ACR_TokenDisabled_AuditDeny.json
{
"properties": {
"displayName": "Container registries should have repository scoped access token disabled.",
"description": "Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.",
"policyType": "BuiltIn",
"mode": "All",
"metadata": {
"version": "1.0.0",
"category": "Container Registry"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
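"description": "Effect applied to tokens that are not disabled: Audit reports them as non-compliant, Deny blocks creating or updating them, Disabled turns the policy off"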
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerRegistry/registries/tokens"
},
{
"field": "Microsoft.ContainerRegistry/registries/tokens/status",
"notequals": "disabled"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366",
"name": "ff05e24e-195c-447e-b322-5e90c9f9f366"
}