Container Registries Encrypted with Customer-Managed Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Microsoft Azure container registries are using Customer-Managed Keys (CMKs) instead of Microsoft-managed keys (i.e. default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your registry data encryption and decryption process.

Security

Azure Container Registry (ACR) automatically encrypts your images and artifacts upon being pushed to the registry and decrypts them when they are pulled. The encryption protects your data and assists in fulfilling your organization's security and compliance requirements. By default, the ACR encryption process uses Microsoft-managed keys, also known as service-managed keys. However, you can bring your own keys (i.e. Customer-Managed Keys) to fully control who can use the encryption keys and access the encrypted data. Using Customer-Managed Keys (CMKs) also allows you to automatically update the key version used for storage encryption whenever a new version is available.


Audit

To determine if your Azure Container Registry (ACR) registries are encrypted using Customer-Managed Keys (CMKs), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the navigation panel, under Settings, select Encryption to access the encryption configuration settings available for the selected container registry. If the encryption settings are not available and the following message is displayed instead: "Encryption using customer-managed key is not enabled for this registry. Click here to learn more.", encryption at rest using Customer-Managed Keys (CMKs) is not enabled for the selected Microsoft Azure container registry.

07 Repeat steps no. 5 and 6 for each Azure container registry available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run acr list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure container registry available in the selected subscription:

az acr list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested container registry identifiers:

Name                        ResourceGroup
-------------------------   ------------------------------
Project5ContainerRegistry   cloud-shell-storage-westeurope
DevAIContainerRegistry      cloud-shell-storage-westeurope

06 Run acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to determine if encryption at rest using Customer-Managed Keys is enabled for the selected registry:

az acr show \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --query 'encryption.status'

07 The command output should return the status of the CMK-based encryption, configured for the selected resource:

"disabled"

If the acr show command output returns "disabled", as shown in the example above, encryption at rest using Customer-Managed Keys (CMKs) is not enabled for the selected Microsoft Azure container registry.

08 Repeat steps no. 6 and 7 for each Azure container registry available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
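The whole CLI audit above (steps 1 to 9) as one script. This is an added example, not Conformity's own tooling: it wraps the same az commands, assumes the Azure CLI is installed and logged in, and keeps the pass/fail logic in a pure function so it can be exercised offline on a constructed sample of az acr list output.

```python
# Added example, not Conformity's own tooling: wraps the same az commands as the
# Audit procedure above; assumes the Azure CLI is installed and logged in.
# evaluate_registries() is pure so it can be exercised offline on SAMPLE_ACR_LIST.
import json
import subprocess

RG = "cloud-shell-storage-westeurope"
KEY_ID = ("https://tm-project5-key-vault.vault.azure.net/keys/"
          "tm-project5-aks-key/abcd1234abcd1234abcd1234abcd1234")
# Constructed sample of `az acr list` output, trimmed to the fields used here.
SAMPLE_ACR_LIST = [
    {"name": "Project5ContainerRegistry", "resourceGroup": RG,
     "sku": {"name": "Premium"}, "encryption": {"status": "disabled"}},
    {"name": "newproject5registry", "resourceGroup": RG, "sku": {"name": "Premium"},
     "encryption": {"status": "enabled", "keyVaultProperties": {
         "keyIdentifier": KEY_ID, "keyRotationEnabled": False}}},
    {"name": "devaibasic", "resourceGroup": "rg-dev", "sku": {"name": "Basic"}},
]

def az(*args):
    """Run an Azure CLI command and return its parsed JSON output (None if empty)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def evaluate_registries(registries):
    """One finding per registry from `az acr list` output. Compliant only when
    encryption.status == "enabled"; a missing encryption block (Basic/Standard
    SKUs cannot use CMKs) counts as not enabled."""
    findings = []
    for reg in registries:
        enc = reg.get("encryption") or {}
        kv = enc.get("keyVaultProperties") or {}
        findings.append({
            "name": reg["name"],
            "resourceGroup": reg["resourceGroup"],
            "sku": (reg.get("sku") or {}).get("name"),
            "cmkEnabled": (enc.get("status") or "").lower() == "enabled",
            "keyIdentifier": kv.get("keyIdentifier"),
            "keyRotationEnabled": bool(kv.get("keyRotationEnabled")),
        })
    return findings

def audit_all_subscriptions():
    """Steps 1-9 of the CLI audit: every subscription, then every registry in it."""
    report = {}
    for sub_id in az("account", "list", "--query", "[*].id"):
        az("account", "set", "--subscription", sub_id)  # prints nothing
        report[sub_id] = evaluate_registries(az("acr", "list"))
    return report

if __name__ == "__main__":
    for sub_id, findings in audit_all_subscriptions().items():
        for f in findings:
            print("OK  " if f["cmkEnabled"] else "FAIL", sub_id, f["resourceGroup"], f["name"])
```

Every registry reported as FAIL, including those whose encryption block is absent because they are not on the Premium tier, is a finding for this rule.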

Remediation / Resolution

To enable encryption at rest for your Microsoft Azure container registries using Customer-Managed Keys (CMKs), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Managed Identities blade available at https://portal.azure.com/#browse/Microsoft.ManagedIdentity%2FuserAssignedIdentities.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Choose Create and perform the following actions to create a new user-assigned managed identity:

  1. For Basics, choose the correct subscription and resource group, provide a unique name for the new managed identity, then select the Azure region where your cloud resources are deployed. Choose Next to continue the setup process.
  2. For Tags, use the Name and Value fields to create tags that will help organize your managed identity. Choose Review + create to validate the identity setup.
  3. For Review + create, review the resource configuration details, then choose Create to create your new user-assigned managed identity.

05 Navigate to Key vaults blade available at https://portal.azure.com/#browse/Microsoft.KeyVault%2Fvaults.

06 Choose Create and perform the following actions to create the Azure key vault that will store your new Customer-Managed Key (CMK):

  1. For Basics, choose the correct Azure subscription and resource group, provide a unique name for the new key vault, then select the Azure cloud region where the vault will be deployed and the appropriate pricing tier. Configure the vault retention period and enable purge protection. Both soft delete and purge protection must be enabled on the key vault. Choose Next to continue the setup process.
  2. For Access configuration, select Vault access policy for Permission model, choose Create under Access policies, and follow the setup wizard to create the policy that allows Azure Kubernetes Service to create, get, recover, wrap, and unwrap encryption keys from the new vault. For the policy principal, choose the user-assigned managed identity created at step no. 4. Once the access policy is configured, choose Create to create and attach it to the key vault. Configure the Azure resource access under Resource access. Choose Next to continue the setup.
  3. For Networking, configure the network access control for the new key vault. You can connect to your new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue.
  4. For Tags, use the Name and Value fields to create tags that will help organize your key vault. Choose Review + create to validate the key vault setup.
  5. For Review + create, review the resource configuration details, then choose Create to create your new Azure key vault.

07 Once the deployment is complete, choose Go to resource to access your new Microsoft Azure key vault.

08 In the resource navigation panel, under Objects, select Keys, then choose Generate/Import to create the Customer-Managed Key required for AKS cluster disks encryption.

09 On the Create a key setup page, provide a unique name for the encryption key in the Name box, set Key type to RSA, RSA key size to 2048, choose an activation and/or expiration date, set the Enabled flag to Yes, then choose Create to generate your new Customer-Managed Key (CMK).

10 Once your new Customer-Managed Key is available, navigate to Container registries blade at https://portal.azure.com/#browse/Microsoft.ContainerRegistry%2Fregistries, choose Create, and perform the following actions to deploy your new container registry:

  1. For Basics, provide a name for the new container registry, select the appropriate Azure subscription and resource group, choose the location (region) where the registry will be deployed, set the pricing plan to Premium, and choose whether to use multiple Availability Zones (AZs) for high availability. Choose Next: Networking > to continue the setup process.
  2. For Networking, select Private access (Recommended) next to Connectivity configuration to make your new container registry private. Choose Create a private endpoint connection and follow the setup wizard to deploy a private endpoint for your registry. Choose Next: Encryption to continue the setup.
  3. For Encryption, perform the following actions to enable encryption at rest using Customer-Managed Keys (CMKs):
    1. For Customer-Managed Key, choose Enabled.
    2. For Subscription and Identity, choose the user-assigned managed identity created at step no. 4 and the associated subscription.
    3. For Encryption, choose Select from Key Vault.
    4. For Encryption key, choose Select from Key Vault, and choose the Azure key vault and Customer-Managed Key (CMK) created earlier in the Remediation process.
    5. Choose Next to continue the setup.
  4. For Tags, create the necessary tags and choose Next: Review + create > to validate the configuration information provided during setup.
  5. For Review + create, review the resource configuration details, then choose Create to deploy your new, CMK-encrypted container registry.

11 Repeat step no. 10 for each Azure container registry that you want to encrypt with a Customer-Managed Key (CMK), available in the selected subscription.

12 Repeat steps no. 2 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run identity create command (Windows/macOS/Linux) to create a new user-assigned managed identity for your registry, required to access the Azure key vault:

az identity create \
  --name cc-project5-user-identity \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --query '{id:id,principalId:principalId}'

05 The command output should return the resource ID and the principal ID of the new user-assigned managed identity:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-user-identity",
	"principalId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}

06 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure key vault where the required Customer-Managed Key (CMK) will be placed. Both soft delete and purge protection must be enabled on the new key vault:

az keyvault create \
  --name tm-project5-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-rbac-authorization false \
  --enabled-for-deployment true \
  --enabled-for-template-deployment true \
  --enable-purge-protection true

07 The command output should return the configuration information available for the new Azure key vault:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/tm-project5-vault",
	"location": "westeurope",
	"name": "tm-project5-vault",
	"properties": {
		"accessPolicies": [
		{
			"applicationId": null,
			"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
			"permissions": {
				"certificates": [
					"all"
				],
				"keys": [
					"all"
				],
				"secrets": [
					"all"
				],
				"storage": [
					"all"
				]
			},
			"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
		}
		],
		"createMode": null,
		"enablePurgeProtection": true,
		"enableRbacAuthorization": false,
		"enableSoftDelete": true,
		"enabledForDeployment": true,
		"enabledForDiskEncryption": null,
		"enabledForTemplateDeployment": true,
		"hsmPoolResourceId": null,
		"networkAcls": null,
		"privateEndpointConnections": null,
		"provisioningState": "Succeeded",
		"publicNetworkAccess": "Enabled",
		"sku": {
			"family": "A",
			"name": "standard"
		},
		"softDeleteRetentionInDays": 30,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"vaultUri": "https://tm-project5-vault.vault.azure.net/"
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": {
		"createdAt": "2024-10-10T17:04:00.983000+00:00",
		"createdBy": "",
		"createdByType": "User",
		"lastModifiedAt": "2024-10-10T17:04:00.983000+00:00",
		"lastModifiedBy": "",
		"lastModifiedByType": "User"
	},
	"tags": {},
	"type": "Microsoft.KeyVault/vaults"
}

08 Run keyvault set-policy command (Windows/macOS/Linux) to assign the right permissions to your new Azure key vault. For the --object-id parameter, use the "principalId" value returned at step no. 5:

az keyvault set-policy \
  --name tm-project5-key-vault \
  --object-id abcdabcd-abcd-abcd-abcd-abcdabcdabcd \
  --key-permissions create get recover unwrapKey wrapKey \
  --query 'properties.accessPolicies'

09 The command output should return the modified key vault configuration information:

[
	{
		"applicationId": null,
		"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
		"permissions": {
			"certificates": [
				"all"
			],
			"keys": [
				"recover",
				"unwrapKey",
				"get",
				"create",
				"wrapKey"
			],
			"secrets": [
				"all"
			],
			"storage": [
				"all"
			]
		},
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
	}
]

10 Run keyvault key create command (Windows/macOS/Linux) to create the Customer-Managed Key (CMK) necessary to encrypt data for your Azure container registry:

az keyvault key create \
  --name tm-project5-aks-key \
  --vault-name tm-project5-key-vault \
  --kty RSA \
  --size 2048 \
  --ops decrypt encrypt sign unwrapKey verify wrapKey \
  --protection software \
  --disabled false \
  --query 'key.kid'

11 The command output should return the URL of the new Customer-Managed Key:

"https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-aks-key/abcd1234abcd1234abcd1234abcd1234"

12 Run acr create command (Windows/macOS/Linux) to deploy a new Microsoft Azure container registry in the selected subscription. Include the --identity and --key-encryption-key parameters to specify the user-assigned managed identity and Customer-Managed Key (CMK) created earlier in the Remediation process. This will enable CMK-based encryption for your new container registry:

az acr create \
  --name newproject5registry \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --sku Premium \
  --identity "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-user-identity" \
  --key-encryption-key "https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-aks-key/abcd1234abcd1234abcd1234abcd1234"

13 The command output should return the information available for the new Azure container registry:

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-10-16T18:15:35.927859+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": {
			"identity": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
			"keyIdentifier": "https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-aks-key/abcd1234abcd1234abcd1234abcd1234",
			"keyRotationEnabled": false,
			"lastKeyRotationTimestamp": null,
			"versionedKeyIdentifier": "https://tm-project5-key-vault.vault.azure.net/keys/tm-project5-aks-key/abcd1234abcd1234abcd1234abcd1234"
		},
		"status": "enabled"
	},
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/newproject5registry",
	"identity": {
		"principalId": null,
		"tenantId": null,
		"type": "userAssigned",
		"userAssignedIdentities": {
			"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-user-identity": {
				"clientId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
				"principalId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
			}
		}
	},
	"location": "westeurope",
	"loginServer": "newproject5registry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "newproject5registry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Allow",
		"ipRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-10-16T18:15:42.574649+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-10-16T18:15:42.574703+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Enabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"systemData": {
		"createdAt": "2024-10-16T18:15:35.927859+00:00",
		"createdBy": "admin@domain.com",
		"createdByType": "User",
		"lastModifiedAt": "2024-10-16T18:15:35.927859+00:00",
		"lastModifiedBy": "admin@domain.com",
		"lastModifiedByType": "User"
	},
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

14 Repeat steps no. 12 and 13 for each Azure container registry that you want to encrypt with a Customer-Managed Key (CMK), available in the selected subscription.

15 Repeat steps no. 3 – 14 for each subscription created in your Microsoft Azure cloud account.

Publication date Oct 23, 2024