Audit Container Registry access
March 29, 2026 ยท View on GitHub
SYNOPSIS
Ensure container registry audit diagnostic logs are enabled.
DESCRIPTION
Azure Container Registry (ACR) provides diagnostic logs that can be used to monitor and audit access to container images. Enabling audit logs helps you track who accesses your registry and when, which is important for security and compliance.
The following log categories should be enabled:
ContainerRegistryLoginEvents- Captures authentication events to the registry.ContainerRegistryRepositoryEvents- Captures push and pull operations for container images.
Alternatively, you can enable the audit or allLogs category group to capture these and other audit events.
RECOMMENDATION
Consider configuring diagnostic settings to capture container registry audit logs for security investigation.
EXAMPLES
Configure with Azure template
To deploy container registries that pass this rule:
- Deploy a diagnostic settings sub-resource (extension resource).
- Enable
ContainerRegistryLoginEventsandContainerRegistryRepositoryEventscategories orauditcategory group orallLogscategory group.
For example:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-11-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"properties": {
"adminUserEnabled": false,
"policies": {
"quarantinePolicy": {
"status": "enabled"
}
}
},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]",
"name": "logs",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "ContainerRegistryLoginEvents",
"enabled": true
},
{
"category": "ContainerRegistryRepositoryEvents",
"enabled": true
}
]
},
"dependsOn": [
"[parameters('name')]"
]
}
]
}
Configure with Bicep
To deploy container registries that pass this rule:
- Deploy a diagnostic settings sub-resource (extension resource).
- Enable
ContainerRegistryLoginEventsandContainerRegistryRepositoryEventscategories orauditcategory group orallLogscategory group.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
name: name
location: location
sku: {
name: 'Premium'
}
properties: {
adminUserEnabled: false
policies: {
quarantinePolicy: {
status: 'enabled'
}
}
}
}
resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'logs'
scope: registry
properties: {
workspaceId: workspaceId
logs: [
{
category: 'ContainerRegistryLoginEvents'
enabled: true
}
{
category: 'ContainerRegistryRepositoryEvents'
enabled: true
}
]
}
}
Alternatively, you can use category groups:
resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'logs'
scope: registry
properties: {
workspaceId: workspaceId
logs: [
{
categoryGroup: 'audit'
enabled: true
}
]
}
}