Azure Policy built-in definitions for Azure Cosmos DB

APPLIES TO: SQL API, Cassandra API, Gremlin API, Table API, Azure Cosmos DB API for MongoDB

This page is an index of Azure Policy built-in policy definitions for Azure Cosmos DB. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Cosmos DB

Each entry below lists the policy's Name (Azure portal), Description, Effect(s), and Version (GitHub).

Name (Azure portal): Azure Cosmos DB account should use customer-managed keys to encrypt data at rest
Description: Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk
Effect(s): audit, deny, disabled
Version (GitHub): 1.0.0

Name (Azure portal): Azure Cosmos DB accounts should have firewall rules
Description: Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.
Effect(s): Audit, Deny, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Azure Cosmos DB allowed locations
Description: This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.
Effect(s): [parameters('policyEffect')]
Version (GitHub): 1.0.0

Name (Azure portal): Azure Cosmos DB key based metadata write access should be disabled
Description: This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access.
Effect(s): append
Version (GitHub): 1.0.0

Name (Azure portal): Azure Cosmos DB throughput should be limited
Description: This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources.
Effect(s): audit, deny, disabled
Version (GitHub): 1.0.0

Name (Azure portal): Cosmos DB should use a virtual network service endpoint
Description: This policy audits any Cosmos DB not configured to use a virtual network service endpoint.
Effect(s): Audit, Disabled
Version (GitHub): 1.0.0

Next steps