Azure ACR admin account is enabled
Description
This policy checks that the admin account for Azure Container Registry (ACR) is disabled. The admin account is a legacy authentication method that grants full permissions to the entire registry, so a compromise of its credentials gives an attacker unauthorized access to, and the ability to manipulate, every container image and repository in that registry. It is therefore recommended to disable the ACR admin account and to authenticate with individual Azure AD identities, which allow finer-grained access control.
Remediation
Terraform
To fix the policy violation, explicitly disable the admin user on the Azure ACR resource, like so:
Code Example
```hcl
resource "azurerm_container_registry" "example" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Standard" # valid values are Basic, Standard and Premium
  admin_enabled       = false      # disable the legacy admin account; use Azure AD identities instead
}
```
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0644 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_137 |
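As an added example (not Checkov's own implementation of CKV_AZURE_137), the following Python script walks the JSON produced by `terraform show -json plan.out` and reports every `azurerm_container_registry` whose planned `admin_enabled` is true; the resource and module names in the embedded sample plan are constructed for the demonstration.

```python
# Added example (not Checkov's own code): flag Azure Container Registries whose
# admin account is enabled in the JSON of `terraform show -json plan.out`,
# the condition CKV_AZURE_137 reports on. The azurerm provider defaults
# admin_enabled to false, so a registry that omits the attribute passes.
import json

RESOURCE_TYPE = "azurerm_container_registry"


def _walk_modules(module):
    """Yield resources of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def find_admin_enabled_registries(plan):
    """Return addresses of planned ACRs whose admin_enabled is true."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in _walk_modules(root)
        if res.get("type") == RESOURCE_TYPE
        and res.get("values", {}).get("admin_enabled", False) is True
    ]


# Constructed sample plan: a compliant registry at root and a violating one
# inside a child module (resource names and module name are made up).
SAMPLE_PLAN = json.loads("""{
  "format_version": "1.2",
  "planned_values": {"root_module": {
    "resources": [{
      "address": "azurerm_container_registry.example",
      "type": "azurerm_container_registry",
      "values": {"name": "example", "sku": "Standard", "admin_enabled": false}}],
    "child_modules": [{
      "address": "module.legacy",
      "resources": [{
        "address": "module.legacy.azurerm_container_registry.old",
        "type": "azurerm_container_registry",
        "values": {"name": "old", "sku": "Basic", "admin_enabled": true}}]}]}}
}""")


if __name__ == "__main__":
    for address in find_admin_enabled_registries(SAMPLE_PLAN):
        print(f"CKV_AZURE_137 FAILED: {address} has admin_enabled = true")
```

Run it against a real plan by replacing `SAMPLE_PLAN` with `json.load(open("plan.json"))`; an empty result means every registry in the plan has the admin account disabled.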