Audit compliance of Azure container registries using Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policy definitions. These policy definitions enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

This article describes how to audit compliance by using Azure Policy built-in policy definitions for Azure Container Registry. Use these definitions to audit new and existing registries for compliance.

There is no charge for using Azure Policy.

Create container registry policy assignments

Create policy assignments by using the Azure portal, Azure CLI, a Resource Manager template, or the Azure Policy SDKs. Enable or disable policy enforcement at any time.

You can scope a policy assignment to a resource group, a subscription, or an Azure management group. Container registry policy assignments apply to existing and new container registries within the scope.

Note

After you create or update a policy assignment, it takes some time for the assignment to evaluate resources in the defined scope. For more information, see policy evaluation triggers.

Review container registry policy compliance

Access compliance information generated by your policy assignments using the Azure portal, Azure command-line tools, or the Azure Policy SDKs. For more information, see Get compliance data of Azure resources.

There are many possible reasons why a resource could be non-compliant. To determine the reason or to find the change responsible, see Determine non-compliance.

Review policy compliance in the Azure portal

  1. In the Azure portal, search for Policy.
  2. Select Compliance.
  3. Use the filters to limit compliance states or to search for policies.
  4. Select a policy to review aggregate compliance details and events. To see resource-level compliance, select a specific registry.

Review policy compliance by using the Azure CLI

You can also use the Azure CLI to get compliance data. For example, use the az policy assignment list command in the CLI to get the policy IDs of the Azure Container Registry policies that are applied:

az policy assignment list --query "[?contains(displayName,'Container Registries')].{name:displayName, ID:id}" --output table

Sample output:

Name                                                                                   ID
-------------------------------------------------------------------------------------  --------------------------------------------------------------------------------------------------------------------------------
Container Registries should not allow unrestricted network access           /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/b4faf132dc344b84ba68a441
Container Registries should be encrypted with a Customer-Managed Key (CMK)  /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/cce1ed4f38a147ad994ab60a

Run az policy state list to return the JSON-formatted compliance state for all resources under a specific policy ID:

az policy state list \
  --resource <policyID>

Or run az policy state list to return the JSON-formatted compliance state of a specific registry resource, such as myregistry:

az policy state list \
  --resource myregistry \
  --namespace Microsoft.ContainerRegistry \
  --resource-type registries \
  --resource-group myresourcegroup
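The JSON that az policy state list returns contains one record per resource and policy assignment, so across a subscription it quickly becomes hard to read. The following script is an added example (not part of the Azure documentation or the Azure CLI) that summarises that output per assignment for container registries only; the record fields it reads (complianceState, policyAssignmentName, resourceType, resourceId) are those of the Azure Policy state schema, and the registry names, assignment names and subscription ID in the embedded sample are constructed placeholders.

```python
import json
import sys
from collections import defaultdict

# Resource type string that Azure Policy reports for a container registry (compared case-insensitively).
ACR_TYPE = "microsoft.containerregistry/registries"

def _state(compliance, assignment, resource_type, resource_name):
    # Build one record in the shape `az policy state list --output json` prints (constructed sample).
    return {"complianceState": compliance, "policyAssignmentName": assignment,
            "resourceType": resource_type,
            "resourceId": f"/subscriptions/<subscriptionID>/resourceGroups/myresourcegroup"
                          f"/providers/{resource_type}/{resource_name}"}

NETWORK = "Container Registries should not allow unrestricted network access"
CMK = "Container Registries should be encrypted with a Customer-Managed Key (CMK)"
ACR = "Microsoft.ContainerRegistry/registries"

# Constructed sample data; registry and assignment names are placeholders, not real resources.
# The storage account record shows that records for other resource types are filtered out.
SAMPLE_STATES = json.dumps([
    _state("NonCompliant", NETWORK, ACR, "myregistry"),
    _state("Compliant", CMK, ACR, "myregistry"),
    _state("NonCompliant", NETWORK, ACR, "devregistry"),
    _state("NonCompliant", CMK, ACR, "devregistry"),
    _state("NonCompliant", "Storage accounts should restrict network access",
           "Microsoft.Storage/storageAccounts", "mystorage"),
])

def summarize(states_json):
    """Return {assignment: {"compliant": count, "nonCompliant": [registry names]}} for ACR records."""
    summary = defaultdict(lambda: {"compliant": 0, "nonCompliant": []})
    for state in json.loads(states_json):
        if state.get("resourceType", "").lower() != ACR_TYPE:
            continue  # compliance records for other resource types in the scope are skipped
        entry = summary[state["policyAssignmentName"]]
        registry = state["resourceId"].rsplit("/", 1)[-1]  # last path segment is the registry name
        if state["complianceState"] == "NonCompliant":
            entry["nonCompliant"].append(registry)
        elif state["complianceState"] == "Compliant":
            entry["compliant"] += 1
    return dict(summary)

if __name__ == "__main__":
    # With live data: az policy state list --output json | python summarize_acr_policy.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for assignment, entry in summarize(data).items():
        print(f"{assignment}: {entry['compliant']} compliant; "
              f"non-compliant: {', '.join(entry['nonCompliant']) or 'none'}")
```

Run without input to see the constructed sample summarised, or pipe the real CLI output into it.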

Next steps