Security Risks Identified in Azure Reader Role for ACR


🛡️🖼️ Azure Container Registry’s Reader Role Poses Security Risks. A recent security review revealed that users granted the Azure Reader role at the subscription level can download container images from Azure Container Registry (ACR), potentially exposing sensitive data. This behavior, while documented, highlights a significant oversight in Azure’s permission model, where the default AcrPull permission allows unintended access to confidential information within container images. The article emphasizes the need for organizations to limit role assignments, avoid embedding sensitive data in images, and consider using more granular access controls. It also calls for Microsoft to revise the default permission model to enhance security by separating control and data plane permissions, similar to Azure Key Vault’s approach.
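One way to audit for this exposure, as an added example that is not from the original article: it evaluates role assignments shaped like `az role assignment list --all` output and reports principals who can pull from a registry through a role other than AcrPull. The role definitions are reduced to their `actions`/`notActions`, the subscription ID, registry and principals are constructed, and `ReaderNoAcrPull` is a hypothetical custom role.

```python
import fnmatch

# Action that permits pulling images; the built-in AcrPull role grants exactly this.
PULL_ACTION = "Microsoft.ContainerRegistry/registries/pull/read"

# Role definitions reduced to the fields used here.
ROLE_DEFS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "AcrPull": {"actions": [PULL_ACTION], "notActions": []},
    # Hypothetical custom role: read everything except image pull.
    "ReaderNoAcrPull": {"actions": ["*/read"], "notActions": [PULL_ACTION]},
}

# Constructed sample data (placeholder subscription ID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
REGISTRY = (SUB + "/resourceGroups/rg-apps/providers/"
            "Microsoft.ContainerRegistry/registries/exampleacr")
ASSIGNMENTS = [
    {"principalName": "auditor@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ci-pipeline", "roleDefinitionName": "AcrPull", "scope": REGISTRY},
    {"principalName": "helpdesk@example.com", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-other"},
    {"principalName": "finance@example.com", "roleDefinitionName": "ReaderNoAcrPull",
     "scope": SUB},
]

def grants(role, action):
    """True if the role's actions match `action` and no notActions entry removes it."""
    a = action.lower()
    allowed = any(fnmatch.fnmatchcase(a, p.lower()) for p in role["actions"])
    denied = any(fnmatch.fnmatchcase(a, p.lower()) for p in role["notActions"])
    return allowed and not denied

def covers(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def unintended_pullers(assignments, registry_id):
    """Principals able to pull from the registry via a role other than AcrPull."""
    return sorted(
        a["principalName"] for a in assignments
        if a["roleDefinitionName"] != "AcrPull"
        and covers(a["scope"], registry_id)
        and grants(ROLE_DEFS[a["roleDefinitionName"]], PULL_ACTION)
    )

if __name__ == "__main__":
    for name in unintended_pullers(ASSIGNMENTS, REGISTRY):
        print("can pull images without AcrPull:", name)
```
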
