Security controls for API Management

This article documents the security controls built into Azure API Management.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, "Yes" or "No" indicates whether it is currently in place for the service, and "N/A" marks a control that does not apply to the service. Where useful, a note or a link to more information about the control is also provided.

Network

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Service endpoint support | No | | |
| VNet injection support | Yes | | |
| Network isolation and firewalling support | Yes | Isolation is provided by network security groups (NSGs); firewalling by Azure Application Gateway (or another software appliance). | |
| Forced tunneling support | Yes | Forced tunneling is provided by Azure networking. | |

Monitoring & logging

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | | |
| Control and management plane logging and audit | Yes | Azure Monitor activity logs. | |
| Data plane logging and audit | Yes | Azure Monitor diagnostic logs and, optionally, Azure Application Insights. | |

Identity

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Authentication | Yes | | |
| Authorization | Yes | | |

Data protection

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Server-side encryption at rest: Microsoft-managed keys | Yes | Sensitive data such as certificates, keys, and secret named values are encrypted with service-managed keys that are unique to each service instance. | |
| Server-side encryption at rest: customer-managed keys (BYOK) | No | All encryption keys are per service instance and service managed. | |
| Column level encryption (Azure Data Services) | N/A | | |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-to-VNet encryption) | Yes | ExpressRoute and VNet encryption are provided by Azure networking. | |
| API calls encrypted | Yes | Management plane calls are made through Azure Resource Manager over TLS and require a valid JSON Web Token (JWT). Data plane calls can be secured with TLS and one of the supported authentication mechanisms (for example, a client certificate or a JWT). | |
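The table states that data plane calls can be secured with TLS plus a client certificate or a JWT, but does not show how that is configured. The following API Management inbound policy is an added example, not code from the original page or from Microsoft's documentation: it rejects calls that do not present a verifiable client certificate and then validates the bearer JWT against an OpenID Connect metadata endpoint. The tenant ID, application ID, issuer, and required scope value are placeholders that are assumed for illustration.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example policy, not from the original page. -->
        <!-- Step 1: require a client certificate that chains to a trusted CA.
             context.Request.Certificate is null when the client sent none. -->
        <choose>
            <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
                <return-response>
                    <set-status code="403" reason="Invalid client certificate" />
                </return-response>
            </when>
        </choose>
        <!-- Step 2: validate the bearer JWT. Signing keys are fetched from the
             jwks_uri published in the OpenID configuration document.
             {tenant-id}, {app-id} and the scope value are placeholders. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <audiences>
                <audience>api://{app-id}</audience>
            </audiences>
            <required-claims>
                <!-- Reject tokens that are valid for the tenant but not for this API. -->
                <claim name="scp" match="any">
                    <value>orders.read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two caveats when applying a policy like this: the gateway only hands a client certificate to the policy if certificate negotiation is enabled on the custom hostname the call arrives on, so the certificate check silently passes nothing through (and therefore rejects everything) until that is configured; and `validate-jwt` checks signature, expiry, issuer, and audience, so the `required-claims` block is what ties the token to this specific API rather than to any application in the tenant.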

Configuration management

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Configuration management support (versioning of configuration, etc.) | Yes | Using the Azure API Management DevOps Resource Kit. | |

Vulnerability scan false positives

This section documents common vulnerabilities that scanners may report but that do not affect Azure API Management.

| Vulnerability | Description |
|---|---|
| Ticketbleed (CVE-2016-9244) | Ticketbleed is a vulnerability in the implementation of the TLS SessionTicket extension found in some F5 products. It allows the leakage ("bleeding") of up to 31 bytes of data from uninitialized memory. It is caused by the TLS stack padding the session ID supplied by the client with uninitialized data to make it 32 bytes long, so a client that sends a 1-byte session ID receives 31 bytes of server memory back. |