Container Registry anonymous pull access is enabled
March 21, 2025 ยท View on GitHub
SYNOPSIS
Anonymous pull access allows unidentified downloading of images and metadata from a container registry.
DESCRIPTION
By default, Azure Container Registry (ACR) requires you to be authorized before you push or pull content from the registry. When anonymous pull access is enabled:
- Any client with network access can pull content from the entire registry without authorization.
- Repository-scoped tokens can not be used to limit pull access, tokens will be able to pull all content.
RECOMMENDATION
Consider disabling anonymous pull access in scenarios that require user authentication.
EXAMPLES
Configure with Azure template
To deploy registries that pass this rule:
- Set the
properties.anonymousPullEnabledproperty tofalse.
For example:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-11-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"adminUserEnabled": false,
"anonymousPullEnabled": false,
"policies": {
"quarantinePolicy": {
"status": "enabled"
},
"trustPolicy": {
"status": "enabled",
"type": "Notary"
},
"retentionPolicy": {
"days": 30,
"status": "enabled"
},
"softDeletePolicy": {
"retentionDays": 90,
"status": "enabled"
}
}
}
}
Configure with Bicep
To deploy registries that pass this rule:
- Set the
properties.anonymousPullEnabledproperty tofalse.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
name: name
location: location
sku: {
name: 'Premium'
}
identity: {
type: 'SystemAssigned'
}
properties: {
adminUserEnabled: false
anonymousPullEnabled: false
policies: {
quarantinePolicy: {
status: 'enabled'
}
trustPolicy: {
status: 'enabled'
type: 'Notary'
}
retentionPolicy: {
days: 30
status: 'enabled'
}
softDeletePolicy: {
retentionDays: 90
status: 'enabled'
}
}
}
}
Configure with Azure CLI
To configure registries that pass this rule:
az acr update -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Container registries should have anonymous authentication disabled
/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395. - Configure container registries to disable anonymous authentication
/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897.
NOTES
Anonymous pull access is only available in the Standard and Premium service tiers.
This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users. For example: You are a software vendor and intend to distribute container images of your software to customers.