Enable Trusted Microsoft Service Access for Container Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Make sure that trusted Microsoft services have network access to your Microsoft Azure container registries. To securely connect to your network-restricted registries, enable the **Allow trusted Microsoft services to access this container registry** option in the registry's firewall settings.

Security

Enabling network firewall rules for your Azure container registries will block incoming data requests, including those from other Microsoft Azure services. To allow these services to function properly and access your registries, you must add an exception that allows trusted Microsoft Azure services to bypass your network rules. When the Allow trusted Microsoft services to access this container registry exception is enabled, a trusted service instance can securely bypass the registry's network firewall rules and perform operations such as pulling or pushing images.


Audit

To determine if trusted Microsoft services are allowed to access your network-restricted container registries, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab and check the Public network access configuration setting to determine the level of access configured for the selected container registry. If Public network access is set to All networks, the selected Azure container registry is not network-restricted, therefore, the Audit process ends here. If Public network access is set to Selected networks or Disabled, continue the Audit process with the next step.

08 In the Firewall exception section, check the Allow trusted Microsoft services to access this container registry setting checkbox to determine if trusted Microsoft service access is enabled for the selected registry. If the setting checkbox is unchecked, trusted Microsoft services are not allowed to access your network-restricted container registry.

09 Repeat steps no. 5 – 8 for each Azure container registry available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run acr list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure container registry available in the current subscription:

az acr list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested container registry identifiers:

Name                        ResourceGroup
-------------------------   ------------------------------
Project5ContainerRegistry   cloud-shell-storage-westeurope
DevAIContainerRegistry      cloud-shell-storage-westeurope

03 Run acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to determine the level of access configured for the selected container registry:

az acr show
  --name Project5ContainerRegistry
  --resource-group cloud-shell-storage-westeurope
  --query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'

04 The command output should return the status of the default network access rule used by the selected registry (i.e. "networkRuleSet" value) and the status of the "publicNetworkAccess" setting configured for the registry:

{
	"networkRuleSet": "Deny",
	"publicNetworkAccess": "Disabled"
}

If the acr show command output returns "Allow" or null for "networkRuleSet" and "Enabled" for "publicNetworkAccess", the selected Azure container registry is not network-restricted, therefore, the Audit process ends here. If the command output returns "Deny" for "networkRuleSet" and "Enabled"/"Disabled" for "publicNetworkAccess", as shown in the example above, continue the Audit process with the next step.

05 Run acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter, to describe the configuration status of the Allow trusted Microsoft services to access this container registry option:

az acr show
  --name Project5ContainerRegistry
  --resource-group cloud-shell-storage-westeurope
  --query 'networkRuleBypassOptions'

06 The command output should return the requested configuration option status:

"None"

If the acr show command output returns "None", as shown in the example above, trusted Microsoft services will not be able to access your network-restricted container registry.

07 Repeat steps no. 3 and 4 for each Azure container registry available in the selected Azure subscription.

08 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that trusted Microsoft services are allowed to access your network-restricted container registries, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to configure.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab, check the Allow trusted Microsoft services to access this container registry setting checkbox available under Firewall exception, and choose Save to allow trusted Microsoft services to access your network-restricted container registry. The setting checkbox is available only for network-restricted container registries, i.e. when Public network access is set to Selected networks or Disabled.

08 Repeat steps no. 5 - 7 for each Azure container registry that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run acr update command (Windows/macOS/Linux) with the name of the Azure container registry that you want to configure as the identifier parameter, to allow trusted Microsoft services to access your network-restricted container registry. To enable the Allow trusted Microsoft services to access this container registry option for your registry, set --allow-trusted-services to true. This option can be enabled only for network-restricted container registries (i.e. when "networkRuleSet" is set to "Deny" and "publicNetworkAccess" to "Enabled"/"Disabled"):

az acr update
  --name Project5ContainerRegistry
  --resource-group cloud-shell-storage-westeurope
  --allow-trusted-services true

02 The command output should return the information available for the configured container registry:

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-10-17T09:43:08.383725+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": null,
		"status": "disabled"
	},
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"identity": null,
	"location": "westeurope",
	"loginServer": "project5containerregistry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "Project5ContainerRegistry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Deny",
		"ipRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-10-17T09:43:08.383725+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-10-17T09:43:08.383725+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

03 Repeat steps no. 1 and 2 for each Azure container registry that you want to configure, available in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription available in your Microsoft Azure cloud account.
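The Audit decision (steps 03 to 06 of the Azure CLI audit above) and the Remediation command can be applied to many registries at once by reading the JSON that the CLI returns. The script below is an added example, not part of this Conformity page or of the Azure CLI; it assumes a JSON array of registry documents with the same fields as az acr show (for example from az acr list --output json), and the sample documents embedded in it are constructed (OpenRegistry is a made-up name).

```python
import json
import sys

def evaluate_registry(registry: dict) -> str:
    """Classify one registry document as returned by `az acr show --output json`."""
    rule_set = registry.get("networkRuleSet") or {}
    default_action = rule_set.get("defaultAction")       # "Allow", "Deny" or absent (null)
    public_access = registry.get("publicNetworkAccess")  # "Enabled" or "Disabled"
    bypass = registry.get("networkRuleBypassOptions")    # "AzureServices" or "None"

    # Audit step 04: "Allow"/null plus "Enabled" means the registry is not network-restricted,
    # so the trusted-services exception does not apply and the check ends here.
    if default_action != "Deny" and public_access == "Enabled":
        return "not-network-restricted"
    # Audit step 06: on a network-restricted registry, "None" blocks trusted Microsoft services.
    if bypass == "AzureServices":
        return "compliant"
    return "non-compliant"

def remediation_command(registry: dict) -> str:
    """The `az acr update` call from the Remediation section, filled in for this registry."""
    return ("az acr update --name {name} --resource-group {rg} "
            "--allow-trusted-services true").format(name=registry["name"],
                                                     rg=registry["resourceGroup"])

def audit(registries: list) -> dict:
    """Map registry name -> (status, remediation command or None)."""
    report = {}
    for reg in registries:
        status = evaluate_registry(reg)
        fix = remediation_command(reg) if status == "non-compliant" else None
        report[reg["name"]] = (status, fix)
    return report

# Constructed sample documents, trimmed to the fields the check reads; not real registries.
SAMPLE_REGISTRIES = [
    {"name": "Project5ContainerRegistry", "resourceGroup": "cloud-shell-storage-westeurope",
     "networkRuleSet": {"defaultAction": "Deny"}, "publicNetworkAccess": "Disabled",
     "networkRuleBypassOptions": "None"},
    {"name": "DevAIContainerRegistry", "resourceGroup": "cloud-shell-storage-westeurope",
     "networkRuleSet": {"defaultAction": "Deny"}, "publicNetworkAccess": "Enabled",
     "networkRuleBypassOptions": "AzureServices"},
    {"name": "OpenRegistry", "resourceGroup": "cloud-shell-storage-westeurope",
     "networkRuleSet": None, "publicNetworkAccess": "Enabled",
     "networkRuleBypassOptions": "AzureServices"},
]

if __name__ == "__main__":
    # Pipe real data in with: az acr list --output json | python audit_trusted_services.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REGISTRIES
    for name, (status, fix) in audit(data).items():
        print(f"{name}: {status}" + (f"\n  fix: {fix}" if fix else ""))
```

Run it once per subscription (after az account set) so that the report covers every registry the Audit section asks you to repeat the steps for.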

Publication date Oct 23, 2024