
Anonymous pull access#

Security · Container Registry · Rule · Preview · 2023_09 · Important

Disable anonymous pull access.

Description#

Azure Container Registry (ACR) requires callers to authenticate before they can pull or push content. A registry can optionally be configured to allow unauthenticated pulls (anonymous pull access).

By default, anonymous pull access is disabled, so pull and push operations are only available to authenticated users.

Generally speaking, allowing data-plane operations to unauthenticated users is not good practice. With anonymous pull access enabled, anyone who can reach the registry endpoint can download any image whose repository and tag they know, including any credentials, internal code or configuration baked into the image layers. Anonymous pull access is only appropriate in scenarios that do not require user authentication, such as distributing public container images.

Recommendation#

Consider disabling anonymous pull access unless the registry is intentionally used to distribute public container images. If anonymous pull access is required, keep it on a dedicated registry that contains only public content.

Examples#

Configure with Azure template#

To deploy registries that pass this rule:

  • Set the properties.anonymousPullEnabled property to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-08-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "anonymousPullEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep#

To deploy registries that pass this rule:

  • Set the properties.anonymousPullEnabled property to false.

For example:

Azure Bicep snippet
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    anonymousPullEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}

Configure with Azure Verified Modules#

A pre-built module is available on the Azure Bicep public registry. To reference the module, use the following syntax: br/public:avm/res/container-registry/registry:<version>

Configure with Azure CLI#

To configure registries that pass this rule:

Azure CLI snippet
az acr update -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
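The template section and the Azure CLI section above both come down to one setting to check. The following Python script is an added example, not PSRule's rule implementation and not part of this page: it applies the same check to two inputs, the JSON printed by `az acr list -o json` (with properties flattened to the top level, as the CLI emits them) and the resources array of an ARM template like the one above, and prints the `az acr update` command that remediates each failing registry. The registries and template embedded in it are constructed sample data, and the function names (`find_noncompliant`, `remediation_commands`, `report`) are chosen for the example.

```python
"""Flag Azure Container Registries with anonymous pull access enabled.

Added example; this is not PSRule's rule code. It accepts either the output
of `az acr list -o json` (properties flattened to the top level, as the CLI
emits them) or the `resources` array of an ARM template (properties nested
under `properties`). All sample data below is constructed.
"""
import json
import shlex

ACR_TYPE = "Microsoft.ContainerRegistry/registries"
ANON_PULL_TIERS = {"Standard", "Premium"}  # tiers that can enable the feature


def is_registry(resource):
    return resource.get("type", "").lower() == ACR_TYPE.lower()


def anonymous_pull_enabled(resource):
    """Return True if anonymous pull is enabled on a registry.

    An absent property means the service default, which is disabled.
    Fail closed: only an explicit false (or absent) passes, so an unresolved
    template expression such as "[parameters('anon')]" fails the check
    rather than silently passing.
    """
    props = resource.get("properties", resource)  # ARM nests, CLI flattens
    value = props.get("anonymousPullEnabled")
    return value is not None and value is not False


def find_noncompliant(resources):
    """Names of registries that fail the rule, in input order."""
    return [r["name"] for r in resources if is_registry(r) and anonymous_pull_enabled(r)]


def remediation_commands(registries):
    """One `az acr update` per failing registry.

    Only meaningful for `az acr list` output, which carries the resource group.
    """
    cmds = []
    for r in registries:
        if is_registry(r) and anonymous_pull_enabled(r):
            cmds.append(
                "az acr update -n {} -g {} --anonymous-pull-enabled false".format(
                    shlex.quote(r["name"]), shlex.quote(r["resourceGroup"])
                )
            )
    return cmds


def report(resources):
    """One line per registry: name, SKU, anonymous pull state, verdict."""
    lines = []
    for r in resources:
        if not is_registry(r):
            continue
        sku = r.get("sku", {}).get("name", "?")
        enabled = anonymous_pull_enabled(r)
        verdict = "FAIL" if enabled else "PASS"
        note = "" if sku in ANON_PULL_TIERS else " (tier cannot enable anonymous pull)"
        lines.append(f"{r['name']:<16}{sku:<10}anonymousPull={str(enabled).lower():<6}{verdict}{note}")
    return lines


# Constructed sample of `az acr list -o json`, trimmed to the relevant fields.
LIVE_REGISTRIES = json.loads("""[
  {"name": "acrpublic01", "resourceGroup": "rg-images",
   "type": "Microsoft.ContainerRegistry/registries",
   "sku": {"name": "Premium", "tier": "Premium"},
   "anonymousPullEnabled": true, "adminUserEnabled": false},
  {"name": "acrinternal01", "resourceGroup": "rg-platform",
   "type": "Microsoft.ContainerRegistry/registries",
   "sku": {"name": "Standard", "tier": "Standard"},
   "anonymousPullEnabled": false, "adminUserEnabled": false},
  {"name": "acrdev01", "resourceGroup": "rg-dev",
   "type": "Microsoft.ContainerRegistry/registries",
   "sku": {"name": "Basic", "tier": "Basic"},
   "adminUserEnabled": true}
]""")

# Constructed ARM template: one registry with the weak setting, one with the
# recommended setting, and an unrelated resource the check must ignore.
TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.ContainerRegistry/registries",
     "apiVersion": "2023-08-01-preview", "name": "acranon",
     "sku": {"name": "Premium"},
     "properties": {"adminUserEnabled": false, "anonymousPullEnabled": true}},
    {"type": "Microsoft.ContainerRegistry/registries",
     "apiVersion": "2023-08-01-preview", "name": "acrlocked",
     "sku": {"name": "Premium"},
     "properties": {"adminUserEnabled": false, "anonymousPullEnabled": false}},
    {"type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2023-01-01", "name": "stimages",
     "sku": {"name": "Standard_LRS"}, "properties": {}}
  ]
}""")

if __name__ == "__main__":
    print("\n".join(report(LIVE_REGISTRIES)))
    print("\n".join(remediation_commands(LIVE_REGISTRIES)))
    print("\n".join(report(TEMPLATE["resources"])))
```

To audit real registries, replace `LIVE_REGISTRIES` with `json.load()` of the output of `az acr list -o json`; for a template, pass its `resources` array. The check deliberately fails on any value other than an explicit `false`, so a parameterised `anonymousPullEnabled` in a template is surfaced for review instead of being assumed safe.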

Notes#

The anonymous pull access feature is currently in preview. Anonymous pull access is only available in the Standard and Premium service tiers.
