lacework-global-356

5.1.4 Minimize Container Registries to only those approved (Automated)

Note: This rule has been changed to automated; see Automated Rules for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 2

Description

Containers in your cluster should use only container registries approved by your organization.

Rationale

Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.

Impact

All container images to be deployed to the cluster must be hosted within an approved container image registry.

Audit

Remediation

Update containers to use one of the following default allowed registries:

  • docker.io
  • ghcr.io
  • Amazon ECR Public
  • Amazon ECR Private

Alternatively, disable this policy and add a custom compliance policy that covers any additional registries approved by your organization. This can be done by copying the Query of this policy (Query ID: LW_Global_EKS_Config_PodWithNonstandardImageRegistry) and adding or adjusting the registry exclusions (commonly achieved with LIKE-style string pattern matching on the image reference).
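The check this rule automates, as an added example that is not Lacework's query or code: it derives the registry from each pod container's image reference (applying Docker's rule that an unqualified image such as nginx comes from docker.io) and flags images outside the default allowlist above. The ECR hostname patterns and the sample pod list are assumptions constructed for the example.

```python
import re

# Default allowed registries from this rule. The ECR hostnames below are
# assumptions drawn from the documented ECR naming scheme, not values on the page.
ECR_PRIVATE_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")
ALLOWED_HOSTS = {"docker.io", "ghcr.io", "public.ecr.aws"}


def registry_of(image: str) -> str:
    """Registry host of an image reference, using Docker's defaulting rule:
    the first path component is a registry only if it contains '.' or ':' or
    is 'localhost'; an unqualified image such as 'nginx' lives on docker.io."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.split(":")[0].lower()  # strip an explicit port
    return "docker.io"


def is_approved(image: str) -> bool:
    host = registry_of(image)
    return host in ALLOWED_HOSTS or bool(ECR_PRIVATE_RE.match(host))


def nonstandard_images(pods: list) -> list:
    """(pod name, image) for each container, init containers included,
    whose image comes from a registry outside the allowlist."""
    findings = []
    for pod in pods:
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if not is_approved(c["image"]):
                findings.append((pod["metadata"]["name"], c["image"]))
    return findings


# Constructed sample shaped like items from `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    {"metadata": {"name": "web"}, "spec": {"containers": [{"image": "nginx:1.25"}]}},
    {"metadata": {"name": "api"}, "spec": {"containers": [
        {"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:v2"}]}},
    {"metadata": {"name": "tool"}, "spec": {
        "initContainers": [{"image": "quay.io/example/init:latest"}],
        "containers": [{"image": "ghcr.io/example/tool:1.0"}]}},
]

if __name__ == "__main__":
    for pod_name, image in nonstandard_images(SAMPLE_PODS):
        print(f"{pod_name} pulls from a non-approved registry: {image}")
```

To extend the allowlist for your organization, add hosts to ALLOWED_HOSTS or a further pattern alongside ECR_PRIVATE_RE, which mirrors adjusting the registry exclusions in a custom policy.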

References