-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
ACR_NetworkRulesExist_AuditDeny.json
74 lines (74 loc) · 2.46 KB
/
ACR_NetworkRulesExist_AuditDeny.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
{
"properties": {
"displayName": "Container registries should not allow unrestricted network access",
"description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "2.0.0",
"category": "Container Registry"
},
"version": "2.0.0",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerRegistry/registries"
},
{
"allOf": [
{
"anyof": [
{
"field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
"exists": "false"
},
{
"field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
"equals": "Allow"
}
]
},
{
"anyof": [
{
"field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
"exists": "false"
},
{
"field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
"equals": "Enabled"
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"2.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
"name": "d0793b48-0edc-4296-a390-4c75d1bdfd71"
}