Control: 2.12 Ensure that authorization for Docker client commands is enabled


You should use native Docker authorization plugins or a third party authorization mechanism with the Docker daemon to manage access to Docker client commands.

Docker’s out-of-the-box authorization model is currently "all or nothing". This means that any user with permission to access the Docker daemon can run any Docker client command. The same is true for remote users accessing Docker’s API to contact the daemon. If you require greater access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies for managing access to the Docker daemon.

Third party integrations of Docker may implement their own authorization models to require authorization with the Docker daemon outside of docker's native authorization plugin (i.e. Kubernetes, Cloud Foundry, Openshift).


Step 1: Install/Create an authorization plugin. Step 2: Configure the authorization policy as desired. Step 3: Start the docker daemon as below:

dockerd --authorization-plugin=<PLUGIN_ID>

Default Value

By default, authorization plugins are not set up.


Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_12 --share


This control uses a named query: