ACR_ExportPolicy_AuditDeny.json
{
"properties": {
"displayName": "Container registries should have exports disabled",
"description": "Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'): once exports are disabled, data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. Exports can only be disabled when public network access is also disabled, so a registry with either setting not set to 'Disabled' is treated as non-compliant. Learn more at: https://aka.ms/acr/export-policy.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"category": "Container Registry"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Effect the policy applies to non-compliant registries ('Audit' or 'Deny'), or 'Disabled' to turn off execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerRegistry/registries"
},
{
"anyOf": [
{
"field": "Microsoft.ContainerRegistry/registries/policies.exportPolicy.status",
"notEquals": "Disabled"
},
{
"field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
"notEquals": "Disabled"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579",
"name": "524b0254-c285-4903-bee6-bb8126cde579"
}