lacework-global-356
5.1.4 Minimize Container Registries to only those approved (Automated)
This rule has been changed to automated; see Automated Policies for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 2
Description
Containers in your cluster should use only container registries approved by your organization.
Rationale
Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.
Impact
All container images to be deployed to the cluster must be hosted within an approved container image registry.
Audit
Remediation
Update containers to use one of the following default allowed registries:
- docker.io
- ghcr.io
- Amazon Elastic Container Registry (ECR) Public
- Amazon ECR Private
Alternatively, add a compliance policy exception in the Lacework console to cover any additional registries approved by your organization.
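As an added illustration, not part of the Lacework policy or its evaluation logic, the following Python script performs the check this rule implies: it extracts every image reference from a pod spec (init, regular and ephemeral containers) and flags those whose registry is outside the default allowlist above. Two details matter for an audit like this: an image with no registry prefix (`busybox:1.36`, `library/nginx`) implicitly resolves to docker.io under Docker's reference normalisation, and a first path component is only treated as a registry when it contains a `.` or `:` or is `localhost`. The ECR hostnames (`public.ecr.aws` and `<account>.dkr.ecr.<region>.amazonaws.com`) and the exact pattern matching are the example's own assumptions; Lacework's policy may match differently.

```python
"""Audit Kubernetes pod specs for images pulled from registries outside an allowlist.
Example code written for this page; not Lacework's implementation of rule 5.1.4."""
import json
import re
from typing import Iterable, List

# Assumed allowlist derived from the page's four default registries. The ECR
# hostnames and wildcard patterns are this example's interpretation, not
# Lacework's exact matching rules.
ALLOWED_REGISTRY_PATTERNS = [
    r"(?:index\.)?docker\.io",                        # docker.io (and its index host)
    r"ghcr\.io",                                      # ghcr.io
    r"public\.ecr\.aws",                              # Amazon ECR Public
    r"\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com",  # Amazon ECR Private
]
_ALLOWED_RE = re.compile(r"^(?:" + "|".join(ALLOWED_REGISTRY_PATTERNS) + r")$")


def registry_of(image: str) -> str:
    """Return the registry host of an image reference using Docker's normalisation
    rule: the first path component is a registry only if it contains '.' or ':'
    or equals 'localhost'; otherwise the image implicitly lives on docker.io."""
    first, sep, _rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def is_allowed(image: str) -> bool:
    """True if the image's registry matches one of the approved patterns exactly."""
    return bool(_ALLOWED_RE.match(registry_of(image)))


def images_in_pod_spec(pod_spec: dict) -> Iterable[str]:
    """Yield every image in a pod spec, including init and ephemeral containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(key, []):
            if "image" in container:
                yield container["image"]


def disallowed_images(pod_spec: dict) -> List[str]:
    """Return the images in a pod spec that are not hosted on an approved registry."""
    return [img for img in images_in_pod_spec(pod_spec) if not is_allowed(img)]


# Constructed sample: the .spec portion of a pod as `kubectl get pod -o json`
# would return it, trimmed to the fields this check reads.
SAMPLE_POD_SPEC = json.loads("""
{
  "initContainers": [{"name": "init", "image": "busybox:1.36"}],
  "containers": [
    {"name": "web", "image": "ghcr.io/example-org/web:2.1"},
    {"name": "sidecar", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/sidecar:v3"},
    {"name": "cache", "image": "quay.io/example/redis:7"},
    {"name": "tool", "image": "registry.internal.example:5000/tools/debug:latest"}
  ]
}
""")

if __name__ == "__main__":
    for image in disallowed_images(SAMPLE_POD_SPEC):
        print(f"FAIL 5.1.4: {image} (registry {registry_of(image)} is not approved)")
```

Run against the sample, the script reports the quay.io and internal-registry images and accepts the others, including `busybox:1.36`, which carries no registry prefix and therefore resolves to docker.io. A registry approved through a Lacework policy exception (or a Docker Hub mirror) would need its own entry in the pattern list, since hosts are matched exactly rather than by suffix.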