Roles, permissions, and security in Azure Monitor

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Many teams need to strictly regulate access to monitoring data and settings. For example, if you have team members who work exclusively on monitoring (support engineers, DevOps engineers), or if you use a managed service provider, you may want to grant them access to only monitoring data while restricting their ability to create, modify, or delete resources. This article shows how to quickly apply a built-in monitoring Azure role to a user in Azure, or build your own custom role for a user who needs limited monitoring permissions. It then discusses security considerations for your Azure Monitor-related resources and how you can limit access to the data they contain.

Built-in monitoring roles

Azure Monitor's built-in roles are designed to help limit access to resources in a subscription while still enabling those responsible for monitoring infrastructure to obtain and configure the data they need. Azure Monitor provides two out-of-the-box roles: Monitoring Reader and Monitoring Contributor.

Monitoring Reader

People assigned the Monitoring Reader role can view all monitoring data in a subscription but cannot modify any resource or edit any settings related to monitoring resources. This role is appropriate for users in an organization, such as support or operations engineers, who need to be able to:

  • View monitoring dashboards in the portal and create their own private monitoring dashboards.
  • View alert rules defined in Azure Alerts.
  • Query for metrics using the Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
  • Query the Activity Log using the portal, Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
  • View the diagnostic settings for a resource.
  • View the log profile for a subscription.
  • View autoscale settings.
  • View alert activity and settings.
  • Access Application Insights data and view data in AI Analytics.
  • Search Log Analytics workspace data, including usage data for the workspace.
  • View Log Analytics management groups.
  • Retrieve the search schema in a Log Analytics workspace.
  • List monitoring packs in a Log Analytics workspace.
  • Retrieve and execute saved searches in a Log Analytics workspace.
  • Retrieve the Log Analytics workspace storage configuration.

Note

This role does not give read access to log data that has been streamed to an event hub or stored in a storage account. See below for information on configuring access to these resources.

Monitoring Contributor

People assigned the Monitoring Contributor role can view all monitoring data in a subscription and create or modify monitoring settings, but cannot modify any other resources. This role is a superset of the Monitoring Reader role, and is appropriate for members of an organization's monitoring team or managed service providers who, in addition to the permissions above, also need to be able to:

  • Publish monitoring dashboards as a shared dashboard.
  • Set diagnostic settings for a resource.*
  • Set the log profile for a subscription.*
  • Set alert rule activity and settings via Azure Alerts.
  • Create Application Insights web tests and components.
  • List Log Analytics workspace shared keys.
  • Enable or disable monitoring packs in a Log Analytics workspace.
  • Create, delete, and execute saved searches in a Log Analytics workspace.
  • Create and delete the Log Analytics workspace storage configuration.

*The user must also separately be granted the ListKeys permission on the target resource (storage account or event hub namespace) to set a log profile or diagnostic setting.

Note

This role does not give read access to log data that has been streamed to an event hub or stored in a storage account. See below for information on configuring access to these resources.

Monitoring permissions and Azure custom roles

If the above built-in roles don't meet the exact needs of your team, you can create an Azure custom role with more granular permissions. Below are the common Azure Monitor RBAC operations with their descriptions.

Operation | Description
Microsoft.Insights/ActionGroups/[Read, Write, Delete] | Read/write/delete action groups.
Microsoft.Insights/ActivityLogAlerts/[Read, Write, Delete] | Read/write/delete activity log alerts.
Microsoft.Insights/AlertRules/[Read, Write, Delete] | Read/write/delete alert rules (from alerts classic).
Microsoft.Insights/AlertRules/Incidents/Read | List incidents (history of the alert rule being triggered) for alert rules. This only applies to the portal.
Microsoft.Insights/AutoscaleSettings/[Read, Write, Delete] | Read/write/delete autoscale settings.
Microsoft.Insights/DiagnosticSettings/[Read, Write, Delete] | Read/write/delete diagnostic settings.
Microsoft.Insights/EventCategories/Read | Enumerate all categories possible in the Activity Log. Used by the Azure portal.
Microsoft.Insights/eventtypes/digestevents/Read | This permission is necessary for users who need access to Activity Logs via the portal.
Microsoft.Insights/eventtypes/values/Read | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log.
Microsoft.Insights/ExtendedDiagnosticSettings/[Read, Write, Delete] | Read/write/delete diagnostic settings for network flow logs.
Microsoft.Insights/LogDefinitions/Read | This permission is necessary for users who need access to Activity Logs via the portal.
Microsoft.Insights/LogProfiles/[Read, Write, Delete] | Read/write/delete log profiles (streaming the Activity Log to an event hub or storage account).
Microsoft.Insights/MetricAlerts/[Read, Write, Delete] | Read/write/delete near real-time metric alerts.
Microsoft.Insights/MetricDefinitions/Read | Read metric definitions (list of available metric types for a resource).
Microsoft.Insights/Metrics/Read | Read metrics for a resource.
Microsoft.Insights/Register/Action | Register the Azure Monitor resource provider.
Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] | Read/write/delete log alerts in Azure Monitor.

Note

Access to alerts, diagnostic settings, and metrics for a resource requires that the user has Read access to the resource type and scope of that resource. Creating ("write") a diagnostic setting or log profile that archives to a storage account or streams to event hubs requires the user to also have the ListKeys permission on the target resource.

For example, using the above table you could create an Azure custom role for an "Activity Log Reader" like this:

# Start from the built-in Reader definition and turn it into a new custom role
$role = Get-AzRoleDefinition "Reader"
$role.Id = $null                      # a null Id makes New-AzRoleDefinition create a new role instead of updating Reader
$role.Name = "Activity Log Reader"
$role.Description = "Can view activity logs."
$role.Actions.Clear()                 # drop Reader's */read wildcard
$role.Actions.Add("Microsoft.Insights/eventtypes/*")   # covers eventtypes/values/Read and eventtypes/digestevents/Read from the table
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/mySubscription")
New-AzRoleDefinition -Role $role

Security considerations for monitoring data

Monitoring data, particularly log files, can contain sensitive information such as IP addresses or user names. Monitoring data from Azure comes in three basic forms:

  1. The Activity Log, which describes all control-plane actions on your Azure subscription.
  2. Resource logs, which are logs emitted by a resource.
  3. Metrics, which are emitted by resources.

All three of these data types can be stored in a storage account or streamed to an event hub, both of which are general-purpose Azure resources. Because these are general-purpose resources, creating, deleting, and accessing them is a privileged operation reserved for an administrator. We suggest that you use the following practices for monitoring-related resources to prevent misuse:

  • Use a single, dedicated storage account for monitoring data. If you need to separate monitoring data into multiple storage accounts, never share a storage account between monitoring and non-monitoring data, as this may inadvertently give those who only need access to monitoring data (for example, a third-party SIEM) access to non-monitoring data.
  • Use a single, dedicated Service Bus or Event Hub namespace across all diagnostic settings, for the same reason as above.
  • Limit access to monitoring-related storage accounts or event hubs by keeping them in a separate resource group, and use scope on your monitoring roles to limit access to only that resource group.
  • Never grant the ListKeys permission for either storage accounts or event hubs at subscription scope when a user only needs access to monitoring data. Instead, give these permissions to the user at a resource or resource group (if you have a dedicated monitoring resource group) scope.
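As an added example (not from the article), the following PowerShell audit lists which principals hold a ListKeys action on storage accounts or event hub namespaces at subscription scope or above, which is the grant the last practice above says to avoid; it assumes an authenticated Az session with Reader on the subscription and uses only Az.Resources cmdlets.

```powershell
# Added example, not from the article: find ListKeys grants at subscription scope or above.
# Assumes an authenticated Az session (Connect-AzAccount); everything here is read-only.
$subscriptionScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Key-listing operations that should only be granted at resource or resource-group scope.
$keyActions = @(
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.ServiceBus/namespaces/authorizationrules/listkeys/action",
    "Microsoft.EventHub/namespaces/authorizationrules/listkeys/action"
)

function Test-ActionGranted {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Operation)
    # RBAC action strings are case-insensitive wildcard patterns, so -like evaluates them;
    # a matching NotAction removes the grant again.
    $allowed = @($Actions    | Where-Object { $Operation -like $_ })
    $denied  = @($NotActions | Where-Object { $Operation -like $_ })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

$definitions = @{}   # cache role definitions by id to avoid a lookup per assignment
$findings = foreach ($assignment in Get-AzRoleAssignment -Scope $subscriptionScope) {
    # -Scope returns assignments made at this scope plus those inherited from management
    # groups; both are broader than the resource-group scope the guidance asks for.
    $id = $assignment.RoleDefinitionId
    if (-not $definitions.ContainsKey($id)) { $definitions[$id] = Get-AzRoleDefinition -Id $id }
    $definition = $definitions[$id]
    foreach ($op in $keyActions) {
        if (Test-ActionGranted $definition.Actions $definition.NotActions $op) {
            [pscustomobject]@{
                Principal = $assignment.DisplayName
                Type      = $assignment.ObjectType
                Role      = $definition.Name
                Scope     = $assignment.Scope
                Operation = $op
            }
        }
    }
}

# Built-in Owner and Contributor match through their "*" action and are expected for
# administrators; review any other principal listed and move its grant down to the resource group.
$findings | Sort-Object Principal, Operation | Format-Table -AutoSize
```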

When a user or application needs access to monitoring data in a storage account, you should generate an Account SAS on the storage account that contains monitoring data, with read-only access to the blob service. In PowerShell, this might look like:

$context = New-AzStorageContext -Environment AzureChinaCloud -ConnectionString "[connection string for your monitoring Storage Account]"
# Service, Container and Object resource types are all needed to list containers, list blobs and read blob content;
# "rl" grants read and list only. Set the lifetime explicitly rather than relying on the cmdlet default.
$token = New-AzStorageAccountSASToken -ResourceType Service,Container,Object -Service Blob -Permission "rl" -ExpiryTime (Get-Date).AddDays(7) -Context $context

You can then give the token to the entity that needs to read from that storage account, and it can list and read all blobs in that storage account.
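As an added example (not the article's own code), minting that read/list account SAS with an explicit lifetime and HTTPS-only transport, then checking from the consumer side that the token can read but cannot write; the account name "mymonitoringsa" and the key placeholder are assumptions.

```powershell
# Added example, not from the article. Assumed: monitoring account "mymonitoringsa" in
# AzureChinaCloud; the key value is a placeholder held only by the administrator.
$accountName = "mymonitoringsa"
$accountKey  = "<primary key obtained via ListKeys>"

# Administrator side: a key-backed context used only to mint the SAS.
$adminContext = New-AzStorageContext -StorageAccountName $accountName `
    -StorageAccountKey $accountKey -Environment AzureChinaCloud

# Blob service only (no queue/table/file); Service+Container+Object so the holder can list
# containers, list blobs and read blob content; "rl" = read + list; HTTPS only; short lifetime
# with a small start-time skew allowance.
$sasToken = New-AzStorageAccountSASToken -Context $adminContext `
    -Service Blob `
    -ResourceType Service,Container,Object `
    -Permission "rl" `
    -Protocol HttpsOnly `
    -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddDays(7)

# Consumer side (for example a SIEM collector): a context built from the SAS alone, no key.
$readerContext = New-AzStorageContext -StorageAccountName $accountName `
    -SasToken $sasToken -Environment AzureChinaCloud

# Read path works: enumerate containers and count the blobs in each.
foreach ($container in Get-AzStorageContainer -Context $readerContext) {
    $blobCount = @(Get-AzStorageBlob -Container $container.Name -Context $readerContext).Count
    "{0}: {1} blobs" -f $container.Name, $blobCount
}

# Write path must fail: an upload with this token should be rejected by the service.
$probe = New-TemporaryFile
try {
    Set-AzStorageBlobContent -File $probe.FullName -Container "sas-probe" `
        -Blob "probe.txt" -Context $readerContext -ErrorAction Stop
    Write-Warning "SAS allowed a write; review its permissions before handing it out."
} catch {
    "Write correctly rejected: $($_.Exception.Message)"
} finally {
    Remove-Item $probe.FullName -ErrorAction SilentlyContinue
}
```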

Alternatively, if you need to control this permission with RBAC, you can grant that entity the Microsoft.Storage/storageAccounts/listkeys/action permission on that particular storage account. This is necessary for users who need to be able to set a diagnostic setting or log profile to archive to a storage account. For example, you could create the following Azure custom role for a user or application that only needs to read from one storage account:

$role = Get-AzRoleDefinition "Reader"
$role.Id = $null                      # create a new role rather than modifying Reader
$role.Name = "Monitoring Storage Account Reader"
$role.Description = "Can get the storage account keys for a monitoring storage account."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/storageAccounts/listkeys/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/Read")
$role.AssignableScopes.Clear()
# Scope the role to the single monitoring storage account, not the subscription
$role.AssignableScopes.Add("/subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myMonitoringStorageAccount")
New-AzRoleDefinition -Role $role

Warning

The ListKeys permission enables the user to list the primary and secondary storage account keys. These keys grant the user all signed permissions (read, write, create blobs, delete blobs, etc.) across all signed services (blob, queue, table, file) in that storage account. We recommend using an Account SAS as described above when possible.

A similar pattern can be followed with event hubs, but first you need to create a dedicated Listen authorization rule. If you want to grant access to an application that only needs to listen to monitoring-related event hubs, do the following:

  1. Create a shared access policy on the event hub(s) that were created for streaming monitoring data, with only Listen claims. This can be done in the portal. For example, you might call it "monitoringReadOnly". If possible, you will want to give that key directly to the consumer and skip the next step.

  2. If the consumer needs to be able to get the key ad hoc, grant the user the ListKeys action for that event hub. This is also necessary for users who need to be able to set a diagnostic setting or log profile to stream to event hubs. For example, you might create an RBAC rule:

    $role = Get-AzRoleDefinition "Reader"
    $role.Id = $null                      # create a new role rather than modifying Reader
    $role.Name = "Monitoring Event Hub Listener"
    $role.Description = "Can get the key to listen to an event hub streaming monitoring data."
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.ServiceBus/namespaces/authorizationrules/listkeys/action")
    $role.Actions.Add("Microsoft.ServiceBus/namespaces/Read")
    $role.AssignableScopes.Clear()
    # Scope the role to the single namespace that carries monitoring data
    $role.AssignableScopes.Add("/subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.ServiceBus/namespaces/mySBNameSpace")
    New-AzRoleDefinition -Role $role
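As an added example (not from the article), the Listen-only policy from step 1 created with the Az.EventHub cmdlets instead of the portal, checked for rights beyond Listen, and its hub-scoped key retrieved as the consumer in step 2 would; the resource group, namespace, the hub name "insights-operational-logs" and the policy name are assumptions, and the cmdlet parameter names are those of the Az.EventHub module (check Get-Help if your module version names them differently).

```powershell
# Added example, not from the article. Assumed names below; requires Az.EventHub and an
# authenticated session with rights to manage the namespace.
$rg        = "myResourceGroup"
$namespace = "mySBNameSpace"
$hub       = "insights-operational-logs"   # assumed name of the hub receiving monitoring data
$policy    = "monitoringReadOnly"

# Step 1 equivalent: an authorization rule scoped to the single hub, with Listen only.
$rule = New-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $namespace `
    -EventHubName $hub -Name $policy -Rights @("Listen")

# Defender check: refuse to continue if the rule carries Send or Manage as well.
$extra = @($rule.Rights | Where-Object { $_ -ne "Listen" })
if ($extra.Count -gt 0) {
    throw "Policy '$policy' grants $($extra -join ', ') in addition to Listen; fix before use."
}

# Hand the consumer this hub-scoped connection string, never the namespace
# RootManageSharedAccessKey, which would allow sending and managing every hub.
$keys = Get-AzEventHubKey -ResourceGroupName $rg -NamespaceName $namespace `
    -EventHubName $hub -Name $policy
$keys.PrimaryConnectionString
```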
    

Monitoring within a secured Virtual Network

Azure Monitor needs access to your Azure resources to provide the services you enable. If you would like to monitor your Azure resources while still securing them from access from the public Internet, you can enable the following settings.

Secured Storage Accounts

Monitoring data is often written to a storage account. You may want to make sure that the data copied to a storage account cannot be accessed by unauthorized users. For additional security, you can lock down network access so that only your authorized resources and trusted Microsoft services can reach a storage account, by restricting the storage account to use "selected networks". Azure Monitor is considered one of these "trusted Microsoft services". If you allow trusted Microsoft services to access your secured storage, Azure Monitor will have access to your secured storage account, enabling Azure Monitor resource logs, the activity log, and metrics to be written to your storage account under these protected conditions. This will also enable Log Analytics to read logs from secured storage.

For more information, see Network security and Azure Storage.

Next steps