diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/metadata.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/metadata.json
new file mode 100644
index 00000000000..9f68ca54016
--- /dev/null
+++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "77deea6a-155e-4865-bf04-153d23e488e8",
+ "queryName": "Beta - Azure Container Registry With Broad Permissions",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "Azure Container Registry resources should only have 'read' permissions",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry",
+ "platform": "Terraform",
+ "descriptionID": "77deea6a",
+ "cloudProvider": "azure",
+ "cwe": "732",
+ "riskScore": "6.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/query.rego b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/query.rego
new file mode 100644
index 00000000000..eadc8eec5e6
--- /dev/null
+++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/query.rego
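Review bot: `descriptionText` promises that registries "should only have 'read' permissions", but the rule this metadata describes reports every role assignment on a registry whose role is not `AcrPull`, so other read-only built-in roles such as `Reader` are findings too; wording the text to match the check keeps the finding and the remediation aligned, e.g. `"descriptionText": "Role assignments scoped to an Azure Container Registry should use only the 'AcrPull' role"`. `descriptionUrl` links the `container_registry` resource page, while the query inspects `azurerm_role_assignment` and its `role_definition_name`/`role_definition_id` attributes, so the `.../docs/resources/role_assignment` page would be the more useful reference for someone fixing a finding.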
@@ -0,0 +1,41 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.azurerm_role_assignment[name]
+
+ contains(resource.scope, "azurerm_container_registry.")
+ results := get_results(resource, name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "azurerm_role_assignment",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("azurerm_role_assignment[%s].%s", [name, results.target_resource]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'azurerm_role_assignment[%s].%s' should be set to '%s'", [name, results.target_resource, results.expected]),
+ "keyActualValue": sprintf("'azurerm_role_assignment[%s].%s' is set to '%s'", [name, results.target_resource, results.actual]),
+ "searchLine": results.searchLine
+ }
+}
+
+get_results(resource, name) = results {
+ common_lib.valid_key(resource, "role_definition_name")
+ resource.role_definition_name != "AcrPull"
+ results := {
+ "target_resource" : "role_definition_name",
+ "expected" : "AcrPull",
+ "actual" : resource.role_definition_name,
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_role_assignment", name, "role_definition_name"], [])
+ }
+} else = results {
+ resource.role_definition_id != "7f951dda-4ed3-4680-a7ca-43fe172d538d"
+ results := {
+ "target_resource" : "role_definition_id",
+ "expected" : "7f951dda-4ed3-4680-a7ca-43fe172d538d",
+ "actual" : resource.role_definition_id,
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_role_assignment", name, "role_definition_id"], [])
+ }
+}
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/negative.tf b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/negative.tf
new file mode 100644
index 00000000000..c26f2142c76
--- /dev/null
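Review bot: The `else` branch of `get_results` reports any `role_definition_id` that is not byte-equal to the bare AcrPull GUID, yet in the azurerm provider `role_definition_id` is normally the full role-definition resource ID (`/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-…`, typically taken from `data.azurerm_role_definition`), and Azure treats GUID casing as insignificant, so a correctly configured AcrPull assignment written that way is reported as a HIGH finding. Suffix-matching the normalized value keeps the intent while accepting both forms: `not endswith(lower(resource.role_definition_id), "7f951dda-4ed3-4680-a7ca-43fe172d538d")`, leaving `expected` as the GUID. A separate gap worth documenting or closing is the scope filter: `contains(resource.scope, "azurerm_container_registry.")` only catches scopes expressed as a reference to a registry declared in the same configuration, so an assignment whose `scope` is a literal registry resource ID (`…/Microsoft.ContainerRegistry/registries/<name>`) is never examined; a second rule body matching `"Microsoft.ContainerRegistry/registries/"` would cover it, or the limitation should be stated in the query description.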
+++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/negative.tf
@@ -0,0 +1,19 @@
+resource "azurerm_container_registry" "sample" {
+ name = "exampleacr123"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = "Basic"
+ admin_enabled = false
+}
+
+resource "azurerm_role_assignment" "negative1" {
+ principal_id = azurerm_kubernetes_cluster.sample.object_id
+ role_definition_name = "AcrPull"
+ scope = azurerm_container_registry.sample.id
+}
+
+resource "azurerm_role_assignment" "negative2" {
+ principal_id = azurerm_kubernetes_cluster.sample.object_id
+ role_definition_id = "7f951dda-4ed3-4680-a7ca-43fe172d538d" # id for ArcPull
+ scope = azurerm_container_registry.sample.id
+}
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive.tf b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive.tf
new file mode 100644
index 00000000000..1e47ca4d38d
--- /dev/null
+++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive.tf
@@ -0,0 +1,19 @@
+resource "azurerm_container_registry" "sample" {
+ name = "exampleacr123"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = "Basic"
+ admin_enabled = false
+}
+
+resource "azurerm_role_assignment" "positive1" {
+ principal_id = azurerm_kubernetes_cluster.sample.object_id
+ role_definition_name = "AcrPush"
+ scope = azurerm_container_registry.sample.id
+}
+
+resource "azurerm_role_assignment" "positive2" {
+ principal_id = azurerm_kubernetes_cluster.sample.object_id
+ role_definition_id = "8311e382-0749-4cb8-b61a-304f252e45ec" # id for AcrPush
+ scope = azurerm_container_registry.sample.id
+}
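Review bot: The negative fixture only covers the two spellings the rule compares for exactly — the role name and a bare GUID in `negative2` — so it never exercises how `role_definition_id` is usually written with this provider, a full `…/providers/Microsoft.Authorization/roleDefinitions/<guid>` path such as `data.azurerm_role_definition.acrpull.id`; a third negative case using that form would pin down whether the query is meant to accept it, and with the rego as written it would currently fail. The comment on `negative2` also transposes the role name: `# id for ArcPull` should read `# id for AcrPull`, so nobody searches Azure's built-in roles for a name that does not exist.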
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json
new file mode 100644
index 00000000000..a55c056c993
--- /dev/null
+++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+ {
+ "queryName": "Beta - Azure Container Registry With Broad Permissions",
+ "severity": "HIGH",
+ "line": 11
+ },
+ {
+ "queryName": "Beta - Azure Container Registry With Broad Permissions",
+ "severity": "HIGH",
+ "line": 17
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 18d7efec018..8175e3f8838 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -15,3 +15,7 @@ similarityIDChangeList:
 queryName: Beta - Databricks Workspace Using Default Virtual Network
 observations: ""
 change: 2
+ - queryId: 77deea6a-155e-4865-bf04-153d23e488e8
+ queryName: Beta - Azure Container Registry With Broad Permissions
+ observations: ""
+ change: 2