Azure Policy Regulatory Compliance controls for Azure Monitor

Regulatory Compliance in Azure Policy provides Microsoft-created and -managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Monitor. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor should collect activity logs from all regions | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Audit diagnostic setting | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Azure Data Lake Store should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Azure Stream Analytics should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Batch accounts should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Data Lake Analytics should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Event Hub should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in IoT Hub should be enabled | 2.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Key Vault should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Logic Apps should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Search services should be enabled | 3.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in Service Bus should be enabled | 3.0.0 |
| Data Protection | 4.9 | Log and alert on changes to critical Azure resources | Azure Monitor should collect activity logs from all regions | 1.0.0 |

CIS Azure Foundations Benchmark

For more information about this compliance standard, see CIS Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| Logging and Monitoring | 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Activity log should be retained for at least one year | 1.0.0 |
| Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Azure Monitor should collect activity logs from all regions | 1.0.0 |
| Logging and Monitoring | 5.1.6 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Storage account containing the container with activity logs must be encrypted with BYOK | 1.0.0 |
| Logging and Monitoring | 5.1.7 | Ensure that logging for Azure KeyVault is 'Enabled' | Diagnostic logs in Key Vault should be enabled | 3.0.0 |
| Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 2.0.0 |
| Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | An activity log alert should exist for specific Security operations | 1.0.0 |

HIPAA HITRUST 9.2

For more information about this compliance standard, see HIPAA HITRUST 9.2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Audit Logging | 1202.09aa1System.1 - 09.aa | A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information. | Diagnostic logs in Azure Data Lake Store should be enabled | 3.0.0 |
| Audit Logging | 1203.09aa1System.2 - 09.aa | Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed. | Diagnostic logs in Logic Apps should be enabled | 3.0.0 |
| Audit Logging | 1204.09aa1System.3 - 09.aa | The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event. | Diagnostic logs in IoT Hub should be enabled | 2.0.0 |
| Audit Logging | 1205.09aa2System.1 - 09.aa | Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents. | Diagnostic logs in Batch accounts should be enabled | 3.0.0 |
| Audit Logging | 1207.09aa2System.4 - 09.aa | Audit records are retained for 90 days and older audit records are archived for one year. | Diagnostic logs in Azure Stream Analytics should be enabled | 3.0.0 |
| Audit Logging | 1207.09aa2System.4 - 09.aa | Audit records are retained for 90 days and older audit records are archived for one year. | Diagnostic logs in Event Hub should be enabled | 3.0.0 |
| Audit Logging | 1208.09aa3System.1 - 09.aa | Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes. | Diagnostic logs in Search services should be enabled | 3.0.0 |
| Audit Logging | 1208.09aa3System.1 - 09.aa | Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes. | Diagnostic logs in Service Bus should be enabled | 3.0.0 |
| Audit Logging | 1210.09aa3System.3 - 09.aa | All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender. | Audit diagnostic setting | 1.0.0 |
| Audit Logging | 1210.09aa3System.3 - 09.aa | All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender. | Diagnostic logs in Data Lake Analytics should be enabled | 3.0.0 |
| Audit Logging | 1211.09aa3System.4 - 09.aa | The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required. | Diagnostic logs in Key Vault should be enabled | 3.0.0 |
| Monitoring System Use | 1120.09ab3System.9 - 09.ab | Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. | Azure Monitor should collect activity logs from all regions | 1.0.0 |
| Monitoring System Use | 1212.09ab1System.1 - 09.ab | All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Monitoring System Use | 1214.09ab2System.3456 - 09.ab | Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures. | Azure Monitor should collect activity logs from all regions | 1.0.0 |
| Monitoring System Use | 1219.09ab3System.10 - 09.ab | The information system is able to automatically process audit records for events of interest based on selectable criteria. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Administrator and Operator Logs | 1270.09ad1System.12 - 09.ad | The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Administrator and Operator Logs | 1271.09ad1System.1 - 09.ad | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Network Controls | 0860.09m1Organizational.9 - 09.m | The organization formally manages equipment on the network, including equipment in user areas. | Deploy Diagnostic Settings for Network Security Groups | 1.0.0 |

NIST SP 800-171 R2

For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit diagnostic setting | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit diagnostic setting | 1.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Audit diagnostic setting | 1.0.0 |

NIST SP 800-53 R4

For more information about this compliance standard, see NIST SP 800-53 R4.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Audit diagnostic setting | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Audit diagnostic setting | 1.0.0 |

Next steps