lacework-global-356
5.1.4 Minimize Container Registries to only those approved (Automated)
Note: This rule has been changed to Automated; see Automated Rules for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 2
Description
Containers in your cluster should use only container registries approved by your organization.
Rationale
Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.
Impact
All container images to be deployed to the cluster must be hosted within an approved container image registry.
Audit
Remediation
Update containers to use one of the following default allowed registries:
- docker.io
- ghcr.io
- Amazon ECR Public
- Amazon ECR Private
Alternatively, disable this policy and add a custom compliance policy that covers any additional registries approved by your organization. To do this, copy the query of this policy (Query ID: LW_Global_EKS_Config_PodWithNonstandardImageRegistry) and add or adjust the registry exclusions (commonly done with LIKE string-pattern matching on the image reference).
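The following is an added example of the registry allowlist check the remediation describes, written as a stand-alone Python script rather than as the policy's own LQL query; it is not Lacework code. The allowlist mirrors the four default registries listed above, with the assumption that Amazon ECR Public images are referenced under `public.ecr.aws` and Amazon ECR Private images under `<account-id>.dkr.ecr.<region>.amazonaws.com` (matched with a glob). The sample pod specs are constructed for the example.

```python
"""Allowlist check for container image registries in Kubernetes pod specs.

Added example: not Lacework code and not the policy's LQL query. The allowlist
is an assumption that mirrors the policy's default registries.
"""
from fnmatch import fnmatchcase

# Assumed allowlist. ECR Public images live under public.ecr.aws; ECR Private
# hosts are <account-id>.dkr.ecr.<region>.amazonaws.com, matched with a glob.
APPROVED_REGISTRY_PATTERNS = (
    "docker.io",
    "ghcr.io",
    "public.ecr.aws",
    "*.dkr.ecr.*.amazonaws.com",
)


def registry_of(image: str) -> str:
    """Return the registry host (with port, if any) of an image reference.

    Follows the Docker reference convention: the first path component is a
    registry only if it contains '.' or ':' or is exactly 'localhost';
    otherwise the image is on Docker Hub (docker.io), so 'nginx:1.25' and
    'library/nginx' both resolve to docker.io.
    """
    first, sep, _rest = image.partition("/")
    if not sep:
        return "docker.io"
    if "." in first or ":" in first or first == "localhost":
        return first.lower()
    return "docker.io"


def is_approved(image: str, patterns=APPROVED_REGISTRY_PATTERNS) -> bool:
    """True if the image's registry matches an allowlist entry exactly or by glob."""
    registry = registry_of(image)
    return any(fnmatchcase(registry, p) for p in patterns)


def find_violations(pods, patterns=APPROVED_REGISTRY_PATTERNS):
    """Return (pod, container, image, registry) for every container or init
    container whose image is pulled from a registry outside the allowlist."""
    violations = []
    for pod in pods:
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image = c["image"]
            if not is_approved(image, patterns):
                violations.append(
                    (pod["metadata"]["name"], c["name"], image, registry_of(image))
                )
    return violations


# Constructed sample pods (not real cluster data).
SAMPLE_PODS = [
    {"metadata": {"name": "web"},
     "spec": {"containers": [
         {"name": "nginx", "image": "nginx:1.25"},
         {"name": "sidecar", "image": "ghcr.io/example/sidecar@sha256:" + "a" * 64}]}},
    {"metadata": {"name": "batch"},
     "spec": {"initContainers": [
         {"name": "init", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/tools:v2"}],
      "containers": [
         {"name": "job", "image": "public.ecr.aws/example/job:1.0"},
         {"name": "mirror", "image": "registry.example.internal:5000/app:3"}]}},
    {"metadata": {"name": "decoy"},
     "spec": {"containers": [
         {"name": "lookalike", "image": "evil.example/docker.io/payload:latest"}]}},
]

if __name__ == "__main__":
    for pod, container, image, registry in find_violations(SAMPLE_PODS):
        print(f"{pod}/{container}: {image} (registry {registry} not approved)")
```

Two details matter when you adapt the policy's LIKE-based exclusions: an image with no registry prefix (`nginx:1.25`, `library/nginx`) is pulled from Docker Hub, so a pattern like `'docker.io/%'` alone would flag it as nonstandard even though docker.io is approved; and a loose substring pattern like `'%docker.io%'` would accept `evil.example/docker.io/payload`, which the `decoy` pod above is there to catch. Matching on the parsed registry host, as the script does, avoids both mistakes.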