Audit compliance of Azure container registries using Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

This article introduces the built-in policies for Azure Container Registry. Use these policies to audit new and existing registries for compliance.

There are no charges for using Azure Policy.

Built-in policy definitions

The following built-in policy definitions are specific to Azure Container Registry:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure Container registries to disable public network access | Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Modify, Disabled | 1.0.0 |
| Configure Container registries with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. | DeployIfNotExists, Disabled | 1.0.0 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Container registries should have SKUs that support Private Links | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. | Audit, Deny, Disabled | 1.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 1.1.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
| Public network access should be disabled for Container registries | Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Audit, Deny, Disabled | 1.0.0 |
| Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | AuditIfNotExists, Disabled | 2.0.0 |

Assign policies

Note

After you assign or update a policy, it takes some time for the assignment to be applied to resources in the defined scope. See the information about policy evaluation triggers.

Review policy compliance

Access the compliance information generated by your policy assignments using the Azure portal, Azure command-line tools, or the Azure Policy SDKs. For details, see Get compliance data of Azure resources.

When a resource is non-compliant, there are many possible reasons. To determine the reason or to find the change responsible, see Determine non-compliance.

Policy compliance in the portal:

  1. Select All services, and search for Policy.

  2. Select Compliance.

  3. Use the filters to limit compliance states or to search for policies.

    [Screenshot: Policy compliance in the portal]

  4. Select a policy to review aggregate compliance details and events. If desired, then select a specific registry for resource compliance.

Policy compliance in the Azure CLI

You can also use the Azure CLI to get compliance data. For example, use the az policy assignment list command in the CLI to get the policy IDs of the Azure Container Registry policies that are applied:

az policy assignment list --query "[?contains(displayName,'Container Registries')].{name:displayName, ID:id}" --output table

Sample output:

Name                                                                                   ID
-------------------------------------------------------------------------------------  --------------------------------------------------------------------------------------------------------------------------------
Container Registries should not allow unrestricted network access           /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/b4faf132dc344b84ba68a441
Container Registries should be encrypted with a Customer-Managed Key (CMK)  /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/cce1ed4f38a147ad994ab60a

Then run az policy state list to return the JSON-formatted compliance state for all resources under a specific policy ID:

az policy state list \
  --resource <policyID>

Or run az policy state list to return the JSON-formatted compliance state of a specific registry resource, such as myregistry:

az policy state list \
  --resource myregistry \
  --namespace Microsoft.ContainerRegistry \
  --resource-type registries \
  --resource-group myresourcegroup
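The raw JSON that az policy state list returns is one record per resource and assignment, so it is easiest to read once grouped. The following Python script is an added example (not code from the Microsoft article) that groups such records per policy assignment and lists the non-compliant registries; it assumes the record fields resourceId, resourceType, policyAssignmentId, policyDefinitionAction and complianceState, reuses the two assignment IDs from the sample output above, and embeds constructed sample records so it runs offline.

```python
"""Group `az policy state list --output json` records for container registries
by policy assignment. Added example, not the article's code: SAMPLE_STATES
below is constructed; feed real data with json.loads() of the az output."""
from collections import defaultdict

ACR_TYPE = "Microsoft.ContainerRegistry/registries"
ASSIGN = "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/"
NET_ASSIGNMENT = ASSIGN + "b4faf132dc344b84ba68a441"  # IDs from the article's sample output
CMK_ASSIGNMENT = ASSIGN + "cce1ed4f38a147ad994ab60a"


def rec(name, assignment, action, state=None, rtype=ACR_TYPE):
    """Build one constructed policy-state record with the fields used below."""
    r = {"resourceId": "/subscriptions/<subscriptionID>/resourceGroups/myresourcegroup"
                       f"/providers/{rtype}/{name}",
         "resourceType": rtype, "policyAssignmentId": assignment,
         "policyDefinitionAction": action}
    if state is not None:  # some records lack the field; leave it absent to test that path
        r["complianceState"] = state
    return r


SAMPLE_STATES = [
    rec("myregistry", NET_ASSIGNMENT, "audit", "NonCompliant"),
    rec("otherregistry", NET_ASSIGNMENT, "audit", "Compliant"),
    rec("myregistry", CMK_ASSIGNMENT, "deny", "NonCompliant"),
    rec("legacyregistry", CMK_ASSIGNMENT, "deny"),  # no state -> reported as unknown
    rec("sa1", NET_ASSIGNMENT, "audit", "NonCompliant",
        rtype="Microsoft.Storage/storageAccounts"),  # not a registry, skipped
]


def summarize_states(states):
    """Per assignment: effect, compliant count, non-compliant and unknown registry IDs."""
    summary = defaultdict(lambda: {"action": None, "compliant": 0,
                                   "non_compliant": [], "unknown": []})
    for r in states:
        if r.get("resourceType", "").lower() != ACR_TYPE.lower():
            continue  # other resource types are outside this report
        entry = summary[r["policyAssignmentId"]]
        entry["action"] = r.get("policyDefinitionAction")
        state = r.get("complianceState")
        if state == "Compliant":
            entry["compliant"] += 1
        elif state == "NonCompliant":
            entry["non_compliant"].append(r["resourceId"])
        else:  # missing or unexpected state is surfaced, not silently dropped
            entry["unknown"].append(r["resourceId"])
    return dict(summary)
```

Registries listed under "unknown" have no evaluation result yet, which is what you see right after assigning a policy and before the evaluation trigger has run.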

Next steps