Skip to content

Commit

Permalink
Promote Azure.ACR.AnonymousAccess to GA #3119
Browse files Browse the repository at this point in the history
  • Loading branch information
BernieWhite committed Dec 9, 2024
1 parent faf7b2d commit d239216
Show file tree
Hide file tree
Showing 6 changed files with 38 additions and 13 deletions.
8 changes: 8 additions & 0 deletions data/policy-ignore.json
Original file line number Diff line number Diff line change
Expand Up @@ -296,5 +296,13 @@
],
"reason": "Duplicate",
"value": "Azure.AppConfig.DisableLocalAuth"
},
{
"policyDefinitionIds": [
"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395",
"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897"
],
"reason": "Duplicate",
"value": "Azure.ACR.AnonymousAccess"
}
]
8 changes: 8 additions & 0 deletions docs/CHANGELOG-v1.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

## Unreleased

What's changed since v1.40.0:

- Updated rules:
- Container Registry:
- Updated documentation and promoted `Azure.ACR.AnonymousAccess` to GA by @BernieWhite.
[#3119](https://github.com/Azure/PSRule.Rules.Azure/issues/3119)
- Bumped rule set to `2024_12`.

## v1.40.0

What's changed since v1.39.3:
Expand Down
21 changes: 15 additions & 6 deletions docs/en/rules/Azure.ACR.AnonymousAccess.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
reviewed: 2024-12-10
severity: Important
pillar: Security
category: SE:05 Identity and access management
Expand Down Expand Up @@ -37,7 +38,7 @@ For example:
```json
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-08-01-preview",
"apiVersion": "2023-11-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
Expand Down Expand Up @@ -79,7 +80,7 @@ To deploy registries that pass this rule:
For example:

```bicep
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
name: name
location: location
sku: {
Expand Down Expand Up @@ -112,7 +113,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
}
```

<!-- external:avm avm/res/container-registry/registry:0.5.1 anonymousPullEnabled -->
<!-- external:avm avm/res/container-registry/registry anonymousPullEnabled -->

### Configure with Azure CLI

Expand All @@ -122,13 +123,21 @@ To configure registries that pass this rule:
az acr update -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
```

### Configure with Azure Policy

To address this issue at runtime use the following policies:

- [Container registries should have anonymous authentication disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_AuditDeny.json)
`/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395`.
- [Configure container registries to disable anonymous authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_Modify.json)
`/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897`.

## NOTES

The anonymous pull access feature is currently in preview.
Anonymous pull access is only available in the `Standard` and `Premium` service tiers.

This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users,
for example: You are a software vendor and intend to distribute container images of your software to customers.
This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users.
For example: You are a software vendor and intend to distribute container images of your software to customers.

## LINKS

Expand Down
2 changes: 1 addition & 1 deletion docs/examples/avm/acr.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ param name string
param location string = resourceGroup().location

// An example container registry deployed with Premium SKU.
module registry 'br/public:avm/res/container-registry/registry:0.5.1' = {
module registry 'br/public:avm/res/container-registry/registry:0.6.0' = {
params: {
name: name
location: location
Expand Down
2 changes: 1 addition & 1 deletion src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ metadata:
ref: AZR-000401
tags:
release: preview
ruleSet: 2023_09
ruleSet: 2024_12
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'IM-1'
Expand Down
10 changes: 5 additions & 5 deletions tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 8;
$filteredResult.Length | Should -Be 7;
}

It 'With Azure.GA_2023_12' {
Expand All @@ -227,7 +227,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_12' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 8;
$filteredResult.Length | Should -Be 7;
}

It 'With Azure.GA_2024_03' {
Expand All @@ -241,7 +241,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_03' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 8;
$filteredResult.Length | Should -Be 7;
}

It 'With Azure.GA_2024_06' {
Expand All @@ -255,7 +255,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_06' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 11;
$filteredResult.Length | Should -Be 10;
}

It 'With Azure.GA_2024_09' {
Expand All @@ -269,7 +269,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 13;
$filteredResult.Length | Should -Be 12;
}
}
}

0 comments on commit d239216

Please sign in to comment.