ACR_AADAuthenticationAsArmPolicy_AuditDeny.json
{
"properties": {
"displayName": "Container registries should have ARM audience token authentication disabled.",
"description": "Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This ensures that only tokens meant for use on the registry can be used for authentication. Disabling ARM audience tokens does not affect authentication with the admin user or with scoped access tokens. Learn more at: https://aka.ms/acr/authentication.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"category": "Container Registry"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerRegistry/registries"
},
{
"anyOf": [
{
"field": "Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy",
"exists": false
},
{
"field": "Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status",
"exists": false
},
{
"field": "Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status",
"equals": "enabled"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3",
"name": "42781ec6-6127-4c30-bdfa-fb423a0047d3"
}