Security in Azure Data Explorer

This article provides an introduction to security in Azure Data Explorer to help you protect your data and resources in the cloud and meet the security needs of your business. It's important to keep your clusters secure. Securing a cluster involves one or more Azure features, including secure access and secure storage. This article provides information to help you keep your cluster secure.

Identity and access control

Role-based access control

Use role-based access control (RBAC) to segregate duties and grant only the required access to cluster users. Instead of giving everybody unrestricted permissions on the cluster, you can allow only users assigned to specific roles to perform certain actions. You can configure access control for the databases in the Azure portal, with the Azure CLI, or with Azure PowerShell.

Managed identities for Azure resources

A common challenge when building cloud applications is managing the credentials your code uses to authenticate to cloud services. Keeping those credentials secure is an important task. They shouldn't be stored on developer workstations or checked into source control. Azure Key Vault provides a way to store credentials, secrets, and other keys securely, but your code still has to authenticate to Key Vault to retrieve them.

The Azure Active Directory (Azure AD) managed identities for Azure resources feature solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use that identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. For more information about this service, see the managed identities for Azure resources overview page.

Data protection

Azure disk encryption

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It provides volume encryption for the OS and data disks of your cluster's virtual machines. Azure Disk Encryption also integrates with Azure Key Vault, which allows you to control and manage the disk encryption keys and secrets and to ensure that all data on the VM disks is encrypted.

Customer-managed keys with Azure Key Vault

By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption. You can manage encryption of your data at the storage level with your own keys. A customer-managed key is used to protect and control access to the root encryption key, which is used to encrypt and decrypt all data. Customer-managed keys offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

Use Azure Key Vault to store your customer-managed keys. You can create your own keys and store them in a key vault, or you can use the Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the Azure Key Vault must be in the same region, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault? For a detailed explanation of customer-managed keys, see Customer-managed keys with Azure Key Vault. Configure customer-managed keys in your Azure Data Explorer cluster using the portal, C#, an Azure Resource Manager template, the CLI, or PowerShell.

Note

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). To configure customer-managed keys in the Azure portal, configure a managed identity for your cluster as described in Configure managed identities for your Azure Data Explorer cluster.

Store customer-managed keys in Azure Key Vault

To enable customer-managed keys on a cluster, use an Azure Key Vault to store your keys. You must enable both the Soft Delete and Do Not Purge properties on the key vault. The key vault must be located in the same subscription as the cluster. Azure Data Explorer uses managed identities for Azure resources to authenticate to the key vault for encryption and decryption operations. Managed identities don't support cross-directory scenarios.

Rotate customer-managed keys

You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. To rotate a key, update the key version or create a new key in Azure Key Vault, and then update the cluster to encrypt data using the new key URI. You can do these steps with the Azure CLI or in the portal. Rotating the key doesn't trigger re-encryption of existing data in the cluster.

When rotating a key, you typically specify the same identity that was used when the cluster was created. Optionally, configure a new user-assigned identity for key access, or enable and specify the cluster's system-assigned identity.

Note

Ensure that the required Get, Unwrap Key, and Wrap Key permissions are set for the identity you configure for key access.

Update key version

A common scenario is to update the version of the key used as a customer-managed key. Depending on how the cluster encryption is configured, the customer-managed key in the cluster is either updated automatically or must be updated manually.

Revoke access to customer-managed keys

To revoke access to customer-managed keys, use PowerShell or the Azure CLI. For more information, see Azure Key Vault PowerShell or Azure Key Vault CLI. Revoking access blocks access to all data at the cluster's storage level, because Azure Data Explorer can no longer reach the encryption key.

Note

When Azure Data Explorer detects that access to a customer-managed key has been revoked, it automatically suspends the cluster to delete any cached data. Once access to the key is restored, the cluster is resumed automatically.
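The customer-managed key lifecycle described in the preceding sections (vault prerequisites, the identity's Get/Wrap Key/Unwrap Key permissions, pointing the cluster at a key version, rotating the version, and finally revoking access), as an added PowerShell example that is not from the original page or from Microsoft's documentation. It assumes the Az.Kusto and Az.KeyVault modules, an existing cluster and vault in the same region, a vault that uses access policies rather than Azure RBAC, and placeholder resource names; the flattened IdentityPrincipalId property on Get-AzKustoCluster output is an assumption.

```powershell
# Added example: configure, rotate, and revoke a customer-managed key for an
# Azure Data Explorer cluster. Names below are placeholders, not real resources.
$rg        = 'my-resource-group'
$cluster   = 'mykustocluster'
$vaultName = 'mykeyvault'
$keyName   = 'adx-cmk'

# 1. Vault prerequisites: soft delete (on by default for new vaults) and purge
#    protection, so a deleted key cannot be purged out from under the cluster.
Update-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -EnablePurgeProtection

# 2. Give the cluster a system-assigned managed identity and read back its
#    principal id (assumes the flattened IdentityPrincipalId property).
Update-AzKustoCluster -ResourceGroupName $rg -Name $cluster -IdentityType SystemAssigned
$principalId = (Get-AzKustoCluster -ResourceGroupName $rg -Name $cluster).IdentityPrincipalId

# 3. Least privilege on the vault: only the three key operations ADX needs.
#    (Assumes the vault uses access policies, not Azure RBAC authorization.)
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 4. Create the key and point the cluster at that specific key version.
$vault = Get-AzKeyVault -VaultName $vaultName
$key   = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software
Update-AzKustoCluster -ResourceGroupName $rg -Name $cluster `
    -KeyVaultPropertyKeyName $keyName `
    -KeyVaultPropertyKeyVaultUri $vault.VaultUri `
    -KeyVaultPropertyKeyVersion $key.Version

# 5. Rotate: create a new version of the same key, then repoint the cluster.
#    Existing data is not re-encrypted by this step.
$newKey = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software
Update-AzKustoCluster -ResourceGroupName $rg -Name $cluster `
    -KeyVaultPropertyKeyName $keyName `
    -KeyVaultPropertyKeyVaultUri $vault.VaultUri `
    -KeyVaultPropertyKeyVersion $newKey.Version

# 6. Revoke: removing the identity's access policy makes the key unreachable.
#    ADX then suspends the cluster and drops cached data until access returns.
Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId
```

Step 6 is the emergency lever: reinstating the access policy with the same three permissions is what lets the cluster resume.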

Next steps