Secure access to ACR

- [Instructor] There are several Azure container registry security controls available at your disposal. Depending on your risk appetite and security requirements, you may want to implement, one or several of these security controls. The available controls include; authentication and authorization, firewalls, encrypting data at rest, and audit logging. Azure container registry, supports several ways of authentication. Azure active directory identities, are supported in the form of Azure AD users, managed identities for Azure resources, as well as Azure AD Service principles. It's recommended to use Azure AD authentication for users, and managed identities for services whenever possible. Using Azure AD service principles, introduces operational overhead and complexity. As such, they should be avoided, and manage identities should be used instead for service authentication. There's also an option to authenticate as so-called Admin user, a simple username and password combination. Admin user is meant for testing purposes. Using Admin user is not recommended, and it is even disabled by default. When authenticating using Azure AD identities, authorization can be managed, using role-based access control. This allows for managing access to the least privileged. It's important to note that that generic reader row, in fact has quite powerful privileges in Azure container registry. Namely, it has access to pull images from the container registry. It is there for a good idea to place the Azure container registry resource, in a separate resource group, and grant access to it, using resource specific roles. For example, a developer might be granted access using the ACR push role. Azure Kubernetes service, might only require the ACR pull role access. By default, any authorized user can access Azure container registry from any network location. In other words, Azure container registry is available to public internet. To deny public access and only allow access from list of known address ranges, you can turn on the firewall. In the Azure portal, navigate to Networking, Public access, and allow public network access from Selected networks. Next, add the IP addresses or IP address ranges in the field below. Finally, to enable the firewall, click Save on the top of the page. Container registry firewall, also supports managing access through private invoice. But remember, the firewall feature is only available in the premium pricing tier, of container registry. In Azure CLI, the firewall is turned on by the following command, az acr update, name of my container registry, and default-action Deny. Next you can add allowed IP address ranges, with the az acr network-rule add command. Collecting audit logs for Azure container registry, is not enabled by default. To enable log collection, it is easy to use Azure portal. And in the Azure portal and the container registry view, select Monitoring, Diagnostic settings, Add diagnostic setting. You can choose to store your logs, in storage account, or a log analytics workspace. If you will rather store your logs outside of your Azure subscription, such as your centralized logs, you can also select to stream those logs, to Azure event hub. You can integrate Azure event hub, with most security incident and event management solutions. You can choose from two types of events to log; ContainerRegistryLoginEvents, contains authentication events, such as identities and IP addresses. ContainerRegistryRepositoryEvents, contains repository operations, such as push, pull and delete. After giving a name to my diagnostic setting, and clicking Save, I have enabled audit logging from my container registry. To enable audit logging programmatically, using Azure CLI, use the az monitor diagnostic-settings create command. At the time of this recording, the command isn't very user friendly. You need to specify each of the log targets with the long unique resource ID. As with other Azure services, Microsoft automatically encrypts Azure container registry content addressed. This is done using Microsoft managed keys. If you need to, you may also use your own encryption keys to encrypt the data in Azure container registry. To do that, you need to create and manage the keys in Azure Key Vault. Microsoft calls that, encryption with customer managed keys. At the time of this recording, customer managed keys, can only be turned on when creating a new Azure container registry. Keep this in mind when planning your security requirements. And remember, customer managed keys are only available in the premium pricing tier.