Security attributes for Azure Cosmos DB

This article documents the security attributes built into Azure Cosmos DB.

A security attribute is a quality or feature of an Azure service. It contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

Security attributes are categorized as:

  • Preventative
  • Network segmentation
  • Detection
  • Support for identity and access management
  • Audit trail
  • Access controls (if used)
  • Configuration management (if used)

In each category, we show "Yes" or "No" to indicate whether an attribute is used. For some services, we show "N/A" for an attribute that is not applicable. We might also provide a note or a link to more information about an attribute.

Preventative

| Security attribute | Yes/No | Notes |
|---|---|---|
| Encryption at rest (such as server-side encryption, server-side encryption with customer-managed keys, and other encryption features) | Yes | All Cosmos databases and backups are encrypted by default; see Data encryption in Azure Cosmos DB. Server-side encryption with customer-managed keys is not supported. |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-VNet encryption) | Yes | All Azure Cosmos DB data is encrypted in transit. |
| Encryption key handling (CMK, BYOK, etc.) | No | |
| Column level encryption (Azure Data Services) | Yes | Only in the Tables API Premium. Not all APIs support this feature. See Introduction to Azure Cosmos DB: Table API. |
| API calls encrypted | Yes | All connections to Azure Cosmos DB support HTTPS. Azure Cosmos DB also supports TLS 1.2 connections, but this is not yet enforced on the service side. Customers who disable lower TLS versions on their own clients can thereby ensure that they connect to Cosmos DB over TLS 1.2. |

Network segmentation

| Security attribute | Yes/No | Notes |
|---|---|---|
| Service endpoint support | Yes | |
| VNet injection support | Yes | With VNet service endpoints, you can configure an Azure Cosmos DB account to allow access only from a specific subnet of a virtual network (VNet). You can also combine VNet access with firewall rules. See Access Azure Cosmos DB from virtual networks. |
| Network isolation and firewalling support | Yes | With firewall support, you can configure your Azure Cosmos account to allow access only from an approved set of IP addresses, a range of IP addresses, and/or cloud services. See Configure IP firewall in Azure Cosmos DB. |
| Forced tunneling support | Yes | Can be configured on the client side, in the VNet where the virtual machines are located. |

Detection

| Security attribute | Yes/No | Notes |
|---|---|---|
| Azure monitoring support (Log Analytics) | Yes | All requests sent to Azure Cosmos DB are logged. Azure Monitoring, Azure Metrics, and Azure Audit Logging are supported. You can log information corresponding to data plane requests, query runtime statistics, query text, and MongoDB requests. You can also set up alerts. |

Identity and access management

| Security attribute | Yes/No | Notes |
|---|---|---|
| Authentication | Yes | Yes at the database account level; at the data plane level, Cosmos DB uses resource tokens and key access. |
| Authorization | Yes | Supported at the Azure Cosmos account level with master keys (primary and secondary) and resource tokens. Master keys give read/write or read-only access to data. Resource tokens allow time-limited access to specific resources such as documents and containers. |
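
The two data-plane authorization forms named above (master-key access and resource tokens) differ in how the Authorization header is built. As an added example, not part of this page or of the Cosmos DB SDK, the following Python constructs both header values using the HMAC-SHA256 signing scheme documented for the Cosmos DB REST API; the master key, date and resource link are constructed sample values, and the token is a placeholder string.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample key (base64 of 64 arbitrary bytes) - NOT a real master key.
SAMPLE_MASTER_KEY = base64.b64encode(bytes(range(64))).decode()


def master_key_auth_header(verb, resource_type, resource_link, date_rfc1123, master_key):
    """Authorization header for master-key access (type=master).

    The canonical string to sign is the lower-cased verb, lower-cased resource
    type ("dbs", "colls", "docs", ...), the case-sensitive resource link and the
    lower-cased x-ms-date value, each followed by a newline, plus a trailing
    empty line. It is signed with HMAC-SHA256 keyed by the decoded master key.
    Because the date is signed, a captured header cannot be replayed indefinitely.
    """
    string_to_sign = "\n".join(
        [verb.lower(), resource_type.lower(), resource_link, date_rfc1123.lower(), ""]
    ) + "\n"
    key = base64.b64decode(master_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    # The whole value is URL-encoded (equivalent of JavaScript encodeURIComponent).
    return urllib.parse.quote(f"type=master&ver=1.0&sig={signature}", safe="")


def resource_token_auth_header(token):
    """Authorization header for a resource token (type=resource).

    The token is issued by the service for a permission on a specific resource
    and expires; the client only forwards it, there is nothing to sign locally.
    """
    return urllib.parse.quote(f"type=resource&ver=1.0&sig={token}", safe="")


def signature_bytes(auth_header):
    """Recover the raw signature bytes from a built header (for inspection/tests)."""
    sig = urllib.parse.unquote(auth_header).split("sig=", 1)[1]
    return base64.b64decode(sig)


if __name__ == "__main__":
    # Constructed request: read the database resource "dbs/ToDoList".
    hdr = master_key_auth_header("GET", "dbs", "dbs/ToDoList",
                                 "Thu, 27 Apr 2017 00:51:12 GMT", SAMPLE_MASTER_KEY)
    print("master-key header:", hdr)
    print("resource-token header:", resource_token_auth_header("PLACEHOLDER_TOKEN"))
```

A master-key header must be recomputed for every request (verb, resource and date all change the signature), which is why master keys belong only in trusted middle-tier code while untrusted clients receive scoped resource tokens.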

Audit trail

| Security attribute | Yes/No | Notes |
|---|---|---|
| Control and management plane logging and audit | Yes | Azure Activity Log for account-level operations such as firewalls, VNets, key access, and IAM. |
| Data plane logging and audit | Yes | Diagnostic monitoring logging for container-level operations such as creating a container, provisioning throughput, indexing policies, and CRUD operations on documents. |

Configuration management

| Security attribute | Yes/No | Notes |
|---|---|---|
| Configuration management support (versioning of configuration, etc.) | No | |

Additional security attributes for Cosmos DB

| Security attribute | Yes/No | Notes |
|---|---|---|
| Cross-Origin Resource Sharing (CORS) | Yes | See Configure Cross-Origin Resource Sharing (CORS). |