Azure Kubernetes Service (AKS) 的 Azure Policy 法规遵从性控制措施Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS)

Azure Policy 中的法规符合性为与不同符合性标准相关的“符合域”和“安全控制措施”提供 Azure 创建和管理的计划定义,称为“内置” 。Regulatory Compliance in Azure Policy provides Azure created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. 此页列出 Azure Kubernetes Service (AKS) 的“符合域”和“安全控制措施” 。This page lists the compliance domains and security controls for Azure Kubernetes Service (AKS). 可以分别为“安全控件”分配内置项,以帮助 Azure 资源符合特定的标准。You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

每个内置策略定义链接(指向 Azure 门户中的策略定义)的标题。The title of each built-in policy definition links to the policy definition in the Azure portal. 使用“策略版本”列中的链接查看 Azure Policy GitHub 存储库上的源。Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

重要

下面的每个控件都与一个或多个 Azure Policy 定义关联。Each control below is associated with one or more Azure Policy definitions. 这些策略有助于评估控制的合规性;但是,控制与一个或多个策略之间通常不是一对一或完全匹配。These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. 因此,Azure Policy 中的符合性仅引用策略本身;这不确保你完全符合控件的所有要求。As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. 此外,符合性标准包含目前未由任何 Azure Policy 定义处理的控件。In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. 因此,Azure Policy 中的符合性只是整体符合性状态的部分视图。Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. 这些符合性标准的控制措施和 Azure Policy 法规符合性定义之间的关联可能会随着时间的推移而发生变化。The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure 安全基准Azure Security Benchmark

Azure 安全基准提供有关如何在 Azure 上保护云解决方案的建议。The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. 若要查看此服务如何完全映射到 Azure 安全基准,请参阅 Azure 安全基准映射文件To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

Domain 控制 IDControl ID 控制标题Control Title 策略Policy
(Azure 门户)(Azure portal)
Policy 版本Policy Version
(GitHub)(GitHub)
网络安全Network Security 1.11.1 在虚拟网络上使用网络安全组或 Azure 防火墙来保护资源Protect resources using Network Security Groups or Azure Firewall on your Virtual Network 应在 Kubernetes 服务上定义经授权的 IP 范围Authorized IP ranges should be defined on Kubernetes Services 1.0.1-preview1.0.1-preview
数据保护Data Protection 4.64.6 使用 Azure RBAC 控制对资源的访问Use Azure RBAC to control access to resources 应在 Kubernetes 服务中使用基于角色的访问控制 (RBAC)Role-Based Access Control (RBAC) should be used on Kubernetes Services 1.0.1-preview1.0.1-preview
漏洞管理Vulnerability Management 5.35.3 部署第三方软件修补程序自动化管理解决方案Deploy automated third-party software patch management solution Kubernetes 服务应升级到不易受攻击的 Kubernetes 版本Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version 1.0.1-preview1.0.1-preview
安全配置Secure Configuration 7.37.3 维护安全的 Azure 资源配置Maintain secure Azure resource configurations [预览]:应在 Kubernetes 服务上定义 Pod 安全策略[Preview]: Pod Security Policies should be defined on Kubernetes Services 1.0.0-preview1.0.0-preview
安全配置Secure Configuration 7.97.9 针对 Azure 服务实现自动化配置监视Implement automated configuration monitoring for Azure services [预览]:应在 Kubernetes 服务上定义 Pod 安全策略[Preview]: Pod Security Policies should be defined on Kubernetes Services 1.0.0-preview1.0.0-preview

CIS Azure 基础基准检验CIS Azure Foundations Benchmark

有关此符合性标准的详细信息,请参阅 CIS Azure 基础基准检验For more information about this compliance standard, see CIS Azure Foundations Benchmark.

Domain 控制 IDControl ID 控制标题Control Title 策略Policy
(Azure 门户)(Azure portal)
Policy 版本Policy Version
(GitHub)(GitHub)
其他安全注意事项Other Security Considerations 8.58.5 在 Azure Kubernetes 服务中启用基于角色的访问控制 (RBAC)Enable role-based access control (RBAC) within Azure Kubernetes Services 应在 Kubernetes 服务中使用基于角色的访问控制 (RBAC)Role-Based Access Control (RBAC) should be used on Kubernetes Services 1.0.1-preview1.0.1-preview

NIST SP 800-171 R2NIST SP 800-171 R2

有关此符合性标准的详细信息,请参阅 NIST SP 800-171 R2For more information about this compliance standard, see NIST SP 800-171 R2.

Domain 控制 IDControl ID 控制标题Control Title 策略Policy
(Azure 门户)(Azure portal)
Policy 版本Policy Version
(GitHub)(GitHub)
系统和信息完整性System and Information Integrity 3.14.13.14.1 及时识别、报告和更正系统缺陷。Identify, report, and correct system flaws in a timely manner. Kubernetes 服务应升级到不易受攻击的 Kubernetes 版本Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version 1.0.1-preview1.0.1-preview

后续步骤Next steps