Promote Azure.ACR.AnonymousAccess to GA #3119 #3204

Merged: 1 commit, Dec 9, 2024
8 changes: 8 additions & 0 deletions data/policy-ignore.json
@@ -296,5 +296,13 @@
],
"reason": "Duplicate",
"value": "Azure.AppConfig.DisableLocalAuth"
},
{
"policyDefinitionIds": [
"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395",
"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897"
],
"reason": "Duplicate",
"value": "Azure.ACR.AnonymousAccess"
}
]
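Review bot: the two policy definition IDs added here (`9f2dea28-…` and `cced2946-…`) must match exactly the IDs the rule documentation lists in its new "Configure with Azure Policy" section, since a mismatch would leave one built-in policy unmapped rather than ignored as a duplicate of `Azure.ACR.AnonymousAccess`. Both entries cover the same `anonymousPullEnabled` setting (the AuditDeny and Modify variants of `ACR_AnonymousPullDisabled`), so `"reason": "Duplicate"` is the right classification; keeping the pair in the same order as in the docs makes the cross-check trivial.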
8 changes: 8 additions & 0 deletions docs/CHANGELOG-v1.md
@@ -29,6 +29,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

## Unreleased

What's changed since v1.40.0:

- Updated rules:
- Container Registry:
- Updated documentation and promoted `Azure.ACR.AnonymousAccess` to GA by @BernieWhite.
[#3119](https://github.com/Azure/PSRule.Rules.Azure/issues/3119)
- Bumped rule set to `2024_12`.

## v1.40.0

What's changed since v1.39.3:
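Review bot: the changelog entry omits the baseline impact of the promotion: this rule leaves the `Azure.Preview_*` baselines (the test expectations in this PR drop each preview count by one) and joins the GA baseline for `2024_12`, which changes results for anyone pinned to a preview baseline. Suggest adding a line such as "Moved `Azure.ACR.AnonymousAccess` from preview to GA baselines." or a pointer in the upgrade notes referenced at the top of this file.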
21 changes: 15 additions & 6 deletions docs/en/rules/Azure.ACR.AnonymousAccess.md
@@ -1,4 +1,5 @@
---
reviewed: 2024-12-10
severity: Important
pillar: Security
category: SE:05 Identity and access management
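Review bot: `reviewed: 2024-12-10` post-dates the merge date shown for this PR (Dec 9, 2024). If this field records when the content was last reviewed rather than a planned publish date, it should not be later than the change itself; readers use it to judge how current the page is. Minor, but worth confirming which semantics the field has.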
@@ -37,7 +38,7 @@ For example:
```json
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-08-01-preview",
"apiVersion": "2023-11-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
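Review bot: the example still pins a preview API version (`2023-11-01-preview`) for a rule that is being promoted to GA. If a stable `Microsoft.ContainerRegistry/registries` API version exposes `anonymousPullEnabled`, the example should use it so readers do not copy a preview API into production templates; if only preview versions expose the property, a one-line note saying so in the doc would help. The same applies to the Bicep example that follows.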
@@ -79,7 +80,7 @@ To deploy registries that pass this rule:
For example:

```bicep
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
name: name
location: location
sku: {
@@ -112,7 +113,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
}
```

<!-- external:avm avm/res/container-registry/registry:0.5.1 anonymousPullEnabled -->
<!-- external:avm avm/res/container-registry/registry anonymousPullEnabled -->
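Review bot: dropping the `:0.5.1` version pin from the `external:avm` marker while `docs/examples/avm/acr.bicep` in this same PR is bumped to an explicit `0.6.0` leaves the two references inconsistent. If the docs generator resolves an unpinned marker to the latest published module, the rendered snippet can drift from the tested example; consider pinning to `0.6.0` here, or confirm that unpinned markers are the intended convention for this repo.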

### Configure with Azure CLI

@@ -122,13 +123,21 @@ To configure registries that pass this rule:
az acr update -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
```

### Configure with Azure Policy

To address this issue at runtime use the following policies:

- [Container registries should have anonymous authentication disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_AuditDeny.json)
`/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395`.
- [Configure container registries to disable anonymous authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_Modify.json)
`/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897`.

## NOTES

The anonymous pull access feature is currently in preview.
Anonymous pull access is only available in the `Standard` and `Premium` service tiers.

This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users,
for example: You are a software vendor and intend to distribute container images of your software to customers.
This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users.
For example: You are a software vendor and intend to distribute container images of your software to customers.
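Review bot: the typo in the false-positive note is carried over into the rewritten line: "where to intend to distribute OCI content" should read "where you intend to distribute OCI content to Internet users". Since the line is already being touched to split the sentence, this is the place to fix it. The new "Configure with Azure Policy" section is a good addition: the two definition IDs match the entries added to `data/policy-ignore.json` in this PR, and replacing the "currently in preview" sentence with the `Standard`/`Premium` tier note is consistent with the GA promotion.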

## LINKS

2 changes: 1 addition & 1 deletion docs/examples/avm/acr.bicep
@@ -12,7 +12,7 @@ param name string
param location string = resourceGroup().location

// An example container registry deployed with Premium SKU.
module registry 'br/public:avm/res/container-registry/registry:0.5.1' = {
module registry 'br/public:avm/res/container-registry/registry:0.6.0' = {
params: {
name: name
location: location
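Review bot: the visible parameters (`name`, `location`) do not set `anonymousPullEnabled`, so the example relies on the module default to stay compliant with `Azure.ACR.AnonymousAccess`. When bumping from `0.5.1` to `0.6.0`, confirm the default for that parameter has not changed, or set `anonymousPullEnabled: false` explicitly (if it is not already set further down) so the example documents the intended setting rather than an implicit default.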
2 changes: 1 addition & 1 deletion src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
@@ -143,7 +143,7 @@ metadata:
ref: AZR-000401
tags:
release: preview
ruleSet: 2023_09
ruleSet: 2024_12
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'IM-1'
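Review bot: `release: preview` appears as unchanged context in this hunk while only `ruleSet` is bumped to `2024_12`; the test changes in this PR expect one fewer preview-tagged rule in every `Azure.Preview_*` baseline, which only holds if the release tag is flipped to GA somewhere outside the shown lines. Please confirm the `release` tag for `AZR-000401` is updated in the same change: a `ruleSet` bump alone would place the rule in the `2024_12` preview baseline instead of GA.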
10 changes: 5 additions & 5 deletions tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
@@ -213,7 +213,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 8;
$filteredResult.Length | Should -Be 7;
}

It 'With Azure.GA_2023_12' {
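Review bot: the hard-coded expected counts (`8` to `7` here, and the matching decrements in each of the following baseline tests) make these tests brittle: a later addition of a preview rule would mask a regression where `Azure.ACR.AnonymousAccess` is still tagged preview. Alongside the count, assert on the rule itself, for example `$filteredResult.RuleName | Should -Not -Contain 'Azure.ACR.AnonymousAccess';`, so the test expresses the intent of this PR rather than a number that changes for unrelated reasons.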
@@ -227,7 +227,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_12' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 8;
$filteredResult.Length | Should -Be 7;
}

It 'With Azure.GA_2024_03' {
@@ -241,7 +241,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_03' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 8;
$filteredResult.Length | Should -Be 7;
}

It 'With Azure.GA_2024_06' {
@@ -255,7 +255,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_06' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 11;
$filteredResult.Length | Should -Be 10;
}

It 'With Azure.GA_2024_09' {
@@ -269,7 +269,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 13;
$filteredResult.Length | Should -Be 12;
}
}
}