Azure Policy built-in definitions for Azure Cosmos DB

APPLIES TO: SQL API, Cassandra API, Gremlin API, Table API, Azure Cosmos DB API for MongoDB

This page is an index of Azure Policy built-in policy definitions for Azure Cosmos DB. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Cosmos DB

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 1.0.1 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, deny, disabled | 1.0.2 |
| Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | [parameters('policyEffect')] | 1.0.0 |
| Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | append | 1.0.0 |
| Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | audit, deny, disabled | 1.0.0 |
| Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |

Next steps