Azure Security Baseline for Cosmos DB

The Azure Security Baseline for Cosmos DB contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: You can reduce the risk of data exfiltration by configuring a strict set of outbound rules on a network security group (NSG) and associating that NSG with your subnet.

You can also use Service Endpoints to secure your Azure Cosmos account. By enabling a Service Endpoint, you can configure Azure Cosmos accounts to allow access only from a specific subnet of an Azure virtual network. Once the Azure Cosmos DB Service Endpoint is enabled, you can limit access to an Azure Cosmos account to connections from a subnet in a virtual network.

You can also secure the data stored in your Azure Cosmos account by using IP firewalls. Azure Cosmos DB supports IP-based access controls for inbound firewall support. You can set an IP firewall on the Azure Cosmos account by using the Azure portal, Azure Resource Manager templates, the Azure CLI, or Azure PowerShell.

How to create a Network Security Group with a Security Config: https://docs.azure.cn/virtual-network/tutorial-filter-network-traffic

How to configure IP firewall in Cosmos DB: https://docs.azure.cn/cosmos-db/how-to-configure-firewall

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: Use Azure Security Center and follow network protection recommendations to help secure network resources related to your Azure Cosmos account.

When virtual machines are deployed in the same virtual network as your Azure Cosmos account, you can use a network security group (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send the logs to an Azure Storage account for traffic audits. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Understand Network Security provided by Azure Security Center: https://docs.azure.cn/security-center/security-center-network-recommendations

How to Enable NSG Flow Logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to Enable and use Traffic Analytics: https://docs.azure.cn/network-watcher/traffic-analytics

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Use the Cross-Origin Resource Sharing (CORS) feature to enable a web application running under one domain to access resources in another domain. Web browsers implement a security restriction known as the same-origin policy that prevents a web page from calling APIs in a different domain. CORS provides a secure way to allow the origin domain to call APIs in another domain. After you enable CORS support for your Azure Cosmos account, only authenticated requests are evaluated to determine whether they are allowed according to the rules you have specified.

Configure Cross-Origin Resource Sharing: https://docs.azure.cn/cosmos-db/how-to-configure-cross-origin-resource-sharing

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets and flow logs

Guidance: Enable network security group (NSG) flow logs and send the logs to a storage account for traffic audit. You can send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

How to Enable NSG Flow Logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to Enable and use Traffic Analytics: https://docs.azure.cn/network-watcher/traffic-analytics

Azure Security Center monitoring: Yes

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources that need access to your Azure Cosmos account, use Virtual Network service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, AzureCosmosDB) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

For more information about using service tags: https://docs.azure.cn/virtual-network/service-tags-overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer
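The following added example (not code from the baseline) models how an NSG evaluates outbound rules for controls 1.1 and 1.8: custom rules are tried in ascending priority, the platform's default outbound rules come last, and the AzureCosmosDB service tag is expanded to address prefixes. It shows why a strict set needs an explicit deny ahead of the default AllowInternetOutBound rule. The service-tag prefixes are constructed placeholders, not Azure's real ones.

```python
"""Evaluate an NSG's outbound rules the way Azure applies them: rules are
processed in ascending priority order, the first match decides, and the
platform's default outbound rules (AllowVnetOutBound 65000,
AllowInternetOutBound 65001, DenyAllOutBound 65500) sit after every custom rule.
The point for control 1.1 is that without an explicit deny, the default
AllowInternetOutBound rule lets a compromised VM send data anywhere.

Added example for controls 1.1 and 1.8; not code from the baseline.  The
service-tag prefixes below are constructed placeholders: Azure maintains the
real AzureCosmosDB prefixes and updates them as they change.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed placeholder expansions for service tags.
SERVICE_TAGS = {
    "AzureCosmosDB": ["203.0.113.0/24", "198.51.100.0/25"],
    "VirtualNetwork": ["10.0.0.0/8"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    name: str
    priority: int                 # custom rules use 100-4096; lower number wins
    access: str                   # "Allow" or "Deny"
    destination: str              # service tag, CIDR, single address or "*"
    dest_ports: list = field(default_factory=lambda: ["*"])   # "443", "1000-2000" or "*"


# Default outbound rules Azure adds to every NSG.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "*"),
]


def _dest_matches(dest: str, ip: str) -> bool:
    if dest == "*":
        return True
    addr = ip_address(ip)
    prefixes = SERVICE_TAGS.get(dest, [dest])       # a tag expands; a literal is used as-is
    return any(addr in ip_network(p, strict=False) for p in prefixes)


def _port_matches(ranges: list, port: int) -> bool:
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_outbound(custom_rules: list, dest_ip: str, dest_port: int) -> tuple:
    """Return (access, rule_name) of the first rule matching the flow."""
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if _dest_matches(rule.destination, dest_ip) and _port_matches(rule.dest_ports, dest_port):
            return rule.access, rule.name
    return "Deny", "implicit"        # unreachable in practice: DenyAllOutBound matches everything


def strict_cosmos_outbound_rules() -> list:
    """The restrictive set control 1.1 asks for: only HTTPS to the AzureCosmosDB
    service tag leaves the subnet.  The explicit deny at 4096 sits before the
    platform defaults, so it overrides AllowInternetOutBound (add an Allow for
    VirtualNetwork ahead of it if intra-VNet traffic is required)."""
    return [
        Rule("AllowCosmosDBHttps", 100, "Allow", "AzureCosmosDB", ["443"]),
        Rule("DenyAllOutboundExplicit", 4096, "Deny", "*"),
    ]


if __name__ == "__main__":
    strict = strict_cosmos_outbound_rules()
    for ip, port in (("203.0.113.10", 443), ("203.0.113.10", 8080), ("93.184.216.34", 443)):
        print(ip, port, "default NSG:", evaluate_outbound([], ip, port),
              "strict NSG:", evaluate_outbound(strict, ip, port))
```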

1.10: Document traffic configuration rules

Guidance: Use tags for network resources associated with your Azure Cosmos DB deployment in order to logically organize them into a taxonomy.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor network resource configurations and detect changes to network resources related to your Azure Cosmos DB instances. Create alerts within Azure Monitor that trigger when changes to critical network resources take place.

How to view and retrieve Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/activity-log-view

How to create alerts in Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Azure maintains the time source used for Azure resources such as Azure Cosmos DB for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

2.3: Enable audit logging for Azure resources

Guidance: Enable diagnostic settings for Azure Cosmos DB and send the logs to a Log Analytics workspace or storage account. Diagnostic settings in Azure Cosmos DB are used to collect resource logs. These logs are captured per request and are also referred to as "data plane logs". Some examples of data plane operations are delete, insert, and read. You may also enable Azure Activity Log diagnostic settings and send them to the same Log Analytics workspace.

How to enable Diagnostic Settings for Azure Cosmos DB: https://docs.azure.cn/cosmos-db/logging

How to enable Diagnostic Settings for Azure Activity Log: https://docs.azure.cn/azure-monitor/platform/diagnostic-settings-legacy

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set the log retention period for Log Analytics workspaces associated with your Azure Cosmos DB instances according to your organization's compliance regulations.

How to set log retention parameters: https://docs.azure.cn/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: You can perform queries in a Log Analytics workspace to search terms, identify trends, analyze patterns, and provide many other insights based on the Azure Cosmos DB logs that you gathered.

How to perform queries for Azure Cosmos DB in Log Analytics workspaces: https://docs.azure.cn/cosmos-db/monitor-cosmos-db

Create, view, and manage log alerts using Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer
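As an added example for controls 2.3 and 2.6 (not part of the baseline), the script below runs two detections over the per-request data plane records that diagnostic settings export: a burst of 401/403 responses from one client address, and a client whose read and query request charge within a sliding window exceeds a baseline. The field names are assumed to follow the CDBDataPlaneRequests schema (TimeGenerated, StatusCode, ClientIpAddress, OperationName, RequestCharge) and the records are constructed; the same logic translates to a Log Analytics query.

```python
"""Detections over Azure Cosmos DB data-plane request logs, the per-request
records that diagnostic settings send to a Log Analytics workspace (control 2.3).

Added example for controls 2.3 and 2.6; not part of the baseline.  Field names
are assumed to follow the CDBDataPlaneRequests schema; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def auth_failure_bursts(records: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {client_ip: count} for clients with at least `threshold` 401/403
    responses inside any sliding interval of length `window` (credential
    guessing, or a revoked key still being presented)."""
    by_ip = defaultdict(list)
    for r in records:
        if int(r["StatusCode"]) in (401, 403):
            by_ip[r["ClientIpAddress"]].append(_parse(r["TimeGenerated"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def heavy_readers(records: list, ru_limit: float = 1000.0,
                  window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {client_ip: request_units} for clients whose successful read/query
    request charge inside a sliding window exceeds `ru_limit`, a bulk-read
    (potential exfiltration) indicator worth alerting on."""
    by_ip = defaultdict(list)
    for r in records:
        if r["OperationName"] in ("Read", "Query", "ReadFeed") and int(r["StatusCode"]) < 400:
            by_ip[r["ClientIpAddress"]].append((_parse(r["TimeGenerated"]), float(r["RequestCharge"])))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        start, total = 0, 0.0
        for end, (t, ru) in enumerate(items):
            total += ru
            while t - items[start][0] > window:
                total -= items[start][1]
                start += 1
            if total > ru_limit:
                hits[ip] = max(hits.get(ip, 0.0), total)
    return hits


def _rec(ts, ip, op, status, ru):
    return {"TimeGenerated": ts, "ClientIpAddress": ip, "OperationName": op,
            "StatusCode": status, "RequestCharge": ru}


# Constructed sample log: one client hammering the account with a bad key,
# a legitimate app doing small point reads, and one client pulling data in bulk.
SAMPLE_RECORDS = (
    [_rec("2024-05-01T10:00:%02dZ" % s, "198.51.100.7", "Read", 401, 0) for s in range(0, 60, 10)]
    + [_rec("2024-05-01T10:07:00Z", "10.0.0.5", "Read", 401, 0)]
    + [_rec("2024-05-01T10:0%d:00Z" % m, "10.0.0.5", "Read", 200, 2.5) for m in range(1, 5)]
    + [_rec("2024-05-01T10:0%d:30Z" % m, "192.0.2.44", "Query", 200, 450.0) for m in range(1, 4)]
)

if __name__ == "__main__":
    print("auth-failure bursts:", auth_failure_bursts(SAMPLE_RECORDS))
    print("heavy readers (RU):", heavy_readers(SAMPLE_RECORDS))
```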

2.8: Centralize anti-malware logging

Guidance: Not applicable; Azure Cosmos DB does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Azure Cosmos DB does not process or produce DNS-related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: You can use the Identity and Access Control (IAM) pane in the Azure portal to configure role-based access control (RBAC) and maintain an inventory of Azure Cosmos DB resources. The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups.

Azure Cosmos DB provides built-in RBAC for common management scenarios in Azure Cosmos DB. An individual who has a profile in Azure Active Directory (AD) can assign these RBAC roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Cosmos DB resources.

You can also use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Additionally, some actions in Azure Cosmos DB can be controlled with Azure Active Directory and account-specific master keys. Use the 'disableKeyBasedMetadataWriteAccess' account setting to control key access.

Understand role-based access control in Azure Cosmos DB: https://docs.azure.cn/cosmos-db/role-based-access-control

Build your own custom roles using Azure Cosmos DB Actions (Microsoft.DocumentDB namespace): https://docs.azure.cn/role-based-access-control/resource-provider-operations#microsoftdocumentdb

Create a new role in Azure Active Directory: https://docs.azure.cn/role-based-access-control/custom-roles

How to get a directory role in Azure Active Directory with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

How to get members of a directory role in Azure Active Directory with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0

Restrict user access to data operations only: https://docs.azure.cn/cosmos-db/how-to-restrict-user-data

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: The concept of default or blank passwords does not exist in relation to Azure AD or Azure Cosmos DB. Instead, Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources: master keys and resource tokens. The keys can be regenerated at any time.

Understanding secure access to data in Azure Cosmos DB: https://docs.azure.cn/cosmos-db/secure-access-to-data

How to regenerate Azure Cosmos DB keys: https://docs.azure.cn/cosmos-db/manage-with-powershell#regenerate-keys

How to programmatically access keys using Azure Active Directory: https://docs.azure.cn/cosmos-db/certificate-based-authentication

Azure Security Center monitoring: Not applicable

Responsibility: Shared

3.3: Use dedicated administrative accounts

Guidance: Not applicable; Azure Cosmos DB does not support administrator accounts. All access is integrated with Azure Active Directory and Azure role-based access control (Azure RBAC).

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory Multi-Factor Authentication and follow Azure Security Center Identity and Access Management recommendations.

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

How to monitor identity and access within Azure Security Center: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use Privileged Access Workstations (PAW) with Multi-Factor Authentication configured to log into and configure Azure resources.

Learn about Privileged Access Workstations: https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Use Advanced Threat Protection (ATP) for Azure Cosmos DB. ATP for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos accounts. This layer of protection allows you to address threats and integrate them with central security monitoring systems.

In addition, you may use Azure Active Directory (AD) Privileged Identity Management (PIM) to generate logs and alerts when suspicious or unsafe activity occurs in the environment.

Use Azure AD Risk Detections to view alerts and reports on risky user behavior.

How to deploy Privileged Identity Management (PIM): https://docs.azure.cn/active-directory/privileged-identity-management/pim-deployment-plan

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory provides logs to help discover stale accounts. In addition, you can use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

How to use Azure Identity Access Reviews: https://docs.azure.cn/active-directory/governance/access-reviews-overview

Azure Security Center monitoring: Yes

Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure Cosmos DB instances that store or process sensitive information.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Separate Azure Cosmos DB instances by virtual network/subnet, tag them appropriately, and secure them within a network security group (NSG) or Azure Firewall. Azure Cosmos DB instances storing sensitive data should be isolated. By using Azure Private Link, you can connect to an Azure Cosmos DB account via a private endpoint. The private endpoint is a set of private IP addresses in a subnet within your virtual network. You can then limit access to the selected private IP addresses.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

How to create a Network Security Group with a Security Config: https://docs.azure.cn/virtual-network/tutorial-filter-network-traffic

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: All connections to Azure Cosmos DB support HTTPS. Azure Cosmos DB also supports TLS 1.2. It is possible to enforce a minimum TLS version server-side. To do so, please contact azurecosmosdbtls@service.microsoft.com.

Overview of Cosmos DB Security: https://docs.azure.cn/cosmos-db/database-security

Azure Security Center monitoring: Not applicable

Responsibility: Azure

4.5: Use an active discovery tool to identify sensitive data

Guidance: Automatic data identification, classification, and loss prevention features are not yet available for Azure Cosmos DB. However, you can use the Azure Cognitive Search integration for classification and data analysis. You can also implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Index Azure Cosmos DB data with Azure Cognitive Search: https://docs.azure.cn/search/search-howto-index-cosmosdb?toc=/cosmos-db/toc.json&bc=/cosmos-db/breadcrumb/toc.json

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Azure Cosmos DB provides built-in role-based access control (RBAC) for common management scenarios in Azure Cosmos DB. An individual who has a profile in Azure Active Directory can assign these RBAC roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Cosmos DB resources. Role assignments are scoped to control-plane access only, which includes access to Azure Cosmos accounts, databases, containers, and offers (throughput).

How to implement RBAC in Azure Cosmos DB: https://docs.azure.cn/cosmos-db/role-based-access-control

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this guideline is intended for compute resources.

Azure manages the underlying infrastructure for Cosmos DB and has implemented strict controls to prevent the loss or exposure of customer data.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.8: Encrypt sensitive information at rest

Guidance: All user data stored in Cosmos DB is encrypted at rest by default. There are no controls to turn it off. Azure Cosmos DB uses AES-256 encryption in all regions where the account is running.

By default, Azure manages the keys that are used to encrypt the data in your Azure Cosmos account. You can optionally choose to add a second layer of encryption with your own keys.

Understanding encryption at rest with Azure Cosmos DB: https://docs.azure.cn/cosmos-db/database-encryption-at-rest

Understanding key management for encryption at rest with Azure Cosmos DB: https://docs.azure.cn/cosmos-db/cosmos-db-security-controls

How to configure customer-managed keys for your Azure Cosmos DB account: https://docs.azure.cn/cosmos-db/how-to-setup-cmk

Azure Security Center monitoring: Not applicable

Responsibility: Shared
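Several of the account-level settings this baseline relies on (the IP firewall and service-endpoint rules of 1.1, the CORS origins of 1.3, the disableKeyBasedMetadataWriteAccess setting of 3.1, private endpoints for 4.2 and customer-managed keys for 4.8) can be checked from one account description. The following added example (not the baseline's or Azure's own tooling) audits an account against those controls; it assumes the input has the shape of the JSON printed by `az cosmosdb show`, with property names as on the Microsoft.DocumentDB/databaseAccounts resource, and both sample accounts are constructed.

```python
"""Audit an Azure Cosmos DB account's configuration against the network, CORS,
key-access, private-endpoint and encryption controls in this baseline
(1.1, 1.3, 3.1, 4.2, 4.8).

Added example, not part of the baseline.  Input is assumed to have the shape of
the JSON `az cosmosdb show` prints (property names as on the
Microsoft.DocumentDB/databaseAccounts resource); the sample accounts are constructed.
"""
import json

AZURE_DATACENTER_MARKER = "0.0.0.0"   # documented special entry: admit traffic from Azure datacenters


def audit_account(acct: dict) -> list:
    """Return (control, status, message) tuples; status is PASS, FAIL or INFO."""
    findings = []

    # 1.1 / 4.2: inbound restriction via IP firewall, service endpoints,
    # private endpoints, or public network access disabled.
    ip_rules = [r.get("ipAddressOrRange", "") for r in acct.get("ipRules") or []]
    vnet_rules = (acct.get("virtualNetworkRules") or []) if acct.get("isVirtualNetworkFilterEnabled") else []
    private_eps = acct.get("privateEndpointConnections") or []
    public_off = acct.get("publicNetworkAccess") == "Disabled"
    if public_off or ip_rules or vnet_rules:
        findings.append(("1.1", "PASS", "inbound access restricted: ipRules=%d vnetRules=%d publicNetworkAccess=%s"
                         % (len(ip_rules), len(vnet_rules), "Disabled" if public_off else "Enabled")))
    else:
        findings.append(("1.1", "FAIL", "no IP firewall, service-endpoint rule or public-access lockdown: "
                         "the account accepts connections from any address"))
    if AZURE_DATACENTER_MARKER in ip_rules:
        findings.append(("1.1", "INFO", "ipRules contains 0.0.0.0, which admits traffic from Azure datacenter ranges"))
    findings.append(("4.2", "PASS" if private_eps else "INFO",
                     "%d private endpoint connection(s)" % len(private_eps) if private_eps
                     else "no private endpoint; access is via the public endpoint, subject to the rules above"))

    # 1.3: CORS rules must not use a wildcard origin (allowedOrigins is comma-separated).
    cors = acct.get("cors") or []
    wildcard = [c for c in cors if "*" in [o.strip() for o in (c.get("allowedOrigins") or "").split(",")]]
    if wildcard:
        findings.append(("1.3", "FAIL", "CORS rule allows origin '*'; restrict allowedOrigins to the web app's domains"))
    elif cors:
        findings.append(("1.3", "PASS", "CORS enabled for %d rule(s) with explicit origins" % len(cors)))
    else:
        findings.append(("1.3", "INFO", "CORS not configured (fine unless browsers call the account directly)"))

    # 3.1: block metadata (database/container) writes with the master key so that
    # control-plane changes have to go through Azure RBAC.
    if acct.get("disableKeyBasedMetadataWriteAccess") is True:
        findings.append(("3.1", "PASS", "disableKeyBasedMetadataWriteAccess=true"))
    else:
        findings.append(("3.1", "FAIL", "disableKeyBasedMetadataWriteAccess is not set: any holder of a master key "
                         "can create or alter databases and containers outside RBAC"))

    # 4.8: encryption at rest is always on; report whether a customer-managed key adds a second layer.
    kv = acct.get("keyVaultKeyUri")
    findings.append(("4.8", "INFO", "customer-managed key configured: %s" % kv if kv
                     else "service-managed keys (default); a customer-managed key is optional"))
    return findings


def has_failures(findings: list) -> bool:
    return any(status == "FAIL" for _, status, _ in findings)


# Constructed sample accounts (not real resources; <...> values are placeholders).
WEAK_ACCOUNT = json.loads("""{
  "name": "example-weak", "publicNetworkAccess": "Enabled",
  "ipRules": [], "isVirtualNetworkFilterEnabled": false, "virtualNetworkRules": [],
  "privateEndpointConnections": [],
  "cors": [{"allowedOrigins": "*"}],
  "disableKeyBasedMetadataWriteAccess": false,
  "keyVaultKeyUri": null
}""")

HARDENED_ACCOUNT = json.loads("""{
  "name": "example-hardened", "publicNetworkAccess": "Enabled",
  "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
  "isVirtualNetworkFilterEnabled": true,
  "virtualNetworkRules": [{"id": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app",
                           "ignoreMissingVNetServiceEndpoint": false}],
  "privateEndpointConnections": [{"id": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/example-hardened/privateEndpointConnections/pe1"}],
  "cors": [{"allowedOrigins": "https://app.example.com"}],
  "disableKeyBasedMetadataWriteAccess": true,
  "keyVaultKeyUri": "https://<vault-name>.vault.azure.net/keys/cosmos-cmk"
}""")

if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"])
        for control, status, msg in audit_account(acct):
            print("  %-4s %-4s %s" % (control, status, msg))
```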

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Azure Cosmos DB.

How to create alerts for Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Follow recommendations from Azure Security Center for your Azure Cosmos DB instances.

Azure performs system patching and vulnerability management on the underlying hosts that support your Azure Cosmos DB instances. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Supported features available in Azure Security Center: https://docs.azure.cn/security-center/security-center-services?tabs=features-windows

Azure Security Center monitoring: Yes

Responsibility: Shared

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated third-party software patch management solution

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use the Azure portal or Azure Resource Graph to discover all resources (not limited to Azure Cosmos DB, but also including resources such as compute, other storage, network, ports, and protocols) within your subscription(s). Ensure you have appropriate permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within them.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

How to view your Azure subscriptions: https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0

Understanding Azure role-based access control: https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to your Azure Cosmos DB instances and related resources with metadata to logically organize them into a taxonomy.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Which Azure Cosmos DB resources support tags: https://docs.azure.cn/azure-resource-manager/management/tag-support#microsoftdocumentdb

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets, including but not limited to Azure Cosmos DB resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Not applicable; this guideline is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in your subscription(s), using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

In addition, use Azure Resource Graph to query and discover resources within the subscription(s).

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this guideline is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in your subscription(s), using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to deny a specific resource type with Azure Policy: https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app. This can prevent the creation of and changes to resources within a high-security environment.

How to configure Conditional Access to block access to Azure Resource Manager: https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high-risk applications

Guidance: Not applicable; this guideline is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Cosmos DB instances with Azure Policy. Use Azure Policy aliases in the "Microsoft.DocumentDB" namespace to create custom policies that audit or enforce the configuration of your Cosmos DB instances. You may also make use of built-in policy definitions for Azure Cosmos DB, such as:

  • Deploy Advanced Threat Protection for Cosmos DB Accounts

  • Cosmos DB should use a virtual network service endpoint

How to view available Azure Policy aliases: https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Understand Azure Policy effects: https://docs.azure.cn/governance/policy/concepts/effects

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.6: Securely store custom operating system images

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use Azure Policy aliases in the "Microsoft.DocumentDB" namespace to create custom policies that alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use Azure Policy aliases in the "Microsoft.DocumentDB" namespace to create custom policies that alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure Cosmos DB instances and related resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

How to set up Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html

Azure Security Center monitoring: Not applicable

Responsibility: Customer
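To show how the deny and audit policies referred to in 6.5, 6.9, 7.1, 7.3 and this section actually evaluate against a resource, here is an added Python example (not from the baseline and not Azure Policy's own engine) that implements a small subset of the policy-rule language and runs two definitions against constructed Cosmos DB account documents: one modelled on the built-in "Not allowed resource types" definition, and one custom rule in the Microsoft.DocumentDB namespace. The two alias names and their property paths are assumptions to confirm with Get-AzPolicyAlias before use, the region and resource names are constructed, and the evaluator simplifies the service's semantics (a missing property is compared as null; only the [parameters('name')] template form is resolved).

```python
import json

# Alias -> path inside the resource document. The two Microsoft.DocumentDB aliases are assumed
# names; confirm them with Get-AzPolicyAlias -NamespaceMatch 'Microsoft.DocumentDB'.
ALIASES = {
    "type": ("type",),
    "location": ("location",),
    "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess": ("properties", "publicNetworkAccess"),
    "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled": ("properties", "isVirtualNetworkFilterEnabled"),
}


def resolve_field(resource, field):
    """Walk the alias path; a missing property comes back as None (simplified service semantics)."""
    node = resource
    for key in ALIASES[field]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _norm(value):
    # Azure Policy compares strings case-insensitively and booleans as "true"/"false".
    if isinstance(value, bool):
        return "true" if value else "false"
    return value.lower() if isinstance(value, str) else value


def _param(value, parameters):
    # Only the [parameters('name')] template form is resolved here.
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return parameters[value[len("[parameters('"):-len("')]")]]
    return value


def evaluate(condition, resource, parameters):
    """Evaluate allOf / anyOf / not and the field operators equals, notEquals, in, notIn, exists."""
    if "allOf" in condition:
        return all(evaluate(c, resource, parameters) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, parameters) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource, parameters)
    actual = _norm(resolve_field(resource, condition["field"]))
    if "exists" in condition:
        return (actual is not None) == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return actual == _norm(_param(condition["equals"], parameters))
    if "notEquals" in condition:
        return actual != _norm(_param(condition["notEquals"], parameters))
    if "in" in condition:
        return actual in {_norm(v) for v in _param(condition["in"], parameters)}
    if "notIn" in condition:
        return actual not in {_norm(v) for v in _param(condition["notIn"], parameters)}
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(definition, resource, parameters=None):
    """Return the lower-cased effect ('deny', 'audit', ...) when the rule's 'if' matches, else None."""
    parameters = parameters or {}
    rule = definition["policyRule"]
    if evaluate(rule["if"], resource, parameters):
        return _param(rule["then"]["effect"], parameters).lower()
    return None


# Modelled on the built-in "Not allowed resource types" definition (parameter name taken from it).
NOT_ALLOWED_TYPES = json.loads("""{
  "policyRule": {
    "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
    "then": {"effect": "Deny"}
  }
}""")

# Custom definition: deny a Cosmos DB account that is reachable from the public internet
# without a virtual network service endpoint filter.
COSMOS_NETWORK_RULE = json.loads("""{
  "policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts"},
      {"field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess", "notEquals": "Disabled"},
      {"field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled", "notEquals": "true"}
    ]},
    "then": {"effect": "deny"}
  }
}""")

# Constructed resource documents in the shape of an ARM request body / Resource Graph row.
SAMPLE_RESOURCES = {
    "cosmos-open": {"type": "Microsoft.DocumentDB/databaseAccounts", "location": "chinanorth2",
                    "properties": {"publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": False}},
    "cosmos-vnet": {"type": "Microsoft.DocumentDB/databaseAccounts", "location": "chinanorth2",
                    "properties": {"publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": True}},
    "cosmos-private": {"type": "Microsoft.DocumentDB/databaseAccounts", "location": "chinanorth2",
                       "properties": {"publicNetworkAccess": "Disabled"}},
    "classic-storage": {"type": "Microsoft.ClassicStorage/storageAccounts", "location": "chinanorth2",
                        "properties": {}},
}
DENY_PARAMS = {"listOfResourceTypesNotAllowed": ["Microsoft.ClassicStorage/storageAccounts",
                                                 "Microsoft.ClassicCompute/virtualMachines"]}


def assess(resources=SAMPLE_RESOURCES):
    """Map resource name -> list of effects the two definitions would apply."""
    out = {}
    for name, res in resources.items():
        effects = (effect_for(NOT_ALLOWED_TYPES, res, DENY_PARAMS), effect_for(COSMOS_NETWORK_RULE, res))
        out[name] = [e for e in effects if e]
    return out


if __name__ == "__main__":
    for name, effects in assess().items():
        print(f"{name}: {effects or 'compliant'}")
```

Run as written, the publicly reachable account without a service-endpoint filter and the classic storage account are denied, while the account with the filter enabled and the account whose public access is disabled are left alone: the "deny" effect only bites on the configurations the rule names, which is what a deployment-time test of a custom definition should confirm before it is assigned.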
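As an added example of the kind of check Credential Scanner performs (this is not Credential Scanner's code, nor Microsoft's), the Python below scans source text for Cosmos DB connection strings and bare account keys, using the key's base64 shape together with a Shannon-entropy threshold to skip obvious placeholders, and redacts each match in its findings. The sample source and keys are constructed (the keys are SHA-512 digests of fixed strings, not real credentials); the endpoint host name and the entropy threshold are assumptions.

```python
import base64
import hashlib
import math
import re
from dataclasses import dataclass

# A Cosmos DB account key is 64 random bytes, so base64 gives 86 characters plus "==" padding.
_B64_KEY = r"[A-Za-z0-9+/]{86}=="
# Connection-string form; the host is left generic (documents.azure.cn in Azure China).
CONNECTION_STRING_RE = re.compile(
    r"AccountEndpoint=https://[A-Za-z0-9.-]+(?::\d+)?/?;AccountKey=(" + _B64_KEY + r")", re.IGNORECASE)
# A bare key that is not glued to other base64 text on either side.
BARE_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])(" + _B64_KEY + r")(?![A-Za-z0-9+/=])")
MIN_ENTROPY_BITS = 4.5  # assumed threshold: real keys sit near 5.5 bits/char, "AAAA...==" near 0.2


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(secret):
    return secret[:4] + "..." + secret[-4:]


def scan_text(text, path="<memory>"):
    """Return findings for each line holding a connection string or a high-entropy bare key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CONNECTION_STRING_RE.search(line)
        if m:
            findings.append(Finding(path, lineno, "cosmos-connection-string", redact(m.group(1))))
            continue  # the key inside the connection string must not be reported twice
        for m in BARE_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_ENTROPY_BITS:
                findings.append(Finding(path, lineno, "cosmos-account-key", redact(m.group(1))))
    return findings


# Constructed sample: the two "keys" are SHA-512 digests, so they have the shape and entropy
# of a real key without being one; the third is a low-entropy placeholder that must be skipped.
FAKE_KEY_1 = base64.b64encode(hashlib.sha512(b"constructed-sample-key-1").digest()).decode()
FAKE_KEY_2 = base64.b64encode(hashlib.sha512(b"constructed-sample-key-2").digest()).decode()
LOW_ENTROPY = "A" * 86 + "=="
SAMPLE_SOURCE = f"""# settings.py (constructed sample; not real credentials)
COSMOS_CONN = "AccountEndpoint=https://cosmos-prod-01.documents.azure.cn:443/;AccountKey={FAKE_KEY_1};"
COSMOS_KEY = "{FAKE_KEY_2}"
EXAMPLE_KEY = "{LOW_ENTROPY}"
# preferred: fetch the key from Key Vault at runtime instead of checking it in
"""


def run_sample():
    return scan_text(SAMPLE_SOURCE, "settings.py")


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

The scanner reports the connection string on line 2 and the bare key on line 3, and stays quiet on the all-"A" placeholder on line 4 because its entropy is far below the threshold. Findings carry only a redacted prefix and suffix, which is enough to locate and rotate the key without copying it into yet another log.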

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this guideline is intended for compute resources. Azure Antimalware is enabled on the underlying hosts that support Azure services (for example, Azure App Service); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Azure Antimalware is enabled on the underlying hosts that support Azure services (for example, Azure App Service); however, it does not run on customer content.

It is your responsibility to pre-scan any files being uploaded to non-compute Azure resources, including Azure Cosmos DB. Azure cannot access customer data, and therefore cannot conduct anti-malware scans of customer content on your behalf.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this benchmark control is intended for compute resources. Azure Antimalware is enabled on the underlying hosts that support Azure services; however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated backups

Guidance: Azure Cosmos DB takes snapshots of your data every four hours. All backups are stored separately in a storage service and are replicated across multiple regions for resiliency against regional disasters. At any given time, only the last two snapshots are retained. However, if a container or database is deleted, Azure Cosmos DB retains the existing snapshots of that container or database for 30 days. Contact Azure Support to restore from a backup.

Understanding Azure Cosmos DB automated backups: https://docs.azure.cn/cosmos-db/online-backup-and-restore

Azure Security Center monitoring: Not applicable

Responsibility: Azure

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Azure Cosmos DB automatically takes backups of your data at regular intervals. If a database or container is deleted, you can file a support ticket or call Azure Support to restore the data from the automatic online backups. Azure Support is available only for selected plans, such as Standard, Developer, and higher. To restore a specific snapshot of the backup, Azure Cosmos DB requires that the data is available for the duration of the backup cycle for that snapshot.

If you use Key Vault to store credentials for your Cosmos DB instances, ensure regular automated backups of your keys.

Understand Azure Cosmos DB automated backups: https://docs.azure.cn/cosmos-db/online-backup-and-restore

How to restore data in Azure Cosmos DB: https://docs.azure.cn/cosmos-db/how-to-backup-and-restore

How to back up Key Vault keys: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey

Azure Security Center monitoring: Currently not available

Responsibility: Shared

9.3: Validate all backups, including customer-managed keys

Guidance: If a database or container is deleted, you can file a support ticket or call Azure Support to restore the data from the automatic online backups. Azure Support is available only for selected plans, such as Standard, Developer, and higher. To restore a specific snapshot of the backup, Azure Cosmos DB requires that the data is available for the duration of the backup cycle for that snapshot.

Test restoration of your secrets stored in Azure Key Vault using PowerShell. The Restore-AzureKeyVaultKey cmdlet creates a key in the specified key vault. This key is a replica of the backed-up key in the input file and has the same name as the original key.

Understand Azure Cosmos DB automated backups: https://docs.azure.cn/cosmos-db/online-backup-and-restore

How to restore data in Azure Cosmos DB: https://docs.azure.cn/cosmos-db/how-to-backup-and-restore

How to restore Azure Key Vault secrets: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0

Azure Security Center monitoring: Not applicable

Responsibility: Shared

9.4: Ensure protection of backups and customer-managed keys

Guidance: Because all user data stored in Cosmos DB is encrypted at rest and in transit, you don't have to take any action. Put another way, encryption at rest is "on" by default; there are no controls to turn it off or on. Azure Cosmos DB uses AES-256 encryption in all regions where the account is running.

Enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.

Understand data encryption in Azure Cosmos DB: https://docs.azure.cn/cosmos-db/database-encryption-at-rest

How to enable Soft-Delete in Key Vault: https://docs.azure.cn/storage/blobs/storage-blob-soft-delete?tabs=azure-portal

Azure Security Center monitoring: Yes

Responsibility: Shared

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling/management, from detection to post-incident review.

You may also leverage NIST's Computer Security Incident Handling Guide to aid in the creation of your own incident response plan: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

How to configure workflow automations within Azure Security Center: https://docs.azure.cn/security-center/security-center-planning-and-operations-guide

Guidance on building your own security incident response process: https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/

Azure Security Response Center's Anatomy of an Incident: https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Refer to NIST's publication, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Azure Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

How to set the Azure Security Center security contact: https://docs.azure.cn/security-center/security-center-provide-security-contact-details

Azure Security Center monitoring: Yes

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Follow the Azure Rules of Engagement to ensure your penetration tests are not in violation of Azure policies: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

You can find more information on Azure's strategy and execution of red teaming and live-site penetration testing against Azure-managed cloud infrastructure, services, and applications here: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps