feat(query): implements "Beta - Azure Container Registry With Broad Permissions"

[cx-andre-pereira]

Reason for Proposed Changes

• Currently there is no query to ensure that resources of type "azurerm_role_assignment" that target a "azurerm_container_registry" resource in their "scope" field are restricted to read permissions.

• Quoting CIS_Azure_Kubernetes_Service_(AKS)_Benchmark_V1.8.0 page 119: "5.1.3 Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual) ... The Cluster Service Account does not require administrative access to Azure ACR, only requiring pull access to containers to deploy onto Azure AKS. Restricting permissions follows the principles of least privilege and prevents credentials from being abused beyond the required role".

Proposed Changes

• Implemented the missing query.

• The query will flag a given "azurerm_role_assignment" resource if it sets a "scope" field to a value containing "azurerm_container_registry." and sets either :

  • "role_definition_name" to a value that is not "AcrPull"
  • "role_definition_id" to a value that is not "7f951dda-4ed3-4680-a7ca-43fe172d538d"

• These values were based on official documentation proving "AcrPull" allows target resource to "Pull artifacts from a container registry.", that is to say it guarantees read permissions.

• NOTE this implementation might be incomplete, the CIS entry is very sparse on possible implementation details but it does reference this documentation, this plus the title of the entry were my main leads to figure out that the "azurerm_role_assignment" and "azurerm_container_registry" would be a major part of the implementation but relevant checks could be missing.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0