Policy Templates for ACR
Azure Container Registry (ACR)
Policy Templates for Container Security are used with Microsoft Azure Container Registry (ACR).
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates.
| Policy Name | Resource | Benchmark | PCI DSS | HIPAA | NIST 800-53 | Policy Description |
|---|---|---|---|---|---|---|
| ACR: Image Registry should not have more than 200 repositories | ACR | Yes | SC-6, Resource Availability | Image registry should have a limit on number of respositories | ||
| ACR: Repositories should not be exposed to everyone/ publicly for push actions | ACR | Yes | SI-7, Software, Firmware, and Information Integrity. | Repository policy push actions should be avoided | ||
| ACR: Repositories should not be exposed to everyone/ publicly for pull actions | ACR | Yes | SI-7, Software, Firmware, and Information Integrity. | Repository policy pull actions should be avoided | ||
| ACR: Repositories should not be exposed to everyone/ publicly for delete actions | ACR | Yes | SI-7, Software, Firmware, and Information Integrity. | Repository policy delete actions should be avoided | ||
| ACR: Image tag immutability should be set correctly for repository | ACR | Yes | SI-7, Software, Firmware, and Information Integrity. | Image Tag Immutability should be set correctly for the repository | ||
| ACR: Container Registries must not allow unrestricted network access | ACR | Yes | SI-7, Software, Firmware, and Information Integrity. | Azure container registries by default accept connections over the internet from hosts to any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses, or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. |