Get started with roles, permissions, and security with Azure Monitor

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Many teams need to strictly regulate access to monitoring data and settings. For example, if you have team members who work exclusively on monitoring (support engineers, DevOps engineers) or if you use a managed service provider, you may want to grant them access to only monitoring data while restricting their ability to create, modify, or delete resources. This article shows how to quickly apply a built-in monitoring RBAC role to a user in Azure or build your own custom role for a user who needs limited monitoring permissions. It then discusses security considerations for your Azure Monitor-related resources and how you can limit access to the data they contain.

Built-in monitoring roles

Azure Monitor's built-in roles are designed to help limit access to resources in a subscription while still enabling those responsible for monitoring infrastructure to obtain and configure the data they need. Azure Monitor provides two out-of-the-box roles: Monitoring Reader and Monitoring Contributor.

Monitoring Reader

People assigned the Monitoring Reader role can view all monitoring data in a subscription but cannot modify any resource or edit any settings related to monitoring resources. This role is appropriate for users in an organization, such as support or operations engineers, who need to be able to:

  • View monitoring dashboards in the portal and create their own private monitoring dashboards.
  • View alert rules defined in Azure Alerts.
  • Query for metrics using the Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
  • Query the Activity Log using the portal, Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
  • View the diagnostic settings for a resource.
  • View the log profile for a subscription.
  • View autoscale settings.
  • View alert activity and settings.
  • Access Application Insights data and view data in AI Analytics.
  • Search Log Analytics workspace data, including usage data for the workspace.
  • View Log Analytics management groups.
  • Retrieve the search schema in a Log Analytics workspace.
  • List monitoring packs in a Log Analytics workspace.
  • Retrieve and execute saved searches in a Log Analytics workspace.
  • Retrieve the Log Analytics workspace storage configuration.

Note

This role does not give read access to log data that has been streamed to an event hub or stored in a storage account. See below for information on configuring access to these resources.

Monitoring Contributor

People assigned the Monitoring Contributor role can view all monitoring data in a subscription and create or modify monitoring settings, but cannot modify any other resources. This role is a superset of the Monitoring Reader role, and is appropriate for members of an organization's monitoring team or managed service providers who, in addition to the permissions above, also need to be able to:

  • Publish monitoring dashboards as a shared dashboard.
  • Set diagnostic settings for a resource. *
  • Set the log profile for a subscription. *
  • Set alert rules activity and settings via Azure Alerts.
  • Create Application Insights web tests and components.
  • List Log Analytics workspace shared keys.
  • Enable or disable monitoring packs in a Log Analytics workspace.
  • Create, delete, and execute saved searches in a Log Analytics workspace.
  • Create and delete the Log Analytics workspace storage configuration.

* The user must also separately be granted the ListKeys permission on the target resource (storage account or event hub namespace) to set a log profile or diagnostic setting.

Note

This role does not give read access to log data that has been streamed to an event hub or stored in a storage account. See below for information on configuring access to these resources.

Monitoring permissions and custom RBAC roles

If the above built-in roles don't meet the exact needs of your team, you can create a custom RBAC role with more granular permissions. Below are the common Azure Monitor RBAC operations with their descriptions.

Operation | Description
Microsoft.Insights/ActionGroups/[Read, Write, Delete] | Read/write/delete action groups.
Microsoft.Insights/ActivityLogAlerts/[Read, Write, Delete] | Read/write/delete activity log alerts.
Microsoft.Insights/AlertRules/[Read, Write, Delete] | Read/write/delete alert rules (from alerts classic).
Microsoft.Insights/AlertRules/Incidents/Read | List incidents (history of the alert rule being triggered) for alert rules. This only applies to the portal.
Microsoft.Insights/AutoscaleSettings/[Read, Write, Delete] | Read/write/delete autoscale settings.
Microsoft.Insights/DiagnosticSettings/[Read, Write, Delete] | Read/write/delete diagnostic settings.
Microsoft.Insights/EventCategories/Read | Enumerate all categories possible in the Activity Log. Used by the Azure portal.
Microsoft.Insights/eventtypes/digestevents/Read | This permission is necessary for users who need access to Activity Logs via the portal.
Microsoft.Insights/eventtypes/values/Read | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log.
Microsoft.Insights/ExtendedDiagnosticSettings/[Read, Write, Delete] | Read/write/delete diagnostic settings for network flow logs.
Microsoft.Insights/LogDefinitions/Read | This permission is necessary for users who need access to Activity Logs via the portal.
Microsoft.Insights/LogProfiles/[Read, Write, Delete] | Read/write/delete log profiles (streaming the Activity Log to an event hub or storage account).
Microsoft.Insights/MetricAlerts/[Read, Write, Delete] | Read/write/delete near real-time metric alerts.
Microsoft.Insights/MetricDefinitions/Read | Read metric definitions (list of available metric types for a resource).
Microsoft.Insights/Metrics/Read | Read metrics for a resource.
Microsoft.Insights/Register/Action | Register the Azure Monitor resource provider.
Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] | Read/write/delete log alerts in Azure Monitor.

Note

Access to alerts, diagnostic settings, and metrics for a resource requires that the user has Read access to the resource type and scope of that resource. Creating ("write") a diagnostic setting or log profile that archives to a storage account or streams to event hubs requires the user to also have the ListKeys permission on the target resource.

For example, using the above table you could create a custom RBAC role for an "Activity Log Reader" like this:

$role = Get-AzRoleDefinition "Reader"
$role.Id = $null
$role.Name = "Activity Log Reader"
$role.Description = "Can view activity logs."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Insights/eventtypes/*")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/mySubscription")
New-AzRoleDefinition -Role $role 
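The same pattern generalises to any read-only monitoring role. The following PowerShell is an added example, not code from the original article: it builds a custom role from the Read operations in the table above, refuses to create the role if any Write, Delete or Action operation has slipped into the list, and assigns the role at resource-group rather than subscription scope. The subscription ID, resource-group name, role name and sign-in name are placeholders. As the note above states, the principal still needs Read access to the monitored resources themselves (for example, the built-in Reader role at the same scope) before it can see their alerts, diagnostic settings and metrics.

```powershell
# Added example (not from the original article). Placeholders: mySubscription,
# myMonitoringRG, the role name and the sign-in name.

# Read operations taken from the table above; nothing else belongs in a reader role.
$readerActions = @(
    "Microsoft.Insights/ActionGroups/Read",
    "Microsoft.Insights/ActivityLogAlerts/Read",
    "Microsoft.Insights/AlertRules/Read",
    "Microsoft.Insights/AlertRules/Incidents/Read",
    "Microsoft.Insights/AutoscaleSettings/Read",
    "Microsoft.Insights/DiagnosticSettings/Read",
    "Microsoft.Insights/EventCategories/Read",
    "Microsoft.Insights/eventtypes/digestevents/Read",
    "Microsoft.Insights/eventtypes/values/Read",
    "Microsoft.Insights/LogDefinitions/Read",
    "Microsoft.Insights/LogProfiles/Read",
    "Microsoft.Insights/MetricAlerts/Read",
    "Microsoft.Insights/MetricDefinitions/Read",
    "Microsoft.Insights/Metrics/Read",
    "Microsoft.Insights/ScheduledQueryRules/Read"
)

# Guard: fail before anything is created if a non-read operation is present.
$nonRead = $readerActions | Where-Object { $_ -notmatch '/Read$' }
if ($nonRead) {
    throw "Non-read operations in a reader role: $($nonRead -join ', ')"
}

# Scope the role to the monitoring resource group, not the whole subscription.
$scope = "/subscriptions/mySubscription/resourceGroups/myMonitoringRG"   # placeholder

$role = Get-AzRoleDefinition "Reader"
$role.Id = $null
$role.Name = "Monitoring Settings Reader"
$role.Description = "Can read alert, diagnostic, log profile and metric settings. No write or delete."
$role.Actions.Clear()
foreach ($action in $readerActions) { $role.Actions.Add($action) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
$definition = New-AzRoleDefinition -Role $role

# Assign to one principal at that scope (sign-in name is a placeholder).
$user = "monitoring.reader@example.com"
New-AzRoleAssignment -SignInName $user -RoleDefinitionName $definition.Name -Scope $scope

# Verify what the principal actually holds at the scope.
Get-AzRoleAssignment -SignInName $user -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

Keeping the operation list in one variable and checking it with a regular expression before calling New-AzRoleDefinition makes it hard to widen the role by accident during a later edit; the final Get-AzRoleAssignment lists the assignment so that the scope can be confirmed in the same session.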

Security considerations for monitoring data

Monitoring data, particularly log files, can contain sensitive information such as IP addresses or user names. Monitoring data from Azure comes in three basic forms:

  1. The Activity Log, which describes all control-plane actions on your Azure subscription.
  2. Diagnostic Logs, which are logs emitted by a resource.
  3. Metrics, which are emitted by resources.

All three of these data types can be stored in a storage account or streamed to an event hub, both of which are general-purpose Azure resources. Because these are general-purpose resources, creating, deleting, and accessing them is a privileged operation reserved for an administrator. We suggest that you use the following practices for monitoring-related resources to prevent misuse:

  • Use a single, dedicated storage account for monitoring data. If you need to separate monitoring data into multiple storage accounts, never share usage of a storage account between monitoring and non-monitoring data, as this may inadvertently give those who only need access to monitoring data (for example, a third-party SIEM) access to non-monitoring data.
  • Use a single, dedicated Service Bus or Event Hub namespace across all diagnostic settings, for the same reason as above.
  • Limit access to monitoring-related storage accounts or event hubs by keeping them in a separate resource group, and use scope on your monitoring roles to limit access to only that resource group.
  • Never grant the ListKeys permission for either storage accounts or event hubs at subscription scope when a user only needs access to monitoring data. Instead, give these permissions to the user at a resource or resource group (if you have a dedicated monitoring resource group) scope.

When a user or application needs access to monitoring data in a storage account, you should generate an Account SAS on the storage account that contains monitoring data with service-level read-only access to blob storage. In PowerShell, this might look like:

$context = New-AzStorageContext -Environment AzureChinaCloud -ConnectionString "[connection string for your monitoring Storage Account]"
$token = New-AzStorageAccountSASToken -ResourceType Service -Service Blob -Permission "rl" -Context $context

You can then give the token to the entity that needs to read from that storage account, and it can list and read from all blobs in that storage account.
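A token handed to a third party is worth constraining further than the two-line snippet above shows. The following PowerShell is an added example, not code from the original article: it issues the same read/list-only Account SAS but with an explicit start and expiry time, HTTPS-only transport and a caller IP range, checks the token's query parameters before it is released, and shows how the consumer uses it. It goes beyond the original in one more respect: it requests the Container and Object resource types as well as Service, because listing blobs within a container and reading blob contents are container- and object-level operations in the Account SAS model. The connection string, IP range, lifetime and account name are placeholders.

```powershell
# Added example (not from the original article). Placeholders: the connection
# string, the IP range, the eight-hour lifetime and the storage account name.

$context = New-AzStorageContext -Environment AzureChinaCloud `
    -ConnectionString "[connection string for your monitoring Storage Account]"

# Bound the token in time: issue it now and let it lapse after one shift (placeholder lifetime).
$start  = (Get-Date).ToUniversalTime()
$expiry = $start.AddHours(8)

# Read (r) and list (l) only, blob service only, HTTPS only, from one address range only.
# Service + Container + Object resource types are needed to list and read blobs, not just containers.
$token = New-AzStorageAccountSASToken -Service Blob `
    -ResourceType Service,Container,Object `
    -Permission "rl" `
    -Protocol HttpsOnly `
    -IPAddressOrRange "203.0.113.0-203.0.113.255" `
    -StartTime $start -ExpiryTime $expiry `
    -Context $context

# Release check: parse the SAS query string and refuse to hand it out if it is wider than intended.
$params = @{}
foreach ($pair in $token.TrimStart('?').Split('&')) {
    $key, $value = $pair.Split('=', 2)
    $params[$key] = [uri]::UnescapeDataString($value)
}
$grantedPermissions = ($params['sp'].ToCharArray() | Sort-Object) -join ''
if ($grantedPermissions -ne 'lr')    { throw "SAS grants more than read/list: sp=$($params['sp'])" }
if ($params['spr'] -ne 'https')      { throw "SAS is not restricted to HTTPS" }
if (-not $params['se'])              { throw "SAS has no expiry" }
if (-not $params['sip'])             { throw "SAS has no IP restriction" }

# Consumer side: a context built from the SAS alone, with no account key involved.
$readOnlyContext = New-AzStorageContext -Environment AzureChinaCloud `
    -StorageAccountName "mymonitoringstorage" -SasToken $token    # placeholder account name
Get-AzStorageContainer -Context $readOnlyContext | Select-Object Name
```

The release check is deliberately independent of the cmdlet call: if someone later changes the `-Permission` argument to add write access, the `sp` check fails and the token is never distributed. An Account SAS cannot be revoked individually, only by rotating the signing key, so keeping the lifetime short matters more than it does for a role assignment.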

Alternatively, if you need to control this permission with RBAC, you can grant that entity the Microsoft.Storage/storageAccounts/listkeys/action permission on that particular storage account. This is necessary for users who need to be able to set a diagnostic setting or log profile to archive to a storage account. For example, you could create the following custom RBAC role for a user or application that only needs to read from one storage account:

$role = Get-AzRoleDefinition "Reader"
$role.Id = $null
$role.Name = "Monitoring Storage Account Reader"
$role.Description = "Can get the storage account keys for a monitoring storage account."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/storageAccounts/listkeys/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myMonitoringStorageAccount")
New-AzRoleDefinition -Role $role 

Warning

The ListKeys permission enables the user to list the primary and secondary storage account keys. These keys grant the user all signed permissions (read, write, create blobs, delete blobs, etc.) across all signed services (blob, queue, table, file) in that storage account. We recommend using an Account SAS, as described above, when possible.

A similar pattern can be followed with event hubs, but first you need to create a dedicated Listen authorization rule. If you want to grant access to an application that only needs to listen to monitoring-related event hubs, do the following:

  1. Create a shared access policy, with only Listen claims, on the event hub(s) that were created for streaming monitoring data. This can be done in the portal. For example, you might call it "monitoringReadOnly". If possible, give that key directly to the consumer and skip the next step.

  2. If the consumer needs to be able to get the key ad hoc, grant the user the ListKeys action for that event hub. This is also necessary for users who need to be able to set a diagnostic setting or log profile to stream to event hubs. For example, you might create an RBAC rule:

    $role = Get-AzRoleDefinition "Reader"
    $role.Id = $null
    $role.Name = "Monitoring Event Hub Listener"
    $role.Description = "Can get the key to listen to an event hub streaming monitoring data."
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.ServiceBus/namespaces/authorizationrules/listkeys/action")
    $role.Actions.Add("Microsoft.ServiceBus/namespaces/Read")
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.ServiceBus/namespaces/mySBNameSpace")
    New-AzRoleDefinition -Role $role 
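Step 1 above is described for the portal. The following PowerShell is an added example, not code from the original article: it creates the Listen-only shared access policy on a single event hub with the Az.EventHub cmdlets, verifies that the policy carries no Send or Manage right before its key is used, and then retrieves the key the way a consumer with ListKeys on that rule would in step 2. The resource group, namespace, event hub and policy names are placeholders; the event hub name assumes one of the hubs that a diagnostic setting streams into.

```powershell
# Added example (not from the original article). Placeholders: resource group,
# namespace, event hub name and policy name.

$rg        = "myResourceGroup"
$namespace = "mySBNameSpace"
$hub       = "insights-logs-monitoring"   # placeholder: an event hub a diagnostic setting streams to
$policy    = "monitoringReadOnly"

# Step 1: a policy scoped to this one event hub (not the namespace) with the Listen right only.
New-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $namespace `
    -EventHubName $hub -Name $policy -Rights @("Listen")

# Guard: re-read the rule and refuse to use it if it carries any right beyond Listen.
$rule = Get-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $namespace `
    -EventHubName $hub -Name $policy
$extraRights = @($rule.Rights | Where-Object { $_ -ne "Listen" })
if ($extraRights.Count -gt 0) {
    throw "Policy $policy carries rights beyond Listen: $($extraRights -join ', ')"
}

# Step 2 (consumer side): ListKeys on this rule yields a connection string that can only receive.
$keys = Get-AzEventHubKey -ResourceGroupName $rg -NamespaceName $namespace `
    -EventHubName $hub -Name $policy

# Hand PrimaryConnectionString to the listener; it embeds the Listen-only policy name and key.
$keys.PrimaryConnectionString
```

Creating the rule at event hub level rather than namespace level is what keeps a compromised listener key from reading hubs that carry unrelated data in the same namespace, which is the same separation the practices above recommend for storage accounts.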
    

Monitoring within a secured Virtual Network

Azure Monitor needs access to your Azure resources to provide the services you enable. If you would like to monitor your Azure resources while still securing them from access from the public Internet, you can enable the following settings.

Secured Storage Accounts

Monitoring data is often written to a storage account. You may want to make sure that the data copied to a storage account cannot be accessed by unauthorized users. For additional security, you can lock down network access so that only your authorized resources and trusted Azure services can reach a storage account, by restricting the storage account to use "selected networks". Azure Monitor is considered one of these "trusted Azure services". If you allow trusted Azure services to access your secured storage, Azure Monitor will have access to the secured storage account, which enables Azure Monitor diagnostic logs, the activity log, and metrics to be written to the storage account under these protected conditions. This will also enable Log Analytics to read logs from secured storage.
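The "selected networks" setting described above can be applied and verified from PowerShell. The following is an added example, not code from the original article: it switches a monitoring storage account's default network action to Deny, keeps the trusted Azure services bypass so that Azure Monitor can still write diagnostic logs, the activity log and metrics, adds one virtual network subnet for your own log consumers, and then checks the resulting rule set. The resource names and the subnet resource ID are placeholders, and the subnet is assumed to already have the Microsoft.Storage service endpoint enabled.

```powershell
# Added example (not from the original article). Placeholders: resource group,
# storage account name and the subnet resource ID.

$rg      = "myMonitoringRG"
$account = "mymonitoringstorage"

# Weak state for comparison: DefaultAction Allow lets any network reach the endpoint,
# leaving authentication as the only barrier. The hardened state below denies by default
# and lets only trusted Azure services (Azure Monitor among them) bypass that rule.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices

# Allow the single subnet that hosts your own log consumers (placeholder subnet ID).
$subnetId = "/subscriptions/mySubscription/resourceGroups/myNetRG/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet"
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetId

# Verify the end state: deny by default, Azure services bypassed, and exactly the rules you expect.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
if ($rules.DefaultAction -ne "Deny") {
    throw "Storage account $account still allows all networks"
}
if (("$($rules.Bypass)" -split ",\s*") -notcontains "AzureServices") {
    throw "Trusted Azure services are not bypassed; Azure Monitor will be unable to write to $account"
}
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
$rules.IpRules            | Select-Object IPAddressOrRange, Action
```

Listing the virtual network and IP rules at the end catches the common failure where an earlier administrator added a broad IP range "temporarily"; the default-action check alone would pass in that case.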

For more information, see Network security and Azure Storage.

Next steps