Azure Microsoft Defender for Cloud is set to Off for Container Registries
Description
Azure Defender is a cloud workload protection service that utilizes and agent-based deployment to analyze signals from Azure network fabric and the service control plane, to detect threats across all Azure resources. It can also analyze non-Azure resources, utilizing Azure Arc, including those on-premises and in both AWS and GCP (once they've been onboarded). Azure Defender for container registries includes a vulnerability scanner to scan the images in Azure Resource Manager-based Azure Container Registry registries and provide deeper visibility image vulnerabilities.
Code Example
go
resource "azurerm_security_center_subscription_pricing" "example" {
tier = "Standard"
resource_type = "AppServices,ContainerRegistry,KeyVaults,KubernetesService,SqlServers,SqlServerVirtualMachines,StorageAccounts,VirtualMachines,ARM,DNS"
}Remediation
Terraform
- Resource: azurerm_security_center_subscription_pricing
- Arguments: resource_type - (Required) The resource type this setting affects.
Ensure that `ContainerRegistry` is declared to pass this check.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0594 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_86 |