}
Configure with Bicep#
To deploy registries that pass this rule:
- Set the
properties.anonymousPullEnabled
property tofalse
.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
name: name
location: location
sku: {
name: 'Premium'
}
identity: {
type: 'SystemAssigned'
}
properties: {
adminUserEnabled: false
anonymousPullEnabled: false
policies: {
quarantinePolicy: {
status: 'enabled'
}
trustPolicy: {
status: 'enabled'
type: 'Notary'
}
retentionPolicy: {
days: 30
status: 'enabled'
}
softDeletePolicy: {
retentionDays: 90
status: 'enabled'
}
}
}
}
Configure with Azure Verified Modules
A pre-built module is avilable on the Azure Bicep public registry.
To reference the module, please use the following syntax: br/public:avm/res/container-registry/registry:<version>
Configure with Azure CLI#
To configure registries that pass this rule:
Notes#
The anonymous pull access feature is currently in preview.
Anonymous pull access is only available in the Standard
and Premium
service tiers.
Links#
- Authentication with Azure AD
- Make your container registry content publicly available
- Azure security baseline for Container Registry
- IM-1: Use centralized identity and authentication system
- Azure deployment reference