Azure security baseline for Azure Resource Manager

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure Resource Manager. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Resource Manager. Controls not applicable to Azure Resource Manager have been excluded.

To see how Azure Resource Manager completely maps to the Azure Security Benchmark, see the full Azure Resource Manager security baseline mapping file.

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.2: Configure central security log management

Guidance: Ingest Azure Policy activity logs via Azure Monitor. Within Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term or archival storage.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Resources:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions, including global. | AuditIfNotExists, Disabled | 1.0.0 |

2.3: Enable audit logging for Azure resources

Guidance: Azure Resource Manager uses activity logs, which are automatically enabled, to include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Responsibility: Customer

Azure Security Center monitoring: None

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results. Use Azure Monitor and a Log Analytics workspace to review logs and perform queries on log data.

Responsibility: Shared

Azure Security Center monitoring: None

2.7: Enable alerts for anomalous activities

Guidance: Use Azure Security Center with Log Analytics for monitoring and alerting on anomalous activity found in activity logs.

Responsibility: Customer

Azure Security Center monitoring: None

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure role-based access control (RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Resources:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
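The four owner checks in the table above (too many owners, too few owners, deprecated owners, external owners) can be reproduced offline against an export of role assignments, which is useful when you want the same inventory for control 3.3 without waiting for a Security Center evaluation. The script below is an added example, not Microsoft's code or a built-in policy. Its sample data is constructed; the record fields (principalName, principalType, roleDefinitionName, scope) follow the JSON that `az role assignment list --all` returns, and the ACCOUNT_ENABLED map stands in for the Azure AD accountEnabled user property (both are assumptions).

```python
"""Inventory subscription owners and apply the owner checks from control 3.1.

Added example, not Microsoft's code. ROLE_ASSIGNMENTS and ACCOUNT_ENABLED are
constructed; the field names are assumed to match the Azure CLI / Azure AD
output they stand in for."""
from collections import defaultdict

# Constructed sample: Owner assignments on two subscriptions, plus noise.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
    {"principalName": "dave@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
    # Guest (B2B) user from another tenant: Azure AD marks the UPN with #EXT#.
    {"principalName": "mallory_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-a"},
    {"principalName": "erin@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-a"},
    {"principalName": "frank@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-b"},
    # Owner on a resource group only: not a subscription owner.
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-b/resourceGroups/rg1"},
]

# Constructed: whether each user may still sign in (Azure AD accountEnabled).
ACCOUNT_ENABLED = {
    "alice@contoso.com": True, "bob@contoso.com": True,
    "carol@contoso.com": False,  # blocked from signing in = deprecated
    "dave@contoso.com": True, "erin@contoso.com": True,
    "frank@contoso.com": True,
    "mallory_fabrikam.com#EXT#@contoso.onmicrosoft.com": True,
}


def is_external(principal_name):
    """Guest accounts invited from another tenant carry #EXT# in their UPN."""
    return "#EXT#" in principal_name


def subscription_owners(assignments):
    """Map subscription id -> principals holding Owner directly at subscription
    scope. Owner inherited from a management group is not visible here; query
    those scopes separately if you use management groups."""
    owners = defaultdict(set)
    for a in assignments:
        if a["roleDefinitionName"] != "Owner":
            continue
        parts = a["scope"].strip("/").split("/")
        if len(parts) != 2 or parts[0] != "subscriptions":
            continue  # resource-group or resource scope: skip
        owners[parts[1]].add(a["principalName"])
    return owners


def evaluate(assignments, account_enabled, max_owners=3):
    """Apply the four built-in policy checks; return findings per subscription."""
    findings = defaultdict(list)
    for sub, names in subscription_owners(assignments).items():
        if len(names) > max_owners:
            findings[sub].append(f"more than {max_owners} owners ({len(names)})")
        if len(names) < 2:
            findings[sub].append("fewer than 2 owners (no administrator redundancy)")
        for name in sorted(names):
            if is_external(name):
                findings[sub].append(f"external account with owner permissions: {name}")
            if account_enabled.get(name) is False:
                findings[sub].append(
                    f"deprecated (sign-in blocked) account with owner permissions: {name}")
    return dict(findings)


if __name__ == "__main__":
    for sub, items in evaluate(ROLE_ASSIGNMENTS, ACCOUNT_ENABLED).items():
        print(sub)
        for item in items:
            print("  -", item)
```

Only assignments made directly at subscription scope count as subscription owners here; the built-in policies evaluate the effective owners, so if you assign Owner at a management group you must fold those assignments in before comparing results.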

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you can use recommendations from Azure Security Center or built-in Azure Policy definitions, such as:

  • There should be more than one owner assigned to your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription

You can also enable Just-In-Time access by using Azure Active Directory (Azure AD) Privileged Identity Management and Azure Resource Manager.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Resources:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory (Azure AD) multi-factor authentication and follow Azure Security Center Identity and Access Management recommendations.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Resources:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a secure, Azure-managed workstation (also known as a Privileged Access Workstation, or PAW) for administrative tasks that require elevated privileges.

Responsibility: Customer

Azure Security Center monitoring: None

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) security reports and monitoring to detect when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

Responsibility: Customer

Azure Security Center monitoring: None

3.8: Manage Azure resources only from approved locations

Guidance: Use Azure Active Directory (Azure AD) named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Responsibility: Customer

Azure Security Center monitoring: None

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Responsibility: Customer

Azure Security Center monitoring: None

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure AD identity and access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Resources:

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources, which allow you to integrate with any SIEM/monitoring tool.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure the desired alerts within the Log Analytics workspace.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Responsibility: Customer

Azure Security Center monitoring: None

4.6: Use Azure RBAC to manage access to resources

Guidance: Use Azure Active Directory (Azure AD) RBAC to control access to data and resources; otherwise use service-specific access control methods.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Authorization:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |

4.8: Encrypt sensitive information at rest

Guidance: For server-side encryption at rest, Azure Resource Manager supports Azure-managed keys.

Responsibility: Customer

Azure Security Center monitoring: Not applicable

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts when changes take place to critical Azure resources.
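Controls 2.7 and 4.9 both come down to rules evaluated over activity-log events: who changed what, and whether the pattern of changes is normal. The script below is an added example, not Microsoft's code or an Azure Monitor alert rule; it shows two such rules run over a handful of constructed events. The event keys (eventTimestamp, caller, operationName, status, resourceId) are assumed to follow the activity-log event schema, with status flattened to its string value; the critical-resource prefixes, approved principals and thresholds are constructed placeholders.

```python
"""Two detection rules over Azure Activity Log events (controls 2.7 and 4.9).

Added example, not Microsoft's code. ACTIVITY_LOG is constructed; its field
names are assumed to match the activity-log event schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: resource-ID prefixes whose changes are always reviewed (4.9).
CRITICAL_RESOURCE_PREFIXES = ("/subscriptions/sub-a/resourceGroups/prod-core/",)
# Constructed: principals allowed to change critical resources (e.g. a pipeline).
APPROVED_CHANGE_PRINCIPALS = {"deploy-pipeline@contoso.com"}
# One caller deleting this many resources inside the window is anomalous (2.7).
DELETE_BURST_THRESHOLD = 3
DELETE_BURST_WINDOW = timedelta(minutes=5)

PROD = "/subscriptions/sub-a/resourceGroups/prod-core/providers/"
DEV = "/subscriptions/sub-a/resourceGroups/dev-rg/providers/"
ACTIVITY_LOG = [  # constructed sample events
    {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": "deploy-pipeline@contoso.com",
     "operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded",
     "resourceId": PROD + "Microsoft.Storage/storageAccounts/prodlogs"},
    {"eventTimestamp": "2024-01-01T10:01:00Z", "caller": "alice@contoso.com",
     "operationName": "Microsoft.Network/networkSecurityGroups/write", "status": "Succeeded",
     "resourceId": PROD + "Microsoft.Network/networkSecurityGroups/prod-nsg"},
    {"eventTimestamp": "2024-01-01T10:02:00Z", "caller": "bob@contoso.com",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded",
     "resourceId": DEV + "Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2024-01-01T10:03:00Z", "caller": "bob@contoso.com",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded",
     "resourceId": DEV + "Microsoft.Compute/virtualMachines/vm2"},
    {"eventTimestamp": "2024-01-01T10:03:30Z", "caller": "bob@contoso.com",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Failed",
     "resourceId": DEV + "Microsoft.Compute/virtualMachines/vm3"},
    {"eventTimestamp": "2024-01-01T10:04:00Z", "caller": "bob@contoso.com",
     "operationName": "Microsoft.Compute/disks/delete", "status": "Succeeded",
     "resourceId": DEV + "Microsoft.Compute/disks/disk1"},
    {"eventTimestamp": "2024-01-01T10:05:00Z", "caller": "carol@contoso.com",
     "operationName": "Microsoft.Storage/storageAccounts/read", "status": "Succeeded",
     "resourceId": PROD + "Microsoft.Storage/storageAccounts/prodlogs"},
]


def parse_timestamp(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def operation_category(operation_name):
    """Activity-log operation names end in write, delete, action or read."""
    return operation_name.rsplit("/", 1)[-1].lower()


def detect(events):
    """Return alerts for (a) any successful write/delete/action on a critical
    resource by a non-approved caller and (b) a burst of deletes by one caller."""
    alerts = []
    recent_deletes = defaultdict(list)  # caller -> delete timestamps in the window
    for event in sorted(events, key=lambda e: parse_timestamp(e["eventTimestamp"])):
        if event["status"] != "Succeeded":
            continue  # failed attempts are still worth logging; these rules act on completed changes
        category = operation_category(event["operationName"])
        if category not in ("write", "delete", "action"):
            continue
        if (event["resourceId"].startswith(CRITICAL_RESOURCE_PREFIXES)
                and event["caller"] not in APPROVED_CHANGE_PRINCIPALS):
            alerts.append({"rule": "critical-resource-change", "caller": event["caller"],
                           "operation": event["operationName"],
                           "resourceId": event["resourceId"]})
        if category == "delete":
            ts = parse_timestamp(event["eventTimestamp"])
            window = recent_deletes[event["caller"]]
            window.append(ts)
            while window and ts - window[0] > DELETE_BURST_WINDOW:
                window.pop(0)  # drop deletes that fell out of the sliding window
            if len(window) == DELETE_BURST_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append({"rule": "delete-burst", "caller": event["caller"],
                               "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect(ACTIVITY_LOG):
        print(alert)
```

The same two rules map directly onto Azure Monitor alert rules over the AzureActivity table; the point of running them here is to be able to test the logic against known events before relying on it in production.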

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Resources:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions, including global. | AuditIfNotExists, Disabled | 1.0.0 |

Inventory and Asset Management

For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query for and discover all resources (such as compute, storage, network, ports, protocols, and so on) in your subscriptions. Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources in your subscriptions.

Although classic Azure resources may be discovered via Azure Resource Graph Explorer, it is highly recommended to create and use Azure Resource Manager resources.

Responsibility: Customer

Azure Security Center monitoring: None

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

More related details are provided below.

Responsibility: Customer

Azure Security Center monitoring: Not applicable

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.

Responsibility: Customer

Azure Security Center monitoring: None

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.

Use Azure Resource Graph to query for and discover resources within your subscriptions. Ensure that all Azure resources present in the environment are approved.

Responsibility: Customer

Azure Security Center monitoring: None

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

More related details are provided below.
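Controls 6.3, 6.5 and 6.9 all rely on the two built-in definitions just listed. The script below is an added example, not Microsoft's code or the Azure Policy engine: it holds two definitions written in the same shape as those built-ins (a `field: type` condition over a parameter array, with a `deny` effect), a small evaluator for that rule language, and a constructed inventory in the shape `az resource list` returns, so you can see which existing resources an assignment would flag before turning the effect from audit to deny. The parameter names and the inventory are assumptions.

```python
"""Evaluate 'Allowed / Not allowed resource types' style policy rules offline.

Added example, not Microsoft's code. The two definitions mirror the structure
of the built-ins; parameter names and the inventory are constructed."""
import re

ALLOWED_TYPES = {
    "displayName": "Allowed resource types",
    "parameters": {"listOfResourceTypesAllowed": {"type": "Array"}},
    "policyRule": {
        "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
        "then": {"effect": "deny"},
    },
}
NOT_ALLOWED_TYPES = {
    "displayName": "Not allowed resource types",
    "parameters": {"listOfResourceTypesNotAllowed": {"type": "Array"}},
    "policyRule": {
        "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
        "then": {"effect": "deny"},
    },
}

# Constructed parameter values, as they would be set on the assignments.
ASSIGNMENT_PARAMETERS = {
    "listOfResourceTypesAllowed": ["Microsoft.Compute/virtualMachines",
                                   "Microsoft.Storage/storageAccounts",
                                   "Microsoft.Network/virtualNetworks"],
    "listOfResourceTypesNotAllowed": ["Microsoft.ClassicCompute/virtualMachines",
                                      "Microsoft.ClassicStorage/storageAccounts"],
}

# Constructed inventory; real output mixes casing in the type field.
INVENTORY = [
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "prodlogs", "type": "microsoft.storage/storageaccounts", "location": "eastus"},
    {"name": "legacy-vm", "type": "Microsoft.ClassicCompute/virtualMachines", "location": "eastus"},
    {"name": "web1", "type": "Microsoft.Web/sites", "location": "eastus"},
]

_PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve(value, params):
    """Replace a [parameters('x')] expression with the assignment's value."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def condition_matches(cond, resource, params):
    """Subset of the Azure Policy condition language: not/allOf/anyOf and
    field equals/in/notIn. String comparison is case-insensitive, as in Azure Policy."""
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == str(resolve(cond["equals"], params)).lower()
    if "in" in cond:
        return actual in {str(v).lower() for v in resolve(cond["in"], params)}
    if "notIn" in cond:
        return actual not in {str(v).lower() for v in resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, params, resources):
    """Return (displayName, resource name, effect) for each resource the rule matches."""
    rule = definition["policyRule"]
    effect = rule["then"]["effect"].lower()
    return [(definition["displayName"], r["name"], effect)
            for r in resources if condition_matches(rule["if"], r, params)]


def non_compliant(resources, params, definitions=(ALLOWED_TYPES, NOT_ALLOWED_TYPES)):
    out = []
    for d in definitions:
        out.extend(evaluate(d, params, resources))
    return out


if __name__ == "__main__":
    for row in non_compliant(INVENTORY, ASSIGNMENT_PARAMETERS):
        print(row)
```

Note that `deny` only blocks new creations and updates; resources that already exist when the assignment is made show up as non-compliant, which is exactly the list the 6.3 reconciliation step needs.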

Responsibility: Customer

Azure Security Center monitoring: None

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Active Directory (Azure AD) Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Responsibility: Customer

Azure Security Center monitoring: None

6.12: Limit users' ability to execute scripts in compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Responsibility: Customer

Azure Security Center monitoring: None

Secure Configuration

For more information, see the Azure Security Benchmark: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure resources. You may also use built-in Azure Policy definitions.

Azure Resource Manager can export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet the security requirements for your organization.

You can also use the recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources. In addition, you can use Azure Resource Manager templates to maintain the security configuration of your Azure resources required by your organization.

Additionally, as an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.

Responsibility: Customer

Azure Security Center monitoring: None

7.5: Securely store configuration of Azure resources

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure Policy definitions, Azure Resource Manager templates, and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.

Responsibility: Customer

Azure Security Center monitoring: None

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources. You can also make use of built-in policy definitions related to your specific resources. Additionally, you can use Azure Automation to deploy configuration changes.

Responsibility: Customer

Azure Security Center monitoring: None

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use built-in Azure Policy definitions as well as custom policies to alert, audit, and enforce system configurations. Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

7.13: Eliminate unintended credential exposure

Guidance: Use recommended practices when constructing your ARM template; these recommendations help you avoid common problems when using an ARM template to deploy a solution.

Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
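The template review that 7.1 asks for, the locks from 7.3 and the credential checks from 7.13 can be combined into one pass over an exported or authored template. The script below is an added example, not Microsoft's Credential Scanner or any other Microsoft tool: it flags secret-looking parameters that are not secureString/secureObject or that carry a defaultValue, secret-looking literals inside resource properties and app settings (a bracketed template expression such as `[parameters('x')]` is accepted, a plain literal is not), and critical resources without a CanNotDelete or ReadOnly lock. The template is constructed, every secret in it is a labelled placeholder, and the set of critical types and the `<type>/<name>` scope format used to match locks to resources are assumptions.

```python
"""One-pass review of an ARM template: secret parameters, hard-coded secret
literals and missing resource locks (controls 7.1, 7.3, 7.13).

Added example, not Microsoft's Credential Scanner. TEMPLATE is constructed and
its secrets are placeholders; CRITICAL_TYPES and the lock scope format are
assumptions."""
import re

SECRET_NAME = re.compile(r"password|secret|token|connectionstring|accesskey|accountkey", re.I)
SECURE_TYPES = {"securestring", "secureobject"}
CRITICAL_TYPES = {"Microsoft.Storage/storageAccounts", "Microsoft.Web/sites"}  # assumption

TEMPLATE = {  # constructed sample template
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminPassword": {"type": "string", "defaultValue": "PLACEHOLDER-NOT-A-REAL-SECRET"},
        "apiToken": {"type": "secureString"},
    },
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01",
         "name": "prodlogs", "location": "eastus", "sku": {"name": "Standard_LRS"},
         "kind": "StorageV2", "properties": {"supportsHttpsTrafficOnly": True}},
        {"type": "Microsoft.Web/sites", "apiVersion": "2021-02-01", "name": "api-frontend",
         "location": "eastus",
         "properties": {"siteConfig": {"appSettings": [
             {"name": "API_TOKEN", "value": "[parameters('apiToken')]"},
             {"name": "DB_CONNECTIONSTRING", "value": "Server=db;Password=PLACEHOLDER"},
         ]}}},
        {"type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01",
         "name": "prodlogs-lock", "scope": "Microsoft.Storage/storageAccounts/prodlogs",
         "properties": {"level": "CanNotDelete"}},
    ],
}


def is_expression(value):
    """Template expressions are bracketed, e.g. [parameters('x')]; literals are not."""
    return isinstance(value, str) and value.startswith("[")


def check_parameters(template):
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if not SECRET_NAME.search(name):
            continue
        if spec.get("type", "").lower() not in SECURE_TYPES:
            findings.append(f"parameter '{name}' looks like a secret but is type "
                            f"'{spec.get('type')}'; use secureString and supply it from Key Vault")
        if "defaultValue" in spec:
            findings.append(f"parameter '{name}' has a defaultValue; secrets must not ship with defaults")
    return findings


def _walk(node, path, findings):
    if isinstance(node, dict):
        # name/value pairs (app settings, environment variables)
        if ("name" in node and "value" in node and SECRET_NAME.search(str(node["name"]))
                and isinstance(node["value"], str) and not is_expression(node["value"])):
            findings.append(f"hard-coded secret literal for '{node['name']}' at {path}")
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_NAME.search(key) and isinstance(value, str) and not is_expression(value):
                findings.append(f"hard-coded secret literal at {child}")
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)


def check_hardcoded_secrets(template):
    findings = []
    _walk(template.get("resources", []), "resources", findings)
    return findings


def check_locks(template):
    """Critical resources must be covered by a CanNotDelete or ReadOnly lock."""
    resources = template.get("resources", [])
    locked = {r.get("scope") for r in resources
              if r["type"] == "Microsoft.Authorization/locks"
              and r.get("properties", {}).get("level") in ("CanNotDelete", "ReadOnly")}
    return [f"critical resource {r['type']}/{r['name']} has no CanNotDelete/ReadOnly lock"
            for r in resources
            if r["type"] in CRITICAL_TYPES and f"{r['type']}/{r['name']}" not in locked]


def review(template):
    return check_parameters(template) + check_hardcoded_secrets(template) + check_locks(template)


if __name__ == "__main__":
    for finding in review(TEMPLATE):
        print("-", finding)
```

Name-based matching is deliberately noisy: a false positive costs a minute of review, whereas a connection string that slips into source control costs a credential rotation.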

Responsibility: Customer

Azure Security Center monitoring: None

Data Recovery

For more information, see the Azure Security Benchmark: Data Recovery.

9.3: Validate all backups including customer-managed keys

Guidance: Ensure that you can periodically deploy your Azure Resource Manager templates to an isolated subscription if necessary.

Responsibility: Customer

Azure Security Center monitoring: None

9.4: Ensure protection of backups and customer-managed keys

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure Policy definitions, Azure Resource Manager templates, and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.

Responsibility: Customer

Azure Security Center monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management from detection to post-incident review.

Responsibility: Customer

Azure Security Center monitoring: None

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and then revise your response plan as needed.

Responsibility: Customer

Azure Security Center monitoring: None

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources. Continuous export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You can use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Responsibility: Customer

Azure Security Center monitoring: None

10.6: Automate the response to security alerts

Guidance: Use the workflow automation feature in Azure Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Azure policies. Use Azure's strategy and execution of Red Teaming and live site penetration testing against Azure-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Azure Security Center monitoring: None

Next steps