From 8d993b4d2f014fb13a2e4b22f7619ba5230fc6da Mon Sep 17 00:00:00 2001 From: Bernie White Date: Tue, 10 Dec 2024 02:58:47 +1000 Subject: [PATCH] Promote Azure.ACR.AnonymousAccess to GA #3119 (#3204) --- data/policy-ignore.json | 8 +++++++ docs/CHANGELOG-v1.md | 8 +++++++ docs/en/rules/Azure.ACR.AnonymousAccess.md | 21 +++++++++++++------ docs/examples/avm/acr.bicep | 2 +- .../rules/Azure.ACR.Rule.yaml | 2 +- .../Azure.Baseline.Tests.ps1 | 10 ++++----- 6 files changed, 38 insertions(+), 13 deletions(-) diff --git a/data/policy-ignore.json b/data/policy-ignore.json index 4ba3fb12c55..6a6d26c8ba1 100644 --- a/data/policy-ignore.json +++ b/data/policy-ignore.json @@ -296,5 +296,13 @@ ], "reason": "Duplicate", "value": "Azure.AppConfig.DisableLocalAuth" + }, + { + "policyDefinitionIds": [ + "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", + "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897" + ], + "reason": "Duplicate", + "value": "Azure.ACR.AnonymousAccess" } ] diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md index 61e035ac95b..e51a7e06537 100644 --- a/docs/CHANGELOG-v1.md +++ b/docs/CHANGELOG-v1.md @@ -29,6 +29,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased +What's changed since v1.40.0: + +- Updated rules: + - Container Registry: + - Updated documentation and promoted `Azure.ACR.AnonymousAccess` to GA by @BernieWhite. + [#3119](https://github.com/Azure/PSRule.Rules.Azure/issues/3119) + - Bumped rule set to `2024_12`. + ## v1.40.0 What's changed since v1.39.3: diff --git a/docs/en/rules/Azure.ACR.AnonymousAccess.md b/docs/en/rules/Azure.ACR.AnonymousAccess.md index 44ae671935b..2b7ed33451a 100644 --- a/docs/en/rules/Azure.ACR.AnonymousAccess.md +++ b/docs/en/rules/Azure.ACR.AnonymousAccess.md @@ -1,4 +1,5 @@ --- +reviewed: 2024-12-10 severity: Important pillar: Security category: SE:05 Identity and access management 
@@ -37,7 +38,7 @@ For example: ```json { "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-08-01-preview", + "apiVersion": "2023-11-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { @@ -79,7 +80,7 @@ To deploy registries that pass this rule: For example: ```bicep -resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = { +resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = { name: name location: location sku: { @@ -112,7 +113,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = } ``` - + ### Configure with Azure CLI 
@@ -122,13 +123,21 @@ To configure registries that pass this rule: az acr update -n '' -g '' --anonymous-pull-enabled false ``` +### Configure with Azure Policy + +To address this issue at runtime use the following policies: + +- [Container registries should have anonymous authentication disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_AuditDeny.json) + `/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395`. +- [Configure container registries to disable anonymous authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_Modify.json) + `/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897`. + ## NOTES -The anonymous pull access feature is currently in preview. Anonymous pull access is only available in the `Standard` and `Premium` service tiers. -This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users, -for example: You are a software vendor and intend to distribute container images of your software to customers. +This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users. +For example: You are a software vendor and intend to distribute container images of your software to customers. ## LINKS diff --git a/docs/examples/avm/acr.bicep b/docs/examples/avm/acr.bicep index 9e97167a782..e55eab200e1 100644 --- a/docs/examples/avm/acr.bicep +++ b/docs/examples/avm/acr.bicep 
@@ -12,7 +12,7 @@ param name string
 param location string = resourceGroup().location
 
 // An example container registry deployed with Premium SKU.
-module registry 'br/public:avm/res/container-registry/registry:0.5.1' = {
+module registry 'br/public:avm/res/container-registry/registry:0.6.0' = {
 params: {
 name: name
 location: location
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
index af6dbb5703c..7818c2c7583 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
@@ -143,7 +143,7 @@ metadata:
 ref: AZR-000401
 tags:
 release: preview
- ruleSet: 2023_09
+ ruleSet: 2024_12
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: 'IM-1'
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
index 1a43d37df2d..3852fcc1000 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
@@ -213,7 +213,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty;
- $filteredResult.Length | Should -Be 8;
+ $filteredResult.Length | Should -Be 7;
 }
 
 It 'With Azure.GA_2023_12' {
@@ -227,7 +227,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_12' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty;
- $filteredResult.Length | Should -Be 8;
+ $filteredResult.Length | Should -Be 7;
 }
 
 It 'With Azure.GA_2024_03' {
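Review bot: The rule metadata still carries `release: preview` on the unchanged context line directly above the `ruleSet` change in Azure.ACR.Rule.yaml, while the commit subject and the CHANGELOG entry say the rule is promoted to GA. If the promotion is meant to land in this commit, the tag has to change too, e.g. `release: GA` in place of `release: preview`; as written, the only effect of this hunk is that the rule drops out of the older `Azure.Preview_*` baselines, which is exactly what the lowered counts in Azure.Baseline.Tests.ps1 reflect. If the tag is intentionally left as preview for now, a one-line `# ruleSet bumped ahead of GA promotion, see #3119` next to `ruleSet` would keep the next reader from drawing the same conclusion. The enclosing rule definition starts outside the hunk.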
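Review bot: The lowered expected counts (8 to 7 here, again in the -227 hunk, and in the -241, -255 and -269 hunks) follow from the `ruleSet: 2024_12` bump alone, since the rule no longer falls inside the older preview baselines, so they pass whether or not `Azure.ACR.AnonymousAccess` actually lost its `release: preview` tag; the GA promotion named in the commit subject is not asserted anywhere in the test change. A targeted check would pin it, e.g. `$rule = Get-PSRule -Module PSRule.Rules.Azure -Name 'Azure.ACR.AnonymousAccess';` followed by `$rule.Tag.release | Should -Be 'GA';`. Hard-coded bare counts also turn every future promotion into a five-place edit, so deriving the expected number from the rule list would be more robust, though that is beyond this change. The enclosing `Describe` block and each `It` block start outside the hunk.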
@@ -241,7 +241,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_03' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty;
- $filteredResult.Length | Should -Be 8;
+ $filteredResult.Length | Should -Be 7;
 }
 
 It 'With Azure.GA_2024_06' {
@@ -255,7 +255,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_06' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty;
- $filteredResult.Length | Should -Be 11;
+ $filteredResult.Length | Should -Be 10;
 }
 
 It 'With Azure.GA_2024_09' {
@@ -269,7 +269,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty;
- $filteredResult.Length | Should -Be 13;
+ $filteredResult.Length | Should -Be 12;
 }
 }
 }