Azure Cosmos DB 的安全控制Security controls for Azure Cosmos DB

本文介绍 Azure Cosmos DB 中内置的安全控制。This article documents the security controls built into Azure Cosmos DB.

安全控制是促使 Azure 服务能够防范、检测和响应安全漏洞的一种服务质量或功能。A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

对于每项控制,我们使用“Yes”或“No”来指示它当前是否用于该服务,对于不适用于该服务的控制为“N/A”。For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, "N/A" for a control that is not applicable to the service. 我们还可能会提供有关属性的更多信息的注释或链接。We might also provide a note or links to more information about an attribute.


安全控制Security control 是/否Yes/no 注释Notes
服务终结点支持Service endpoint support Yes
VNet 注入支持VNet injection support Yes 使用 VNet 服务终结点可将 Azure Cosmos DB 帐户配置为仅允许从虚拟网络 (VNet) 的特定子网进行访问。With VNet service endpoint, you can configure an Azure Cosmos DB account to allow access only from a specific subnet of a virtual network (VNet). 还可以将 VNet 访问与防火墙规则相结合。You can also combine VNet access with firewall rules. 若要了解详细信息,请参阅从虚拟网络访问 Azure Cosmos DBTo learn more, see Access Azure Cosmos DB from virtual networks.
网络隔离和防火墙支持Network Isolation and Firewall support Yes 借助防火墙支持,可将 Azure Cosmos 帐户配置为仅允许从一组已批准的 IP 地址、某个 IP 地址范围和/或云服务进行访问。With firewall support, you can configure your Azure Cosmos account to allow access only from an approved set of IP addresses, a range of IP addresses and/or cloud services. 若要了解详细信息,请参阅在 Azure Cosmos DB 中配置 IP 防火墙To learn more, see Configure IP firewall in Azure Cosmos DB.
强制隧道支持Forced tunneling support Yes 可以在虚拟机所在的 VNet 中的客户端上配置。Can be configured at the client side on the VNet where the virtual machines are located.

监视和日志记录Monitoring & logging

安全控制Security control 是/否Yes/no 注释Notes
Azure 监视支持(Log Analytics、App Insights 等)Azure monitoring support (Log analytics, App insights, etc.) Yes 发送到 Azure Cosmos DB 的所有请求将被记录。All requests that are sent to Azure Cosmos DB are logged. 支持 Azure 监视、Azure 指标和 Azure 审核日志记录。Azure Monitoring, Azure Metrics, Azure Audit Logging are supported. 可以记录对应于数据平面请求、查询运行时统计、查询文本和 MongoDB 请求的信息。You can log information corresponding to data plane requests, query runtime statistics, query text, MongoDB requests. 还可以设置警报。You can also set up alerts.
控制和管理平面日志记录和审核Control and management plane logging and audit Yes 帐户级操作(例如防火墙、VNet、密钥访问和 IAM)的 Azure 活动日志。Azure Activity log for account level operations such as Firewalls, VNets, Keys access, and IAM.
数据平面日志记录和审核Data plane logging and audit Yes 容器级操作(例如创建容器、预配吞吐量、为策略编制索引,以及对文档执行 CRUD 操作)的诊断监视日志记录。Diagnostics monitoring logging for container level operations such as create container, provision throughput, indexing policies, and CRUD operations on documents.


安全控制Security control 是/否Yes/no 注释Notes
身份验证Authentication Yes 在数据库帐户级别为“是”;在数据平面级别,Cosmos DB 将使用资源令牌和密钥访问。Yes at the Database Account Level; at the data plane level, Cosmos DB uses resource tokens and key access.
授权Authorization Yes 在使用主密钥(主要和辅助密钥)与资源令牌的 Azure Cosmos 帐户级别受支持。Supported at the Azure Cosmos account with Master keys (primary and secondary) and Resource tokens. 可以使用主密钥获取对数据的读/写或只读访问权限。You can get read/write or read only access to data with master keys. 使用资源令牌可以在有限的时间内访问文档和容器等资源。Resource tokens allow limited time access to resources such as documents and containers.

数据保护Data protection

安全控制Security control 是/否Yes/no 注释Notes
服务器端静态加密:Azure 托管的密钥Server-side encryption at rest: Azure-managed keys Yes 所有 Azure Cosmos 数据库和备份默认已加密;请参阅 Azure Cosmos DB 中的数据加密All Azure Cosmos databases and backups are encrypted by default; see Data encryption in Azure Cosmos DB.
服务器端静态加密:客户管理的密钥 (BYOK)Server-side encryption at rest: customer-managed keys (BYOK) Yes 请参阅为 Azure Cosmos DB 帐户配置客户托管密钥See Configure customer-managed keys for your Azure Cosmos DB account
列级加密(Azure 数据服务)Column level encryption (Azure Data Services) Yes 只能在表 API 高级版中使用。Only in the Tables API Premium. 并非所有 API 都支持此功能。Not all APIs support this feature. 请参阅 Azure Cosmos DB 简介:表 APISee Introduction to Azure Cosmos DB: Table API.
传输中加密(例如 ExpressRoute 加密、VNet 中加密,以及 VNet-VNet 加密)Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption ) Yes 所有 Azure Cosmos DB 数据在传输中都会经过加密。All Azure Cosmos DB data is encrypted at transit.
加密的 API 调用API calls encrypted Yes 与 Azure Cosmos DB 建立的所有连接都支持 HTTPS。All connections to Azure Cosmos DB support HTTPS. Azure Cosmos DB 还支持 TLS 1.2。Azure Cosmos DB also supports TLS 1.2.
可以在服务器端强制实施最低 TLS 版本。It is possible to enforce a minimum TLS version server-side. 为此,请联系 do so, please contact

配置管理Configuration management

安全控制Security control Yes/NoYes/No 注释Notes
配置管理支持(配置的版本控制等)Configuration management support (versioning of configuration, etc.) No

Cosmos DB 的其他安全控制Additional security controls for Cosmos DB

安全控制Security control 是/否Yes/no 注释Notes
跨域资源共享 (CORS)Cross Origin Resource Sharing (CORS) Yes 请参阅配置跨域资源共享 (CORS)See Configure Cross-Origin Resource Sharing (CORS).