
Commit 0b270a1

committed
Fixed some links
1 parent 560cd77 commit 0b270a1

2 files changed

+3
-3
lines changed

includes/asc-recs-container.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ There are **27** recommendations in this category.
1313
|---|---|---|
1414
|[\[Enable if required\] Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/af560c4d-9c05-e073-b9f1-f7a94958ff25) |Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. <br> To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in <a target="_blank" href="/azure/defender-for-cloud/tutorial-security-policy?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation">Manage security policies</a>.<br>Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.<br />(Related policy: [Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580)) |Low |
1515
|[Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/0642d770-b189-42ef-a2ce-9dcc3ec6c169) |Azure Policy extension for Kubernetes extends <a target="_blank" href="https://github.com/open-policy-agent/gatekeeper">Gatekeeper</a> v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.<br />(No related policy) |High |
16-
|[Azure Arc-enabled Kubernetes clusters should have the Defender extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6) |Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.<br />(No related policy) |High |
16+
|[Azure Arc-enabled Kubernetes clusters should have the Defender extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6) |Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. <a target="_blank" href="azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation"> Learn more</a>.<br />(No related policy) |High |
1717
|[Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/08e628db-e2ed-4793-bc91-d13e684401c3) |Azure Policy add-on for Kubernetes extends <a target="_blank" href="https://github.com/open-policy-agent/gatekeeper">Gatekeeper</a> v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.<p>Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. <a target="_blank" href="/azure/governance/policy/concepts/policy-for-kubernetes"> Learn more</a>.</p><p>Requires Kubernetes v1.14.0 or later.</p><br />(Related policy: [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f0a15ec92-a229-4763-bb14-0ea34a568f8d)) |High |
1818
|[Container CPU and memory limits should be enforced](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/405c9ae6-49f9-46c4-8873-a86690f27818) |Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).<p>We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.</p><br />(Related policy: [Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fe345eecc-fa47-480f-9e88-67dcc122b164)) |Medium |
1919
|[Container images should be deployed from trusted registries only](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/8d244d29-fa00-4332-b935-c3a51d525417) |Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.<br />(Related policy: [Ensure only allowed container images in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2ffebd0533-8e55-448f-b837-bd0e06f16469)) |High |
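Review bot: the replacement href on the Defender extension row (the `16+` line) is `azure/defender-for-cloud/defender-for-kubernetes-azure-arc?...` with no leading slash, whereas every other docs link in this hunk is site-root-relative (`href="/azure/defender-for-cloud/tutorial-security-policy?..."` on line 14 and `href="/azure/governance/policy/concepts/policy-for-kubernetes"` on line 17). Without the leading slash the path resolves relative to whatever directory this include is rendered from, so the "Learn more" link is likely to 404 wherever `asc-recs-container.md` is embedded; it should read `href="/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation"`. Minor: the leading space in the anchor text `"> Learn more</a>` renders as a stray space before the link; the Policy add-on row has the same quirk, so fixing both here would keep the table consistent.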
