Skip to content

Commit 1d1071e

Browse files
committed
Add link to ACG best practices
1 parent 3641663 commit 1d1071e

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

articles/virtual-machines/image-builder-best-practices.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,4 +24,5 @@ This article describes best practices to be followed while using Azure VM Image
2424
- **Image Template**: A principal that has access to your image template is able to run, delete, or tamper with it. Having this access, in turn, allows the principal to change the images created by that image template.
2525
- **Staging Resource Group**: AIB uses a staging resource group in your subscription to customize your VM image. You must consider this resource group as sensitive and restrict access to this resource group only to required principals. Since the process of customizing your image takes place in this resource group, a principal with access to the resource group is able to compromise the image building process - for example, by injecting malware into the image. AIB also delegates privileges associated with the Template identity and Build VM identity to resources in this resource group. Hence, a principal with access to the resource group is able to get access to these identities. Further, AIB maintains a copy of your customizer artifacts in this resource group. Hence, a principal with access to the resource group is able to inspect these copies.
2626
- **Template Identity**: A principal with access to your template identity is able to access all resources that the identity has permissions for. This includes your customizer artifacts (for example, shell and PowerShell scripts), your distribution targets (for example, an Azure Compute Gallery image version), and your Virtual Network. Hence, you must provide only the minimum required privileges to this identity.
27-
- **Build VM Identity**: A principal with access to your build VM identity is able to access all resources that the identity has permissions for. This includes any artifacts and Virtual Network that you might be using from within the Build VM using this identity. Hence, you must provide only the minimum required privileges to this identity.
27+
- **Build VM Identity**: A principal with access to your build VM identity is able to access all resources that the identity has permissions for. This includes any artifacts and Virtual Network that you might be using from within the Build VM using this identity. Hence, you must provide only the minimum required privileges to this identity.
28+
- If you're distributing to Azure Compute Gallery (ACG), then also follow [best practices for ACG resources](azure-compute-gallery.md#best-practices).

0 commit comments

Comments
 (0)