diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index ab1d7ab3a5..acb2abbf7c 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update Azure App Service service metadata to new format [(#9613)](https://github.com/prowler-cloud/prowler/pull/9613)
 - Update Azure Application Insights service metadata to new format [(#9614)](https://github.com/prowler-cloud/prowler/pull/9614)
+- Update Azure Container Registry service metadata to new format [(#9615)](https://github.com/prowler-cloud/prowler/pull/9615)
 ---
diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json b/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json
index f16beee83d..6eed413886 100644
--- a/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json
+++ b/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json
@@ -1,30 +1,36 @@
 {
 "Provider": "azure",
 "CheckID": "containerregistry_admin_user_disabled",
- "CheckTitle": "Ensure admin user is disabled for Azure Container Registry",
+ "CheckTitle": "Container Registry admin user is disabled",
 "CheckType": [],
 "ServiceName": "containerregistry",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "ContainerRegistry",
+ "ResourceType": "microsoft.containerregistry/registries",
 "ResourceGroup": "container",
- "Description": "Ensure that the admin user is disabled and Role-Based Access Control (RBAC) is used instead since it could grant unrestricted access to the registry",
- "Risk": "If the admin user is enabled, it may lead to unauthorized access to the container registry and its resources, which could compromise the confidentiality, integrity, and availability of the images stored within.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account",
+ "Description": "**Azure Container Registry** admin account configuration, confirming the built-in **admin user** is disabled so access relies on Microsoft Entra-based **RBAC** identities and scoped roles.",
+ "Risk": "Using a shared, always-valid **admin credential** grants full push/pull and lacks attribution. Compromise enables unauthorized image pulls (confidentiality), malicious pushes or tag changes (integrity), and deletions or lockout (availability), enabling supply-chain attacks and lateral movement.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "az acr update --name --resource-group --admin-enabled false",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "```bicep\n// Azure Container Registry with admin user disabled\nresource acr 'Microsoft.ContainerRegistry/registries@2025-11-01' = {\n name: ''\n location: ''\n sku: {\n name: ''\n }\n properties: {\n adminUserEnabled: false // Critical: disables the admin user to pass the check\n }\n}\n```",
+ "Other": "1. In Azure Portal, go to Container registries and select your registry\n2. Under Settings, open Access keys\n3. Set Admin user to Disabled\n4. Click Save",
+ "Terraform": "```hcl\nresource \"azurerm_container_registry\" \"example\" {\n name = \"\"\n resource_group_name = \"\"\n location = \"\"\n sku = \"\"\n\n admin_enabled = false # Critical: disables ACR admin user to pass the check\n}\n```"
 },
 "Recommendation": {
- "Text": "Disable the admin user on Azure Container Registry through the Azure Portal: 1. Navigate to your Container Registry. 2. In the settings, select 'Access keys'. 3. Ensure the 'Admin user' checkbox is not ticked. For all actions relying on registry access, switch to using Role-Based Access Control.",
- "Url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account"
+ "Text": "Disable the **admin account** and require Microsoft Entra-backed **RBAC**. Assign least-privilege roles to users, service principals, or managed identities. Prefer short-lived credentials, rotate any residual secrets, and apply defense-in-depth with network restrictions and continuous auditing of registry access.",
+ "Url": "https://hub.prowler.com/check/containerregistry_admin_user_disabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "identity-access",
+ "secrets"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": "The transition away from using the admin user to RBAC will facilitate a more secure and manageable access model, minimizing the potential risk of unauthorized access to your container images."
diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json b/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json
index cc2c094333..dc218f983d 100644
--- a/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json
+++ b/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json
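Review bot: The new `Recommendation.Text` and the `Other` steps tell the reader to set the admin user to Disabled but never say that, as far as I know, the admin username/password stop working the moment the switch is flipped, so any pipeline, App Service or cluster that still pulls with those credentials fails on its next pull. The remediation is only safe to follow if consumers are first moved to Entra identities (managed identity or service principal holding a scoped role such as AcrPull/AcrPush) and verified, which the text should say explicitly, for example by appending `Confirm no workload still authenticates with the admin credentials before disabling them, as existing admin logins stop working immediately.` to `Recommendation.Text` or to `Notes`. A smaller schema point: `RelatedUrl` is now an empty string while the link moved to `AdditionalURLs`; if the new format treats `RelatedUrl` as optional, omitting the key would be clearer than an empty-string sentinel (the other two files in this commit do the same).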
@@ -1,30 +1,36 @@
 {
 "Provider": "azure",
 "CheckID": "containerregistry_not_publicly_accessible",
- "CheckTitle": "Restrict public network access to the Container Registry",
+ "CheckTitle": "Container Registry public network access is disabled",
 "CheckType": [],
 "ServiceName": "containerregistry",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "ContainerRegistry",
+ "ResourceType": "microsoft.containerregistry/registries",
 "ResourceGroup": "container",
- "Description": "Ensure that public network access to the Azure Container Registry is restricted.",
- "Risk": "Public accessibility exposes the Container Registry to potential attacks, unauthorized usage, and data breaches. Restricting access minimizes the surface area for attacks and ensures that only authorized networks can access the registry.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks",
+ "Description": "**Azure Container Registry** configuration indicates whether the registry permits **unrestricted public access** based on the `Public network access` setting.",
+ "Risk": "**Internet-exposed ACR** expands attack paths impacting **CIA**:\n- Confidentiality: unauthorized image pulls leak code/secrets\n- Integrity: compromised creds allow tampered image pushes (supply-chain)\n- Availability: pull storms or scans exhaust quotas, causing outages and cost spikes",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ContainerRegistry/disable-public-access.html",
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "az acr update --name --default-action Deny",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "CLI": "az acr update --name --public-network-enabled false",
+ "NativeIaC": "```bicep\n// Azure Container Registry with public network access disabled\nresource 'Microsoft.ContainerRegistry/registries@2025-11-01' = {\n name: ''\n location: ''\n sku: {\n name: 'Basic'\n }\n properties: {\n publicNetworkAccess: 'Disabled' // Critical: disables the public endpoint to prevent unrestricted access\n }\n}\n```",
+ "Other": "1. In the Azure portal, go to your Container Registry\n2. Select Settings > Networking\n3. On Public access, set Allow public network access to Disabled\n4. Click Save",
+ "Terraform": "```hcl\nresource \"azurerm_container_registry\" \"\" {\n name = \"\"\n resource_group_name = \"\"\n location = \"\"\n sku = \"Basic\"\n\n public_network_access_enabled = false # Critical: disables public endpoint to block unrestricted access\n}\n```"
 },
 "Recommendation": {
- "Text": "Ensure that the necessary virtual network configurations or IP rules are in place to allow access from required services once public access is restricted. Review the network access settings regularly to maintain a secure environment. To restrict public network access to your Azure Container Registry: 1. Navigate to your Container Registry in the Azure Portal. 2. Under 'Settings'->'Networking', configure the 'Public network access' settings to 'Disabled'. 3. Set up virtual network service endpoints or private endpoints as needed for secure access. 4. Review and adjust IP access rules as necessary.",
- "Url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks"
+ "Text": "Set `Public network access` to `Disabled` and use **Private Link** for registry access.\n\nIf public reachability is required, allow only **selected IPs**, enforce **least privilege** and token rotation, and apply **defense in depth** (egress control, network segmentation, logging of push/pull events).",
+ "Url": "https://hub.prowler.com/check/containerregistry_not_publicly_accessible"
 }
 },
- "Categories": [],
+ "Categories": [
+ "internet-exposed"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": "This feature is only available for Premium SKU registries."
diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json b/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json
index ad180581b6..df1999964b 100644
--- a/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json
+++ b/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json
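Review bot: The new `NativeIaC` and `Terraform` samples pin the SKU to `'Basic'` / `"Basic"` while the unchanged `Notes` line in this same hunk states the feature is only available for Premium SKU registries, so the samples contradict the check's own caveat and would presumably be rejected at deployment time. Change `name: 'Basic'` to `name: 'Premium'` in the Bicep and `sku = \"Basic\"` to `sku = \"Premium\"` in the Terraform, or at least drop the hard-coded value as the admin-user file does. The Bicep declaration `resource 'Microsoft.ContainerRegistry/registries@2025-11-01' = {` also has no symbolic name between `resource` and the type string (compare `resource acr ...` in the admin-user file), which is a Bicep syntax error unless a placeholder was stripped in rendering.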
@@ -1,30 +1,38 @@
 {
 "Provider": "azure",
 "CheckID": "containerregistry_uses_private_link",
- "CheckTitle": "Ensure to use a private link for accessing the Azure Container Registry",
+ "CheckTitle": "Container Registry uses a private endpoint (Private Link)",
 "CheckType": [],
 "ServiceName": "containerregistry",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "medium",
- "ResourceType": "ContainerRegistry",
+ "Severity": "high",
+ "ResourceType": "microsoft.containerregistry/registries",
 "ResourceGroup": "container",
- "Description": "Ensure that a private link is used for accessing the Azure Container Registry to enhance security and restrict access to the registry over the public internet.",
- "Risk": "Without using a private link, the Azure Container Registry may be exposed to the public internet, increasing the risk of unauthorized access and potential data breaches.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/private-link/private-link-overview",
+ "Description": "**Azure Container Registry** access via **Private Endpoints** (Azure Private Link). Registries with `private endpoint connections` use private IPs; others rely on the public endpoint.",
+ "Risk": "Publicly reachable registries expand attack surface for **credential stuffing**, token abuse, and scanning. A compromise enables unauthorized pull/push, causing image **data leakage** and **supply-chain tampering**. Public routing weakens network isolation, impacting the **confidentiality** and **integrity** of images and metadata.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/azure/private-link/private-link-overview",
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-vnet",
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "az network private-endpoint create --connection-name --resource-group --name --private-connection-resource-id --vnet-name --subnet --group-ids registry",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "CLI": "az network private-endpoint create --resource-group --name --vnet-name --subnet --private-connection-resource-id --group-ids registry --connection-name ",
+ "NativeIaC": "```bicep\n// Create a Private Endpoint to ACR\nresource privateEndpoint 'Microsoft.Network/privateEndpoints@2025-05-01' = {\n name: ''\n location: resourceGroup().location\n properties: {\n subnet: {\n id: ''\n }\n privateLinkServiceConnections: [\n {\n name: ''\n properties: {\n privateLinkServiceId: '' // Critical: ACR resource ID to connect\n groupIds: ['registry'] // Critical: Target the 'registry' subresource to enable Private Link\n }\n }\n ]\n }\n}\n```",
+ "Other": "1. In Azure Portal, go to Container registries > select your registry\n2. Navigate to Settings > Networking > Private endpoints tab\n3. Click + Private endpoint, enter a name, select your VNet and Subnet\n4. Set Resource type to Microsoft.ContainerRegistry/registries and Target subresource to registry\n5. Click Review + create, then Create",
+ "Terraform": "```hcl\nresource \"azurerm_private_endpoint\" \"\" {\n name = \"\"\n location = \"\"\n resource_group_name = \"\"\n subnet_id = \"\"\n\n private_service_connection {\n name = \"\"\n private_connection_resource_id = \"\" # Critical: ACR resource ID\n subresource_names = [\"registry\"] # Critical: Target 'registry' subresource to enable Private Link\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Create a private link for Azure Container Registry through the Azure Portal: 1. Navigate to your Container Registry. 2. In the settings, select 'Networking'. 3. Select 'Private access'. 4. Configure a private endpoint for the registry.",
- "Url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link"
+ "Text": "Use **Private Link** with **private endpoints** and set `Public network access: Disabled`.\n- Restrict access to trusted VNets/subnets\n- Prefer private endpoints over service endpoints\n- Enforce **least privilege** on registry actions\n- Configure private DNS for the registry FQDN\n- Monitor access logs for **defense in depth**",
+ "Url": "https://hub.prowler.com/check/containerregistry_uses_private_link"
 }
 },
- "Categories": [],
+ "Categories": [
+ "internet-exposed",
+ "trust-boundaries"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": "This feature is only available for Premium SKU registries."
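Review bot: The `NativeIaC` and `Terraform` samples create the private endpoint but no private DNS zone association, so the registry FQDN typically keeps resolving to the public address, clients never take the private path, and once `Public network access` is set to `Disabled` as `Recommendation.Text` advises, pulls fail outright. The Recommendation already lists "Configure private DNS for the registry FQDN"; the samples should match it with a `privateDnsZoneGroups` child resource (Bicep) and a `private_dns_zone_group` block (Terraform) referencing the `privatelink.azurecr.io` zone, or `Notes` should state that DNS configuration is a required separate step. Separately, the new `CLI` string ends in `--connection-name ` with a trailing space and no value; if that is not a stripped placeholder, the command is incomplete as written.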