Framework/Configurations/SVT/Services/ContainerInstances.json
|
{
"FeatureName": "ContainerInstances", "Reference": "aka.ms/azsktcp/containerinstances", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ContainerInstances_NetSec_Justify_PublicIP_and_Ports", "Description": "Use of public IP address and ports should be carefully reviewed", "Id": "ContainerInstances110", "ControlSeverity": "High", "Enabled": true, "Automated": "Yes", "MethodName": "CheckPublicIPAndPorts", "Rationale": "Public IP address provides direct access over the internet exposing the container to all type of attacks over the public network.", "Recommendation": "Add public IP address and ports to a container only as required. Ensure that the resulting data flows are carefully reviewed.", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ContainerInstances" ] }, { "ControlID": "Azure_ContainerInstances_SI_Review_Image", "Description": "Make sure container images (including nested images) are from a trustworthy source", "Id": "ContainerInstances120", "ControlSeverity": "High", "Enabled": true, "Automated": "Yes", "MethodName": "CheckContainerImage", "Rationale": "If a container runs an untrusted image (or an untrusted nested image), it can violate integrity of the infrastructure and lead to all types of security attacks.", "Recommendation": "Ensure that the image source(s) for the image comprising the container are trustworthy. Review image configurations carefully for any misconfigurations.", "Tags": [ "SDL", "TCP", "Automated", "SI", "ContainerInstances" ] }, { "ControlID": "Azure_ContainerInstances_DP_Review_Registry", "Description": "Make sure container images are hosted on a trustworthy registry that has strong authentication, authorization and data protection mechanisms", "Id": "ContainerInstances130", "ControlSeverity": "High", "Enabled": true, "Automated": "Yes", "MethodName": "CheckRegistry", "Rationale": "If a container image is served from an untrusted registry, the image itself may not be trustworthy. Running such a compromised image can lead to loss of sensitive enterprise data.", "Recommendation": "Ensure that the registry, which hosts the image, is trustworthy. Review registry configurations carefully for any misconfigurations related to authentication, authorization, etc. ", "Tags": [ "SDL", "TCP", "Automated", "DP", "ContainerInstances" ] }, { "ControlID": "Azure_ContainerInstances_AuthZ_Container_Segregation", "Description": "A container group must contain only containers which trust each other", "Id": "ContainerInstances140", "ControlSeverity": "High", "Enabled": true, "Automated": "Yes", "MethodName": "CheckContainerTrust", "Rationale": "Containers hosted in the same container group can monitor traffic of other containers within the group and can also access the file system of the host OS. Hence a container group must not host containers which do not trust each other. In other words, do not mix containers across trust boundaries in the same group.", "Recommendation": "Carefully review the role and privileges required by each container in a container group. If the privilege levels and access requirements are different, then consider segregating the containers into separate groups.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "ContainerInstances" ] } ] } |