
lacework-global-356

5.1.4 Minimize Container Registries to only those approved (Automated)

note

This rule has been changed to automated; see Automated Policies for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 2

Description

Containers in your cluster should use only container registries approved by your organization.

Rationale

Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.

Impact

All container images to be deployed to the cluster must be hosted within an approved container image registry.

Audit

Remediation

Update containers to pull their images from one of the following default allowed registries:

• docker.io (Docker Hub; unqualified references such as `nginx:1.25` or `bitnami/kubectl` resolve here)
• ghcr.io (GitHub Container Registry)
• Amazon Elastic Container Registry (ECR) Public (`public.ecr.aws`)
• Amazon ECR Private (`<account-id>.dkr.ecr.<region>.amazonaws.com`)

Alternatively, add a compliance policy exception in the Lacework console to cover any additional registries approved by your organization.
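The following is an added example, not the page's or Lacework's own policy code, showing how to audit a cluster's running images against the default allowlist above. It reads the JSON that `kubectl get pods -A -o json` produces, resolves each image reference to its registry host using the same defaulting rules as the Docker/containerd reference parser (no slash, or a first path component without `.` or `:`, means Docker Hub), and reports every container whose registry is not allowed. The regular expression for ECR Private and the sample pod list are assumptions constructed for the example.

```python
"""Audit pod images in kubectl JSON output against a registry allowlist.

Illustrative code for this page, not Lacework's policy implementation.
Registry parsing follows the Docker/containerd reference rules; the ECR
private pattern and the sample pod list below are assumptions.
"""
import json
import re

# Default allowlist from the page. ECR Private is matched by pattern because its
# hostname embeds the account ID and region (<account>.dkr.ecr.<region>.amazonaws.com).
ALLOWED_HOSTS = {"docker.io", "ghcr.io", "public.ecr.aws"}
ALLOWED_HOST_PATTERNS = [re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")]

# Hostnames the Docker client treats as aliases of Docker Hub.
DOCKER_HUB_ALIASES = {"index.docker.io", "registry-1.docker.io"}


def registry_of(image: str) -> str:
    """Return the registry host an image reference resolves to.

    Same rules as the Docker reference parser: if there is no '/', or the first
    path component contains neither '.' nor ':' and is not 'localhost', the
    image lives on Docker Hub. Otherwise the first component is the registry,
    optionally with a port. Tags and digests only ever follow the last '/',
    so they never need stripping here.
    """
    first, sep, _ = image.partition("/")
    if not sep or ("." not in first and ":" not in first and first != "localhost"):
        return "docker.io"
    host = first.split(":", 1)[0].lower()  # drop an explicit port; allowlist is keyed on host
    return "docker.io" if host in DOCKER_HUB_ALIASES else host


def is_allowed(image: str) -> bool:
    host = registry_of(image)
    return host in ALLOWED_HOSTS or any(p.match(host) for p in ALLOWED_HOST_PATTERNS)


def images_from_pod_list(pod_list: dict):
    """Yield (namespace, pod, container, image) for every init, regular and
    ephemeral container in a `kubectl get pods -A -o json` document."""
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind, []):
                yield meta["namespace"], meta["name"], c["name"], c["image"]


def find_violations(pod_list: dict):
    """Return [(namespace, pod, container, image, registry)] for every image
    whose registry is not on the allowlist."""
    return [
        (ns, pod, name, img, registry_of(img))
        for ns, pod, name, img in images_from_pod_list(pod_list)
        if not is_allowed(img)
    ]


# Constructed sample: a trimmed-down pod list in the shape kubectl emits.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web-7d9f8"},
   "spec": {"initContainers": [{"name": "init", "image": "busybox:1.36"}],
            "containers": [
              {"name": "nginx", "image": "nginx:1.25"},
              {"name": "sidecar", "image": "ghcr.io/example/sidecar@sha256:%s"}]}},
  {"metadata": {"namespace": "kube-system", "name": "agent-x1"},
   "spec": {"containers": [
              {"name": "agent", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/agent:v2"},
              {"name": "helper", "image": "public.ecr.aws/example/helper:latest"}]}},
  {"metadata": {"namespace": "dev", "name": "test-1"},
   "spec": {"containers": [
              {"name": "cache", "image": "quay.io/example/redis:7"},
              {"name": "app", "image": "registry.internal.example:5000/team/app:dev"},
              {"name": "tool", "image": "bitnami/kubectl:1.29"}]}}
]}""" % ("a" * 64))

if __name__ == "__main__":
    # With a real cluster: kubectl get pods -A -o json > pods.json, then
    # find_violations(json.load(open("pods.json"))).
    for ns, pod, name, img, host in find_violations(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} container={name} registry={host} image={img}")
```

On the sample data the two flagged containers are `dev/test-1` `cache` (quay.io) and `app` (registry.internal.example); `bitnami/kubectl:1.29` and `busybox:1.36` are correctly treated as Docker Hub images, which is why the parser rules matter: a naive `split("/")[0]` check would misreport unqualified references. Two caveats: the ECR pattern does not match FIPS endpoints (`dkr.ecr-fips`), so extend it if your cluster pulls from those; and docker.io and ghcr.io are public registries, so a host allowlist controls where images are pulled from but not who published them. Pair it with repository-level restrictions, digest pinning or signature verification where your organization requires that assurance.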

References