last sync: 2020-Jul-10 14:05:01 UTC

Azure Policy

Container Registries should not allow unrestricted network access

Policy DisplayName: Container Registries should not allow unrestricted network access
Policy Id: d0793b48-0edc-4296-a390-4c75d1bdfd71
Policy Category: Container Registry
Policy Description: Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet.
Policy Mode: Indexed
Policy Type: BuiltIn
Policy in Preview: FALSE
Policy Deprecated: FALSE
Policy Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Policy Changes
Date/Time (UTC ymd) | Change | Change detail
2020-02-12 02:52:44 | add: Policy d0793b48-0edc-4296-a390-4c75d1bdfd71 |
2020-05-29 15:39:09 | change: DisplayName | previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access
Used in Policy Initiative(s): none
Policy Rule
{
  "properties": {
    "displayName": "Container Registries should not allow unrestricted network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "anyof": [
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
                "equals": "Allow"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d0793b48-0edc-4296-a390-4c75d1bdfd71"
}