Beta - Azure Container Registry With Broad Permissions
- Query id: 77deea6a-155e-4865-bf04-153d23e488e8
- Query name: Beta - Azure Container Registry With Broad Permissions
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 732
- Risk score: 6.0
- URL: Github
Description¶
Role assignments scoped to an Azure Container Registry should grant only read (pull) access, i.e. the built-in `AcrPull` role. Assigning `AcrPush` or any broader role (by `role_definition_name` or by `role_definition_id`) lets the principal write or otherwise modify images in the registry.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
```tf
resource "azurerm_container_registry" "sample" {
  name                = "exampleacr123"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
  admin_enabled       = false
}

# AcrPush lets the AKS kubelet identity write images, not just pull them
resource "azurerm_role_assignment" "positive1" {
  principal_id         = azurerm_kubernetes_cluster.sample.kubelet_identity[0].object_id
  role_definition_name = "AcrPush"
  scope                = azurerm_container_registry.sample.id
}

# Same role granted by role definition GUID instead of name
resource "azurerm_role_assignment" "positive2" {
  principal_id       = azurerm_kubernetes_cluster.sample.kubelet_identity[0].object_id
  role_definition_id = "8311e382-0749-4cb8-b61a-304f252e45ec" # id for AcrPush
  scope              = azurerm_container_registry.sample.id
}
```
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
```tf
resource "azurerm_container_registry" "sample" {
  name                = "exampleacr123"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
  admin_enabled       = false
}

# AcrPull is read-only: the kubelet identity can pull images but not push or delete them
resource "azurerm_role_assignment" "negative1" {
  principal_id         = azurerm_kubernetes_cluster.sample.kubelet_identity[0].object_id
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.sample.id
}

# Same read-only role granted by role definition GUID instead of name
resource "azurerm_role_assignment" "negative2" {
  principal_id       = azurerm_kubernetes_cluster.sample.kubelet_identity[0].object_id
  role_definition_id = "7f951dda-4ed3-4680-a7ca-43fe172d538d" # id for AcrPull
  scope              = azurerm_container_registry.sample.id
}
```