Azure Policy built-in definitions for Data Factory (Preview)

Applies to: Azure Data Factory, Azure Synapse Analytics

This page is an index of Azure Policy built-in policy definitions for Data Factory. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Data Factory

Columns: Name (Azure portal) | Description | Effect(s) | Version (GitHub)

Name: Azure data factories should be encrypted with a customer-managed key
Description: Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/data-factory/enable-customer-managed-key.
Effect(s): Audit, Deny, Disabled
Version: 1.0.1

Name: Azure Data Factory integration runtime should have a limit for number of cores
Description: To manage your resources and costs, limit the number of cores for an integration runtime.
Effect(s): Audit, Deny, Disabled
Version: 1.0.0-preview

Name: Azure Data Factory linked service resource type should be in allow list
Description: Define the allow list of Azure Data Factory linked service types. Restricting the allowed resource types gives you control over the boundary of data movement. For example, restrict a scope to allow only blob storage with Data Lake Storage Gen2 for analytics, or a scope to allow only SQL and Kusto access for real-time queries.
Effect(s): Audit, Deny, Disabled
Version: 1.0.0-preview

Name: Azure Data Factory linked services should use Key Vault for storing secrets
Description: To ensure that secrets (such as connection strings) are managed securely, require users to provide secrets through an Azure Key Vault instead of specifying them inline in linked services.
Effect(s): Audit, Deny, Disabled
Version: 1.0.0-preview

Name: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported
Description: Using a system-assigned managed identity when communicating with data stores via linked services avoids the use of less secure credentials such as passwords or connection strings.
Effect(s): Audit, Deny, Disabled
Version: 1.0.0-preview
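The three linked-service policies above (allow-listed resource types, secrets held in Key Vault, managed identity where supported) can be approximated locally before deployment, so that a pipeline definition is rejected in CI rather than audited after the fact. The following is an added example, not the Azure Policy rules themselves and not code from the Data Factory documentation: it walks ARM-style linked-service JSON and reports a verdict per policy. The list of managed-identity-capable types, the set of credential-bearing typeProperties keys, and the sample linked services are assumptions constructed for the example; the real policy rules on GitHub are the authority on what each built-in checks.

```python
import re
from typing import Any

# Assumption (not from the page): linked-service types treated here as supporting
# system-assigned managed identity authentication.
MI_CAPABLE_TYPES = {"AzureBlobStorage", "AzureBlobFS", "AzureSqlDatabase",
                    "AzureSqlDW", "AzureDataExplorer"}

# Assumption: typeProperties keys that can carry a credential.
CREDENTIAL_KEYS = {"connectionString", "password", "accountKey", "sasUri",
                   "sasToken", "servicePrincipalKey", "servicePrincipalCredential"}

# Connection-string tokens that mean a secret is embedded in the literal.
SECRET_TOKENS = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesssignature)\s*=")


def classify_credential(key: str, value: Any) -> str:
    """Classify one credential-bearing property as 'keyvault', 'inline' or 'none'."""
    if isinstance(value, dict):
        if value.get("type") == "AzureKeyVaultSecret":
            return "keyvault"   # {"type": "AzureKeyVaultSecret", "store": ..., "secretName": ...}
        return "inline"         # SecureString (or any other object that carries the value itself)
    if isinstance(value, str):
        if key == "connectionString" and not SECRET_TOKENS.search(value):
            return "none"       # e.g. "Data Source=...;Initial Catalog=..." used with MI auth
        return "inline"
    return "none"


def evaluate_linked_service(linked_service: dict, allowed_types: set) -> dict:
    """Return a per-policy verdict for a single linked service definition."""
    props = linked_service["properties"]
    ls_type = props["type"]
    type_props = props.get("typeProperties", {})
    found = {classify_credential(k, type_props[k]) for k in CREDENTIAL_KEYS if k in type_props}
    found.discard("none")
    result = {
        "allow_list": "compliant" if ls_type in allowed_types else "non_compliant",
        "keyvault_secrets": "non_compliant" if "inline" in found else "compliant",
    }
    if ls_type in MI_CAPABLE_TYPES:
        # Any credential at all (inline or Key Vault) means MI is not being used.
        result["managed_identity"] = "compliant" if not found else "non_compliant"
    else:
        result["managed_identity"] = "not_applicable"
    return result


def evaluate_all(linked_services: list, allowed_types: set) -> dict:
    return {ls["name"]: evaluate_linked_service(ls, allowed_types) for ls in linked_services}


# Constructed sample linked services (ARM-style JSON as dicts); not real resources.
SAMPLE_LINKED_SERVICES = [
    {"name": "sql_inline", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": {"type": "SecureString",
                             "value": "Server=tcp:example.database.windows.net;User ID=app;Password=placeholder"}}}},
    {"name": "sql_keyvault", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": {"type": "AzureKeyVaultSecret",
                             "store": {"referenceName": "AKV", "type": "LinkedServiceReference"},
                             "secretName": "sql-conn"}}}},
    {"name": "sql_mi", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": "Data Source=example.database.windows.net;Initial Catalog=db"}}},
    {"name": "blob_mi", "properties": {"type": "AzureBlobStorage", "typeProperties": {
        "serviceEndpoint": "https://example.blob.core.windows.net/"}}},
    {"name": "ftp_inline", "properties": {"type": "FtpServer", "typeProperties": {
        "host": "ftp.example.net", "userName": "u",
        "password": {"type": "SecureString", "value": "placeholder"}}}},
]
# Assumed allow list for the example scope.
ALLOWED_TYPES = {"AzureBlobStorage", "AzureBlobFS", "AzureSqlDatabase", "AzureKeyVault"}

if __name__ == "__main__":
    for name, verdict in evaluate_all(SAMPLE_LINKED_SERVICES, ALLOWED_TYPES).items():
        print(name, verdict)
```

Note the ordering in the managed-identity check: a connection string pulled from Key Vault is still a credential, so it satisfies the Key Vault policy but not the managed-identity one; only a definition with no credential-bearing property at all (service endpoint or a password-free connection string) is treated as using the factory's identity.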

Next steps