
Audit Container Registry access#

Security · Container Registry · Rule · 2026_06 · Important

Ensure container registry audit diagnostic logs are enabled.

Description#

Azure Container Registry (ACR) emits resource logs that can be routed to a Log Analytics workspace, storage account, or event hub through an Azure Monitor diagnostic setting. Enabling the audit categories lets you reconstruct who authenticated to the registry, which images were pushed or pulled, and when. Without them a stolen credential pulling images or an unexpected push leaves no trail to investigate, which matters for both incident response and compliance.

The following log categories should be enabled:

  • ContainerRegistryLoginEvents - Captures authentication events to the registry.
  • ContainerRegistryRepositoryEvents - Captures push and pull operations for container images.

Alternatively, you can enable the audit or allLogs category group to capture these and other audit events.
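The rule condition above (both categories enabled, or an enabled audit or allLogs category group, on a diagnostic setting that actually has a destination) can be checked offline against the diagnostic settings a registry already has. The following is an added example, not PSRule's own implementation; it assumes the input is the Azure Resource Manager list response shape for a registry's diagnosticSettings (a value array whose items carry properties.logs), and the sample documents it evaluates are constructed, not captured from a real subscription.

```python
"""Offline check of the audit-log condition against diagnostic settings JSON.

Added example (not the PSRule project's code). Input is assumed to be the ARM
response shape of
GET .../Microsoft.ContainerRegistry/registries/<name>/providers/Microsoft.Insights/diagnosticSettings
and the SAMPLE_* documents below are constructed for illustration.
"""
import json

REQUIRED_CATEGORIES = frozenset({"ContainerRegistryLoginEvents", "ContainerRegistryRepositoryEvents"})
SUFFICIENT_GROUPS = frozenset({"audit", "allLogs"})
# A diagnostic setting must have at least one of these destinations to be accepted by Azure.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId", "marketplacePartnerId")


def covered_categories(setting):
    """Return the required categories that this one diagnostic setting ships.

    A category counts if it is listed explicitly with enabled=true, or if an
    enabled 'audit' or 'allLogs' category group is present (both groups include
    the two audit categories). A setting with no destination is ignored: Azure
    will not accept one, so such input is malformed rather than effective.
    """
    props = setting.get("properties", {})
    if not any(props.get(key) for key in DESTINATION_KEYS):
        return frozenset()
    covered = set()
    for entry in props.get("logs", []):
        if entry.get("enabled") is not True:
            continue
        if entry.get("categoryGroup") in SUFFICIENT_GROUPS:
            return REQUIRED_CATEGORIES
        if entry.get("category") in REQUIRED_CATEGORIES:
            covered.add(entry["category"])
    return frozenset(covered)


def evaluate_registry(response):
    """Evaluate the rule across all diagnostic settings of one registry.

    `response` is the ARM list response as a dict or JSON string. Categories are
    pooled across settings, so two settings that each ship one category pass;
    tighten this to a per-setting check if your policy requires both categories
    to land in the same destination. Returns (passed, missing_categories).
    """
    if isinstance(response, str):
        response = json.loads(response)
    covered = set()
    for setting in response.get("value", []):
        covered |= covered_categories(setting)
    missing = REQUIRED_CATEGORIES - covered
    return (not missing, frozenset(missing))


def _setting(name, logs, **destination):
    """Build a constructed diagnostic setting document in ARM shape."""
    return {"name": name, "type": "Microsoft.Insights/diagnosticSettings",
            "properties": {"logs": logs, "metrics": [], **destination}}


WORKSPACE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law"

# Constructed samples: explicit categories, a category group, a partial setting, and no destination.
SAMPLE_PASS_CATEGORIES = {"value": [_setting("logs", [
    {"category": "ContainerRegistryLoginEvents", "enabled": True},
    {"category": "ContainerRegistryRepositoryEvents", "enabled": True}], workspaceId=WORKSPACE)]}
SAMPLE_PASS_GROUP = {"value": [_setting("logs", [
    {"categoryGroup": "audit", "enabled": True}], workspaceId=WORKSPACE)]}
SAMPLE_FAIL_PARTIAL = {"value": [_setting("logs", [
    {"category": "ContainerRegistryLoginEvents", "enabled": True},
    {"category": "ContainerRegistryRepositoryEvents", "enabled": False}], workspaceId=WORKSPACE)]}
SAMPLE_FAIL_NO_DESTINATION = {"value": [_setting("logs", [
    {"categoryGroup": "allLogs", "enabled": True}])]}

if __name__ == "__main__":
    for label, sample in [("categories", SAMPLE_PASS_CATEGORIES), ("group", SAMPLE_PASS_GROUP),
                          ("partial", SAMPLE_FAIL_PARTIAL), ("no destination", SAMPLE_FAIL_NO_DESTINATION)]:
        passed, missing = evaluate_registry(sample)
        print(f"{label}: {'pass' if passed else 'FAIL'} missing={sorted(missing)}")
```

To run it against a real registry, feed evaluate_registry the JSON returned by the REST call named in the docstring (or the equivalent from your SDK of choice); the function only reads the documented properties.logs, categoryGroup, enabled and destination fields.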

Recommendation#

Consider configuring diagnostic settings to capture container registry audit logs for security investigation.

Examples#

Configure with Azure template#

To deploy container registries that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable the ContainerRegistryLoginEvents and ContainerRegistryRepositoryEvents categories, or the audit or allLogs category group.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2021-05-01-preview",
      "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]",
      "name": "logs",
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "ContainerRegistryLoginEvents",
            "enabled": true
          },
          {
            "category": "ContainerRegistryRepositoryEvents",
            "enabled": true
          }
        ]
      },
      "dependsOn": [
        "[parameters('name')]"
      ]
    }
  ]
}

Configure with Bicep#

To deploy container registries that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable the ContainerRegistryLoginEvents and ContainerRegistryRepositoryEvents categories, or the audit or allLogs category group.

For example:

Azure Bicep snippet
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
    }
  }
}

resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: registry
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'ContainerRegistryLoginEvents'
        enabled: true
      }
      {
        category: 'ContainerRegistryRepositoryEvents'
        enabled: true
      }
    ]
  }
}

Alternatively, you can use category groups (supported on diagnostic settings from API version 2021-05-01-preview onwards):

Azure Bicep snippet
resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: registry
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        categoryGroup: 'audit'
        enabled: true
      }
    ]
  }
}
