
Disable ARM Audience Token Authentication for Container Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Disable Azure Resource Manager (ARM) audience token authentication for your Microsoft Azure container registries in order to enhance security by restricting token usage to only those specifically scoped for Azure Container Registry (ACR), reducing the risk of unauthorized access.

Security

Azure AD Tokens play a critical role in the authentication process for registry users interacting with Azure Container Registry (ACR). Typically, ACR accepts Azure AD Tokens that have an audience scope designated for Azure Resource Manager (ARM), which functions as a control plane management layer for overseeing Azure resources. However, by opting to disable the use of ARM Audience Tokens and instead enforcing ACR Audience Tokens, you can significantly improve the security of your container registries during authentication. This security enhancement is achieved by limiting the range of accepted tokens to those with a specific audience scope tailored for ACR. When ACR Audience Token enforcement is enabled, only Azure AD Tokens with an audience scope explicitly set for ACR will be recognized and permitted during the registry authentication and sign-in process. As a result, ARM Audience Tokens, which were previously valid for registry authentication, will no longer be accepted, thereby providing an added layer of protection to your container registries.


Audit

To determine if ARM audience token authentication is disabled for your Microsoft Azure container registries, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the resource navigation panel, select Overview, and click on the name (link) of the associated resource group, available next to Resource group, in the Essentials section.

07 In the navigation panel, under Settings, select Policies, and search for policy assignments with the following built-in definitions: Configure container registries to disable ARM audience token authentication and Container registries should have ARM audience token authentication disabled. If there are no policy assignments with the specified definitions, ARM audience token authentication is not disabled for the selected Microsoft Azure container registry.

08 Repeat steps no. 5 – 7 for each Azure container registry available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run acr list command (Windows/macOS/Linux) with custom output filters to describe the name of each Azure container registry available in the current subscription:

az acr list \
  --output table \
  --query '[*].{name:name}'

05 The command output should return the requested container registry names:

Name
-------------------------
Project5ContainerRegistry
DevAIContainerRegistry

06 Run acr config authentication-as-arm show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to describe the current configuration of the registry's policy for authentication using ARM tokens:

az acr config authentication-as-arm show \
  --registry Project5ContainerRegistry \
  --query 'status'

07 The command output should return the status of the policy configured for authentication using ARM tokens:

"enabled"

If the acr config authentication-as-arm show command output returns "enabled", as shown in the example above, ARM audience token authentication is not disabled for the selected Microsoft Azure container registry.

08 Repeat steps no. 6 and 7 for each Azure container registry available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable ARM audience token authentication for your Microsoft Azure container registries, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to configure.

06 In the resource navigation panel, select Overview, and click on the name (link) of the associated resource group, available next to Resource group, in the Essentials section.

07 In the navigation panel, under Settings, select Policies.

08 Choose Assign policy, and perform the following actions to create the first policy assignment required to disable ARM audience token authentication:

  1. For Basics, select the following built-in policy definition: Configure container registries to disable ARM audience token authentication for Policy definition, and set Policy enforcement to Enabled. Choose Next to continue the setup process.
  2. For Parameters, choose Next to continue the setup.
  3. For Remediation, check the Create a remediation task checkbox and choose Configure container registries to disable ARM audience token authentication for Policy to remediate. Choose Next to continue the setup.
  4. For Non-compliance messages, provide a short non-compliance message for the policy assignment. Non-compliance messages help users understand why their cloud resource is not compliant with the policy. Choose Next to continue.
  5. For Review + create, review the assignment details, then choose Create to create your new Azure policy assignment. This policy assignment offers remediation and updates non-compliant resources to compliant.

09 Repeat step no. 8 to create the second policy assignment. For Basics, select the following built-in policy definition: Container registries should have ARM audience token authentication disabled for Policy definition. Once the policy assignment is configured, choose Create to create the second Azure policy assignment required to disable ARM audience token authentication. This policy assignment will report and block any non-compliant cloud resources. It will also send a request to update non-compliant resources to compliant.

10 Repeat steps no. 5 – 9 for each Azure container registry that you want to configure, available within the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run acr config authentication-as-arm update command (Windows/macOS/Linux) with the name of the Azure container registry that you want to configure as the identifier parameter, to disable ARM audience token authentication for the selected Microsoft Azure container registry. This will force the container registry to use ACR audience tokens:

az acr config authentication-as-arm update \
  --registry Project5ContainerRegistry \
  --status disabled

05 The command output should return the status of the configured policy:

{
	"status": "disabled"
}

06 Repeat steps no. 4 and 5 for each Azure container registry that you want to configure, available in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription available in your Microsoft Azure cloud account.
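The Audit and Remediation CLI steps above, chained into one script that walks every subscription and registry, reports the ones still accepting ARM audience tokens and optionally applies the update command. This is an added example, not code from the Conformity page or from Microsoft; it assumes the Azure CLI is installed and signed in, and the function names, the RUN_AUDIT/FIX variables and the sample status values are the example's own.

```bash
#!/usr/bin/env bash
# Added example: audit (and optionally remediate) ARM audience token
# authentication on every Azure container registry the signed-in account can see.
# Run with RUN_AUDIT=1 to query Azure; add FIX=1 to also disable ARM audience auth.
set -euo pipefail

# Normalize the raw `--query status` output ("enabled", enabled, Disabled, with
# or without quotes/whitespace); return 0 only when ARM audience auth is disabled.
arm_auth_disabled() {
  local status
  status=$(printf '%s' "$1" | tr -d '"[:space:]' | tr '[:upper:]' '[:lower:]')
  [ "$status" = "disabled" ]
}

# One tab-separated finding line per registry: subscription, name, verdict.
classify_registry() {
  # $1 = subscription id, $2 = registry name, $3 = raw status output
  if arm_auth_disabled "$3"; then
    printf '%s\t%s\tCOMPLIANT\n' "$1" "$2"
  else
    printf '%s\t%s\tNON_COMPLIANT\n' "$1" "$2"
  fi
}

# Same commands as the Audit steps 01-07; `-o tsv` strips the JSON quoting.
audit_all() {
  local sub reg status
  for sub in $(az account list --query '[*].id' -o tsv); do
    az account set --subscription "$sub"
    for reg in $(az acr list --query '[*].name' -o tsv); do
      status=$(az acr config authentication-as-arm show --registry "$reg" \
                 --query 'status' -o tsv)
      classify_registry "$sub" "$reg" "$status"
      if [ "${FIX:-0}" = "1" ] && ! arm_auth_disabled "$status"; then
        # Remediation step 04: force the registry to accept ACR audience tokens only.
        az acr config authentication-as-arm update --registry "$reg" --status disabled
      fi
    done
  done
}

if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit_all
else
  # Offline demonstration on constructed sample output (no Azure calls made).
  classify_registry "abcdabcd-1234-abcd-1234-abcdabcdabcd" "Project5ContainerRegistry" '"enabled"'
  classify_registry "abcdabcd-1234-abcd-1234-abcdabcdabcd" "DevAIContainerRegistry" 'disabled'
fi
```

Without RUN_AUDIT=1 the script only prints the two constructed sample findings, so it can be read and tried before pointing it at a real tenant.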


Publication date Oct 23, 2024