Security controls for Azure Resource Manager

This article documents the security controls built into Azure Resource Manager.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Data protection

| Security control | Yes/No | Notes |
|---|---|---|
| Server-side encryption at rest: Azure-managed keys | Yes | |
| Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption) | Yes | HTTPS/TLS. |
| Server-side encryption at rest: customer-managed keys (BYOK) | N/A | Azure Resource Manager stores no customer content, only control data. |
| Column level encryption (Azure Data Services) | Yes | |
| API calls encrypted | Yes | |

Network

| Security control | Yes/No | Notes |
|---|---|---|
| Service endpoint support | No | |
| VNet injection support | Yes | |
| Network isolation and firewalling support | No | |
| Forced tunneling support | No | |

Monitoring & logging

| Security control | Yes/No | Notes |
|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | No | |
| Control and management plane logging and audit | Yes | Activity logs expose all write operations (PUT, POST, DELETE) performed on your resources; see View activity logs to audit actions on resources. |
| Data plane logging and audit | N/A | |

Identity

| Security control | Yes/No | Notes |
|---|---|---|
| Authentication | Yes | Azure Active Directory based. |
| Authorization | Yes | |

Configuration management

| Security control | Yes/No | Notes |
|---|---|---|
| Configuration management support (versioning of configuration, etc.) | Yes | |

Next steps