Azure Policy Regulatory Compliance controls for Azure SQL Database & SQL Managed Instance

Applies to: Azure SQL Database, Azure SQL Managed Instance

Regulatory Compliance in Azure Policy provides Azure-created and Azure-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure SQL Database and SQL Managed Instance. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, a Compliant status in Azure Policy refers only to the policies themselves; it doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | SQL Server should use a virtual network service endpoint | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Auditing on SQL server should be enabled | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | SQL Auditing settings should have Action-Groups configured to capture critical activities | 1.0.0 |
| Logging and Monitoring | 2.5 | Configure security log storage retention | SQL servers should be configured with auditing retention days greater than 90 days. | 1.0.0 |
| Logging and Monitoring | 2.7 | Enable alerts for anomalous activity | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Logging and Monitoring | 2.7 | Enable alerts for anomalous activity | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Identity and Access Control | 3.9 | Use Azure Active Directory | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Data Protection | 4.1 | Maintain an inventory of sensitive Information | Sensitive data in your SQL databases should be classified | 1.0.0-preview |
| Data Protection | 4.5 | Use an active discovery tool to identify sensitive data | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Data Protection | 4.5 | Use an active discovery tool to identify sensitive data | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Data Protection | 4.5 | Use an active discovery tool to identify sensitive data | Sensitive data in your SQL databases should be classified | 1.0.0-preview |
| Data Protection | 4.8 | Encrypt sensitive information at rest | SQL Managed Instance TDE protector should be encrypted with your own key | 1.0.1 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | SQL server TDE protector should be encrypted with your own key | 1.0.0 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | Transparent Data Encryption on SQL databases should be enabled | 1.0.0 |
| Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | Vulnerability assessment should be enabled on your SQL servers | 1.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities on your SQL databases should be remediated | 1.0.0 |
| Data Recovery | 9.1 | Ensure regular automated back ups | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 1.0.0 |
| Data Recovery | 9.2 | Perform complete system backups and backup any customer managed keys | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 1.0.0 |

CIS Microsoft Azure Foundations Benchmark

For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Auditing on SQL server should be enabled | 1.0.0 |
| Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Transparent Data Encryption on SQL databases should be enabled | 1.0.0 |
| Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 1.0.0 |
| Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | SQL Auditing settings should have Action-Groups configured to capture critical activities | 1.0.0 |
| Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers should be configured with auditing retention days greater than 90 days. | 1.0.0 |
| Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 1.0.0 |
| Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | SQL Managed Instance TDE protector should be encrypted with your own key | 1.0.1 |
| Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | SQL server TDE protector should be encrypted with your own key | 1.0.0 |

NIST SP 800-171 R2

For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Auditing on SQL server should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Auditing on SQL server should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Auditing on SQL server should be enabled | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities on your SQL databases should be remediated | 1.0.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Transparent Data Encryption on SQL databases should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities on your SQL databases should be remediated | 1.0.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Advanced data security should be enabled on your SQL servers | 1.0.0 |

NIST SP 800-53 R4

For more information about this compliance standard, see NIST SP 800-53 R4.

| Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 (7) | Account Management \| Role-Based Schemes | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-16 | Security Attributes | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Access Control | AC-16 | Security Attributes | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Auditing on SQL server should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Auditing on SQL server should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities on your SQL databases should be remediated | 1.0.0 |
| System and Communications Protection | SC-28 (1) | Protection of Information at Rest \| Cryptographic Protection | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| System and Communications Protection | SC-28 (1) | Protection of Information at Rest \| Cryptographic Protection | Advanced data security should be enabled on your SQL servers | 1.0.0 |
| System and Communications Protection | SC-28 (1) | Protection of Information at Rest \| Cryptographic Protection | Transparent Data Encryption on SQL databases should be enabled | 1.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities on your SQL databases should be remediated | 1.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | Advanced data security should be enabled on SQL Managed Instance | 1.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Advanced data security should be enabled on your SQL servers | 1.0.0 |

Next steps