Checks whether Internet access is disabled for each Container Registry instance. If so, the evaluation result is Compliant.

Scenarios

This rule applies when you need to access Container Registry instances over the Internet. Network security cannot be ensured when you access Container Registry instances over the Internet. We recommend that you access Container Registry instances over virtual private clouds (VPCs).

Risk level

Default risk level: high.

When you configure this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If Internet access is disabled for each Container Registry instance, the evaluation result is Compliant.
  • If Internet access is enabled for a Container Registry instance, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

ItemDescription
Rule namecr-instance-public-access-check
Rule identifiercr-instance-public-access-check
TagCR and Repository
Automatic remediationNot supported
Trigger typePeriodic execution
Evaluation frequencyInterval of 24 hours
Supported resource typeContainer Registry instances
Input parameterNone

Incompliance remediation

Disable Internet access for a Container Registry instance. For more information, see Configure access over the Internet.