---
title: Compliance using Azure Policy
description: Assign built-in policy definitions in Azure Policy to audit compliance of your Azure container registries
ms.topic: article
ms.date: 08/10/2021
---
Azure Policy is a service in Azure that you use to create, assign, and manage policy definitions. These policy definitions enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
This article introduces built-in policy definitions for Azure Container Registry. Use these definitions to audit new and existing registries for compliance.
There is no charge for using Azure Policy.
The following built-in policy definitions are specific to Azure Container Registry:
[!INCLUDE azure-policy-reference-rp-containerreg]
- Create policy assignments using the Azure portal, Azure CLI, a Resource Manager template, or the Azure Policy SDKs.
- Scope a policy assignment to a resource group, a subscription, or an Azure management group. Container registry policy assignments apply to existing and new container registries within the scope.
- Enable or disable policy enforcement at any time.
> [!NOTE]
> After you create or update a policy assignment, it takes some time for the assignment to evaluate resources in the defined scope. See information about policy evaluation triggers.
Access compliance information generated by your policy assignments using the Azure portal, Azure command-line tools, or the Azure Policy SDKs. For details, see Get compliance data of Azure resources.
When a resource is non-compliant, there are many possible reasons. To determine the reason or to find the change responsible, see Determine non-compliance.
1. Select **All services**, and search for **Policy**.
1. Select **Compliance**.
1. Use the filters to limit compliance states or to search for policies.
1. Select a policy to review aggregate compliance details and events. If desired, then select a specific registry for resource compliance.
You can also use the Azure CLI to get compliance data. For example, use the `az policy assignment list` command in the CLI to get the assignment IDs of the Azure Container Registry policies that are applied:

```azurecli
az policy assignment list --query "[?contains(displayName,'Container Registries')].{name:displayName, ID:id}" --output table
```
Sample output:

```output
Name                                                                        ID
--------------------------------------------------------------------------  --------------------------------------------------------------------------------------------------------------------
Container Registries should not allow unrestricted network access           /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/b4faf132dc344b84ba68a441
Container Registries should be encrypted with a Customer-Managed Key (CMK)  /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/cce1ed4f38a147ad994ab60a
```
Then run `az policy state list` to return the JSON-formatted compliance state for all resources under a specific policy assignment ID:

```azurecli
az policy state list \
    --resource <policyID>
```
Or run `az policy state list` to return the JSON-formatted compliance state of a specific registry resource, such as *myregistry*:

```azurecli
az policy state list \
    --resource myregistry \
    --namespace Microsoft.ContainerRegistry \
    --resource-type registries \
    --resource-group myresourcegroup
```
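The JSON that `az policy state list` prints is easiest to act on once it is reduced to a per-registry view of which assignments pass and which fail. The following script is an added example, not part of this article or of the Azure CLI: it reads that JSON (from a file, or the constructed sample embedded below) and reports non-compliant registries. The record field names (`complianceState`, `policyAssignmentName`, `resourceId`, `resourceType`, `timestamp`) are assumed to mirror the policy-state objects the CLI returns; the subscription ID and policy definition names in the sample are placeholders, and the two assignment IDs are the ones from the sample output above.

```python
"""Summarize Azure Policy compliance records for container registries.

Added example (not Microsoft's code). Reads the JSON array produced by
`az policy state list` and reports, per registry, which policy assignments
are compliant and which are not. Field names are assumed to mirror the CLI's
policy-state output.
"""
import json
import sys
from collections import defaultdict

REGISTRY_TYPE = "microsoft.containerregistry/registries"
SUB = "/subscriptions/<subscriptionID>/resourcegroups/myresourcegroup"

def _record(registry, assignment, definition, state, ts):
    # Helper that builds one constructed policy-state record (sample data only).
    return {
        "complianceState": state,
        "policyAssignmentName": assignment,
        "policyDefinitionName": definition,
        "resourceGroup": "myresourcegroup",
        "resourceId": f"{SUB}/providers/{REGISTRY_TYPE}/{registry}",
        "resourceType": "Microsoft.ContainerRegistry/registries",
        "timestamp": ts,
    }

# Constructed sample input: two evaluations of the same registry/assignment pair
# (an older NonCompliant one superseded by a newer Compliant one), one failing
# CMK check, and one compliant second registry.
SAMPLE_STATES = json.dumps([
    _record("myregistry", "b4faf132dc344b84ba68a441", "<networkPolicyDefinitionGuid>",
            "NonCompliant", "2021-08-10T08:00:00Z"),
    _record("myregistry", "b4faf132dc344b84ba68a441", "<networkPolicyDefinitionGuid>",
            "Compliant", "2021-08-10T12:00:00Z"),
    _record("myregistry", "cce1ed4f38a147ad994ab60a", "<cmkPolicyDefinitionGuid>",
            "NonCompliant", "2021-08-10T12:00:00Z"),
    _record("otherregistry", "cce1ed4f38a147ad994ab60a", "<cmkPolicyDefinitionGuid>",
            "Compliant", "2021-08-10T12:00:00Z"),
])

def registry_name(resource_id):
    """Last path segment of an ARM resource ID, e.g. '.../registries/myregistry' -> 'myregistry'."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def latest_states(states):
    """Keep only the newest record per (resource, assignment) pair.

    Timestamps are compared as strings, which is valid because the CLI emits
    them in a fixed-width ISO 8601 UTC form.
    """
    latest = {}
    for s in states:
        key = (s["resourceId"].lower(), s["policyAssignmentName"])
        if key not in latest or s["timestamp"] > latest[key]["timestamp"]:
            latest[key] = s
    return list(latest.values())

def summarize(json_text):
    """Map registry name -> {'compliant': [assignments], 'noncompliant': [assignments]}."""
    summary = defaultdict(lambda: {"compliant": [], "noncompliant": []})
    for s in latest_states(json.loads(json_text)):
        if not s["resourceType"].lower().startswith(REGISTRY_TYPE):
            continue  # ignore states for other resource types
        bucket = "compliant" if s["complianceState"] == "Compliant" else "noncompliant"
        summary[registry_name(s["resourceId"])][bucket].append(s["policyAssignmentName"])
    for buckets in summary.values():
        buckets["compliant"].sort()
        buckets["noncompliant"].sort()
    return dict(summary)

def noncompliant_registries(json_text):
    """Sorted names of registries with at least one failing assignment."""
    return sorted(name for name, b in summarize(json_text).items() if b["noncompliant"])

if __name__ == "__main__":
    # Usage: az policy state list ... > states.json && python summarize.py states.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATES
    for name, buckets in sorted(summarize(text).items()):
        print(f"{name}: {len(buckets['noncompliant'])} non-compliant, "
              f"{len(buckets['compliant'])} compliant")
        for assignment in buckets["noncompliant"]:
            print(f"  non-compliant assignment: {assignment}")
```

Only the newest record per registry and assignment is counted, so a registry that was fixed after an earlier failing evaluation is not reported twice; run the script with no argument to see the constructed sample summarized.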
- Learn more about Azure Policy definitions and effects.
- Create a custom policy definition.
- Learn more about governance capabilities in Azure.