Azure Security Baseline for Event Hubs

The Azure Security Baseline for Event Hubs contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: The integration of Event Hubs with virtual network service endpoints enables secure access to messaging capabilities from workloads such as virtual machines that are bound to virtual networks, with the network traffic path being secured on both ends.

Once bound to at least one virtual network subnet service endpoint, the respective Event Hubs namespace no longer accepts traffic from anywhere but authorized subnets in virtual networks. From the virtual network perspective, binding your Event Hubs namespace to a service endpoint configures an isolated networking tunnel from the virtual network subnet to the messaging service.

You can also secure your Azure Event Hubs namespace by using firewalls. Azure Event Hubs supports IP-based access controls for inbound firewall support. You can set firewall rules by using the Azure portal, Azure Resource Manager templates, or through the Azure CLI or Azure PowerShell.

How to use virtual network service endpoints with Azure Event Hubs: https://docs.azure.cn/event-hubs/event-hubs-service-endpoints

Enable Virtual Networks Integration and Firewalls on Event Hubs namespace: https://docs.azure.cn/event-hubs/event-hubs-tutorial-virtual-networks-firewalls

How to configure IP firewall rules for Azure Event Hubs namespaces: https://docs.azure.cn/event-hubs/event-hubs-ip-filtering

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: Use Azure Security Center and follow network protection recommendations to help secure your Event Hubs resources in Azure. If using Azure virtual machines to access your event hubs, enable network security group (NSG) flow logs and send logs into a storage account for traffic audit.

How to Enable NSG Flow Logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

Understanding Network Security provided by Azure Security Center: https://docs.azure.cn/security-center/security-center-network-recommendations

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.4: Deny communications with known malicious IP addresses

Guidance: Enable DDoS Protection Standard on the virtual networks associated with your event hubs to guard against distributed denial-of-service (DDoS) attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious or unused Internet IP addresses.

For more information about the Azure Security Center Integrated Threat Intelligence: https://docs.azure.cn/security-center/security-center-alerts-service-layer

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets and flow logs

Guidance: If using Azure virtual machines to access your event hubs, enable network security group (NSG) flow logs and send logs into a storage account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

If required for investigating anomalous activity, enable Network Watcher packet capture.

How to Enable NSG Flow Logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to Enable and use Traffic Analytics: https://docs.azure.cn/network-watcher/traffic-analytics

How to enable Network Watcher: https://docs.azure.cn/network-watcher/network-watcher-create

Azure Security Center monitoring: Yes

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: If using Azure virtual machines to access your event hubs, select an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. If intrusion detection and/or prevention based on payload inspection is not required for your organization, you may use the built-in firewall feature of Azure Event Hubs. You can limit access to your Event Hubs namespace to a limited range of IP addresses, or a specific IP address, by using firewall rules.

How to add a firewall rule in Event Hubs for a specified IP address:

https://docs.azure.cn/event-hubs/event-hubs-ip-filtering

Azure Security Center monitoring: Not yet available

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources associated with your Azure Event Hubs namespaces with Azure Policy. Use Azure Policy aliases in the "Microsoft.EventHub" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your Event Hubs namespaces. You may also make use of built-in policy definitions related to Azure Event Hubs, such as:

  • Event Hub should use a virtual network service endpoint.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Built-in Policy for Event Hubs namespace: https://docs.azure.cn/governance/policy/samples/built-in-policies#event-hub

Azure Policy samples for networking: https://docs.azure.cn/governance/policy/samples/built-in-policies#network

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for virtual networks and other resources related to network security and traffic flow that are associated with your event hubs.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to Azure Event Hubs. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

How to view and retrieve Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/activity-log-view

How to create alerts in Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Not applicable; Microsoft maintains the time source used for Azure resources, such as Azure Event Hubs, for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: Within Azure Monitor, configure logs related to event hubs within the Activity Log and Event Hubs diagnostic settings to send logs into a Log Analytics workspace to be queried, or into a storage account for long-term archival storage.

How to configure Diagnostic Settings for Azure Event Hubs: https://docs.azure.cn/event-hubs/event-hubs-diagnostic-logs

Understanding Azure Activity Log: https://docs.azure.cn/azure-monitor/platform/platform-logs-overview

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Diagnostic settings for your Azure Event Hubs namespace. There are three categories of Diagnostic settings for Azure Event Hubs: Archive Logs, Operational Logs, and AutoScale Logs. Enable Operational Logs to capture information about what is happening during Event Hubs operations, specifically the operation type (including event hub creation), the resources used, and the status of the operation.

Additionally, you may enable Azure Activity Log diagnostic settings and send them to an Azure Storage Account, an event hub, or a Log Analytics workspace. Activity logs provide insight into the operations that were performed on your Azure Event Hubs and other resources. Using activity logs, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) taken on your Azure Event Hubs namespaces.

How to enable Diagnostic Settings for Azure Event Hubs: https://docs.azure.cn/event-hubs/event-hubs-diagnostic-logs

How to enable Diagnostic Settings for Azure Activity Log: https://docs.azure.cn/azure-monitor/platform/diagnostic-settings-legacy

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations to capture and review event hub-related incidents.

How to set log retention parameters for Log Analytics workspaces: https://docs.azure.cn/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review results related to your event hubs. Use Azure Monitor's Log Analytics to review logs and perform queries on log data.

For more information about the Log Analytics workspace: https://docs.azure.cn/azure-monitor/log-query/get-started-portal

How to perform custom queries in Azure Monitor: https://docs.azure.cn/azure-monitor/log-query/get-started-queries

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activity

Guidance: Within Azure Monitor, configure logs related to Azure Event Hubs within the Activity Log and Event Hubs diagnostic settings to send logs into a Log Analytics workspace to be queried, or into a storage account for long-term archival storage. Use a Log Analytics workspace to create alerts for anomalous activity found in security logs and events.
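The "what, who, and when" triage that 2.3 describes and the alerting that 2.7 and 1.11 ask for, as an added example that is not part of the Azure baseline: it walks constructed Activity Log records, keeps only Event Hubs control-plane writes (mapping the operation suffix to the PUT/POST/DELETE verb), and raises severity for changes to network rules, shared access policies and keys, or deletions, and for any caller outside a constructed allow list. The record shape is simplified; the caller names, timestamps and resource ids are placeholders.

```python
"""Added example (not part of the Azure baseline): triage Azure Activity Log
records for control-plane writes on Event Hubs namespaces and extract the
"what, who, and when" the baseline asks for, flagging changes that affect
network exposure or shared access keys."""
from typing import Dict, List, Set

# Constructed sample records in a simplified Activity Log shape. The
# operationName values follow the Microsoft.EventHub resource provider's
# naming; callers, timestamps and the resource id are placeholders.
NAMESPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-telemetry/providers/Microsoft.EventHub"
                "/namespaces/example-ns")
SAMPLE_ACTIVITY_LOG: List[Dict] = [
    {"operationName": "Microsoft.EventHub/namespaces/read",
     "caller": "alice@example.com", "eventTimestamp": "2024-01-05T08:00:00Z",
     "resourceId": NAMESPACE_ID, "status": "Succeeded"},
    {"operationName": "Microsoft.EventHub/namespaces/eventhubs/write",
     "caller": "deploy-pipeline@example.com", "eventTimestamp": "2024-01-05T08:05:00Z",
     "resourceId": NAMESPACE_ID + "/eventhubs/telemetry", "status": "Succeeded"},
    {"operationName": "Microsoft.EventHub/namespaces/networkrulesets/write",
     "caller": "bob@example.com", "eventTimestamp": "2024-01-05T23:40:00Z",
     "resourceId": NAMESPACE_ID + "/networkrulesets/default", "status": "Succeeded"},
    {"operationName": "Microsoft.EventHub/namespaces/authorizationRules/regenerateKeys/action",
     "caller": "alice@example.com", "eventTimestamp": "2024-01-06T09:00:00Z",
     "resourceId": NAMESPACE_ID + "/authorizationRules/RootManageSharedAccessKey",
     "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "alice@example.com", "eventTimestamp": "2024-01-06T09:10:00Z",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-telemetry/providers/Microsoft.Compute"
                   "/virtualMachines/vm-producer", "status": "Succeeded"},
    {"operationName": "Microsoft.EventHub/namespaces/delete",
     "caller": "bob@example.com", "eventTimestamp": "2024-01-06T23:55:00Z",
     "resourceId": NAMESPACE_ID, "status": "Failed"},
]

# Identities allowed to change Event Hubs configuration (constructed allow list).
APPROVED_CALLERS: Set[str] = {"alice@example.com", "deploy-pipeline@example.com"}

# The trailing segment of an operation name corresponds to the HTTP verb of
# the request that produced it; read operations carry no change and are skipped.
VERB_BY_SUFFIX = {"write": "PUT/PATCH", "action": "POST", "delete": "DELETE"}

# Writes that alter who can reach the namespace or authenticate to it.
HIGH_IMPACT = {
    "microsoft.eventhub/namespaces/networkrulesets/write":
        "firewall or virtual network rules changed",
    "microsoft.eventhub/namespaces/authorizationrules/write":
        "shared access policy created or changed",
    "microsoft.eventhub/namespaces/authorizationrules/regeneratekeys/action":
        "shared access key regenerated",
    "microsoft.eventhub/namespaces/delete": "namespace deletion attempted",
}


def triage_activity_log(records: List[Dict], approved_callers: Set[str]) -> List[Dict]:
    """Return one finding per Event Hubs write operation, in log order."""
    findings = []
    for rec in records:
        op = rec.get("operationName", "").lower()
        if not op.startswith("microsoft.eventhub/"):
            continue  # other resource providers are out of scope here
        verb = VERB_BY_SUFFIX.get(op.rsplit("/", 1)[-1])
        if verb is None:
            continue  # read operations are not changes
        caller = rec.get("caller", "<unknown>")
        severity = "high" if op in HIGH_IMPACT else "medium"
        reasons = [HIGH_IMPACT.get(op, "Event Hubs resource changed")]
        if caller not in approved_callers:
            reasons.append("caller is not an approved change identity")
            severity = "high"
        findings.append({
            "when": rec.get("eventTimestamp"),
            "who": caller,
            "what": f"{verb} {rec['operationName']}",
            "resource": rec.get("resourceId"),
            "status": rec.get("status"),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def alerts(findings: List[Dict]) -> List[Dict]:
    """Subset worth alerting on: high severity, failed attempts included."""
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    for f in triage_activity_log(SAMPLE_ACTIVITY_LOG, APPROVED_CALLERS):
        print(f["severity"].upper(), f["when"], f["who"], f["what"], "; ".join(f["reasons"]))
```

The same classification can be expressed as a Log Analytics alert rule over the AzureActivity table once the Activity Log is routed to a workspace as the guidance above describes.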

Understand the Azure Activity Log: https://docs.azure.cn/azure-monitor/platform/platform-logs-overview

How to configure Diagnostic Settings for Azure Event Hubs: https://docs.azure.cn/event-hubs/event-hubs-diagnostic-logs

How to alert on Log Analytics workspace log data: https://docs.azure.cn/azure-monitor/learn/tutorial-response

Azure Security Center monitoring: Not yet available

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Event Hubs does not process anti-malware logging.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Event Hubs does not process or produce DNS-related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

How to get a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

How to get members of a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Control plane access to Event Hubs is controlled through Azure Active Directory (AD). Azure AD does not have the concept of default passwords.

Data plane access to Event Hubs is controlled through Azure AD with Managed Identities or App registrations, as well as through shared access signatures. Shared access signatures are used by the clients connecting to your event hubs and can be regenerated at any time.

Understand shared access signatures for Event Hubs: https://docs.azure.cn/event-hubs/authenticate-shared-access-signature

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policies, such as:

  • There should be more than one owner assigned to your subscription

  • Deprecated accounts with owner permissions should be removed from your subscription

  • External accounts with owner permissions should be removed from your subscription

How to use Azure Security Center to monitor identity and access (Preview): https://docs.azure.cn/security-center/security-center-identity-access

How to use Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Microsoft Azure provides integrated access control management for resources and applications based on Azure Active Directory (AD). A key advantage of using Azure AD with Azure Event Hubs is that you no longer need to store your credentials in the code. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. The resource name to request a token is https://eventhubs.azure.cn/. Azure AD authenticates the security principal (a user, group, or service principal) running the application. If the authentication succeeds, Azure AD returns an access token to the application, and the application can then use the access token to authorize requests to Azure Event Hubs resources.

How to authenticate an application with Azure AD to access Event Hubs resources: https://docs.azure.cn/event-hubs/authenticate-application

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory Multi-Factor Authentication (MFA) and follow Azure Security Center Identity and Access Management recommendations to help protect your Event Hubs-enabled resources.

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

How to monitor identity and access within Azure Security Center: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use privileged access workstations (PAW) with Multi-Factor Authentication (MFA) configured to log into and configure Event Hubs-enabled resources.

Learn about Privileged Access Workstations: https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Use Azure Active Directory (AD) Privileged Identity Management (PIM) to generate logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure AD risk detections to view alerts and reports on risky user behavior. For additional logging, send Azure Security Center risk detection alerts into Azure Monitor and configure custom alerting/notifications using action groups.

How to deploy Privileged Identity Management (PIM): https://docs.azure.cn/active-directory/privileged-identity-management/pim-deployment-plan

Understand Azure AD risk detections: https://docs.azure.cn/active-directory/reports-monitoring/concept-risk-events

How to configure action groups for custom alerting and notification: https://docs.azure.cn/azure-monitor/platform/action-groups

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

How to configure Named Locations in Azure: https://docs.azure.cn/active-directory/reports-monitoring/quickstart-configure-named-locations

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for Azure resources such as Event Hubs. This allows for role-based access control (RBAC) to administratively sensitive resources.

How to create and configure an Azure AD instance: https://docs.azure.cn/active-directory/fundamentals/active-directory-access-create-new-tenant

To learn how Azure Event Hubs integrates with Azure Active Directory (AAD), see Authorize access to Event Hubs resources using Azure Active Directory: https://docs.azure.cn/event-hubs/authorize-access-azure-active-directory

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (AD) provides logs to help you discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

In addition, regularly rotate your Event Hubs shared access keys and the shared access signatures derived from them.
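Why regenerating a key (3.2) and rotating on a schedule (3.10) matter, as an added example that is not from the Azure documentation: a local implementation of the Event Hubs SAS token format (URL-encoded resource URI, newline, expiry; HMAC-SHA256 under the policy key) alongside a validator that holds a primary and secondary key per policy, so the walkthrough shows a token accepted under its issuing key, still accepted during the overlap window, then rejected once the old key is retired, when it expires, or when its resource is tampered with. The namespace name, policy name and keys are constructed placeholders.

```python
"""Added example (not from the Azure docs): mint and validate Event Hubs-style
shared access signature (SAS) tokens locally, to show why regenerating a
shared access key invalidates every token signed with it and why tokens
should carry a short expiry."""
import base64
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote_plus

# Constructed sample values; the namespace, policy name and keys are placeholders.
RESOURCE_URI = "https://example-ns.servicebus.chinacloudapi.cn/telemetry"
POLICY_NAME = "send-only"


def generate_sas_token(resource_uri: str, policy_name: str, key: str, expiry: int) -> str:
    """Build 'SharedAccessSignature sr=..&sig=..&se=..&skn=..'.
    The signed string is the URL-encoded resource URI, a newline and the
    expiry in seconds since the Unix epoch; the signature is HMAC-SHA256
    over that string under the policy's key, base64- then URL-encoded."""
    encoded_uri = quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = quote_plus(base64.b64encode(digest).decode("ascii"))
    return (f"SharedAccessSignature sr={encoded_uri}&sig={signature}"
            f"&se={expiry}&skn={policy_name}")


def validate_sas_token(token: str, policies: Dict[str, List[str]],
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify a token against the keys currently active for its policy.
    `policies` maps policy name -> accepted keys (primary and secondary), which
    is what makes rotation safe: add the new key, re-issue tokens, retire the
    old key. Returns (accepted, reason)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "not a SAS token"
    fields = parse_qs(token[len(prefix):])
    try:
        sr, sig = fields["sr"][0], fields["sig"][0]
        se, skn = int(fields["se"][0]), fields["skn"][0]
    except (KeyError, ValueError):
        return False, "malformed token"
    if se <= (int(time.time()) if now is None else now):
        return False, "expired"
    keys = policies.get(skn)
    if not keys:
        return False, f"unknown policy {skn!r}"
    string_to_sign = f"{quote_plus(sr)}\n{se}".encode("utf-8")
    for key in keys:
        expected = base64.b64encode(
            hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
        ).decode("ascii")
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            return True, "ok"
    return False, "signature does not match any active key"


def rotation_walkthrough() -> List[Tuple[bool, str]]:
    """Lifecycle of one token: accepted under the issuing key, still accepted
    during the overlap window, rejected once the old key is retired, rejected
    when expired, and rejected when the resource it names is tampered with."""
    old_key, new_key = "constructed-old-key-0001", "constructed-new-key-0002"
    now = 1_700_000_000  # fixed clock so the run is reproducible
    policies = {POLICY_NAME: [old_key]}
    token = generate_sas_token(RESOURCE_URI, POLICY_NAME, old_key, now + 3600)
    verdicts = [validate_sas_token(token, policies, now)]
    policies[POLICY_NAME] = [new_key, old_key]  # rotation step 1: both keys live
    verdicts.append(validate_sas_token(token, policies, now))
    policies[POLICY_NAME] = [new_key]           # rotation step 2: old key retired
    verdicts.append(validate_sas_token(token, policies, now))
    verdicts.append(validate_sas_token(token, {POLICY_NAME: [old_key]}, now + 7200))
    tampered = token.replace("telemetry", "admin")  # sr changed, sig unchanged
    verdicts.append(validate_sas_token(tampered, {POLICY_NAME: [old_key]}, now))
    return verdicts


if __name__ == "__main__":
    for accepted, reason in rotation_walkthrough():
        print("accepted" if accepted else "rejected", reason)
```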

了解 Azure AD 报告: https://docs.azure.cn/active-directory/reports-monitoring/Understand Azure AD reporting: https://docs.azure.cn/active-directory/reports-monitoring/

如何使用 Azure 标识访问评审: https://docs.azure.cn/active-directory/governance/access-reviews-overviewHow to use Azure Identity Access Reviews: https://docs.azure.cn/active-directory/governance/access-reviews-overview

了解事件中心的共享访问签名: https://docs.azure.cn/event-hubs/authenticate-shared-access-signatureUnderstanding shared access signatures for Event Hubs: https://docs.azure.cn/event-hubs/authenticate-shared-access-signature

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:客户Responsibility: Customer

3.11:监视访问已停用帐户的企图3.11: Monitor attempts to access deactivated accounts

指导:你有权访问 Azure Active Directory (AD) 登录活动、审核和风险事件日志源,以便与任何 SIEM/监视工具集成。Guidance: You have access to Azure Active Directory (AD) sign-in activity, audit and risk event log sources, which allow you to integrate with any SIEM/Monitoring tool.

可以通过为 Azure AD 用户帐户创建诊断设置,并将审核日志和登录日志发送到 Log Analytics 工作区,来简化此过程。You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. 可以在 Log Analytics 中配置所需的日志警报。You can configure desired log alerts within Log Analytics.

使用 Azure Active Directory 授予对事件中心资源的访问权限: https://docs.azure.cn/event-hubs/authorize-access-azure-active-directoryAuthorize access to Event Hubs resources using Azure Active Directory: https://docs.azure.cn/event-hubs/authorize-access-azure-active-directory

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags on resources related to your Event Hubs to assist in tracking Azure resources that store or process sensitive information.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Event Hubs namespaces should be separated by virtual network, with service endpoints enabled, and tagged appropriately.

You may also secure your Azure Event Hubs namespace by using firewalls. Azure Event Hubs supports IP-based access controls for inbound firewall support. You can set firewall rules by using the Azure portal, Azure Resource Manager templates, the Azure CLI, or Azure PowerShell.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

Configure IP firewall rules for Azure Event Hubs namespaces: https://docs.azure.cn/event-hubs/event-hubs-ip-filtering

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

How to create a virtual network: https://docs.azure.cn/virtual-network/quick-create-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: When using virtual machines to access your event hubs, make use of virtual networks, service endpoints, the Event Hubs firewall, network security groups, and service tags to mitigate the possibility of data exfiltration.

Microsoft manages the underlying infrastructure for Azure Event Hubs and has implemented strict controls to prevent the loss or exposure of customer data.

Configure IP firewall rules for Azure Event Hubs namespaces: https://docs.azure.cn/event-hubs/event-hubs-ip-filtering

Understand network security groups and service tags: https://docs.azure.cn/virtual-network/security-overview

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Event Hubs. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Azure Event Hubs supports using Azure Active Directory (AD) to authorize requests to Event Hubs resources. With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user or an application service principal.

Understand Azure AD RBAC and the available roles for Azure Event Hubs: https://docs.azure.cn/event-hubs/authorize-access-azure-active-directory

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this guideline is intended for compute resources.

Microsoft manages the underlying infrastructure for Event Hubs and has implemented strict controls to prevent the loss or exposure of customer data.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production instances of Azure Event Hubs and other critical or related resources.

How to create alerts for Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Not applicable; Microsoft performs vulnerability management on the underlying systems that support Azure Event Hubs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; Microsoft performs patch management on the underlying systems that support Event Hubs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

5.3: Deploy automated third-party software patch management solution

Guidance: Not applicable; this benchmark is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; Microsoft performs vulnerability management on the underlying systems that support Azure Event Hubs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Not applicable; Microsoft performs vulnerability management on the underlying systems that support Azure Event Hubs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query and discover all resources (including Azure Event Hubs namespaces) within your subscription(s). Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within them.

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

How to view your Azure subscriptions: https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0

Understand Azure RBAC: https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving them metadata that organizes them logically into a taxonomy.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Event Hubs namespaces and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in your subscription(s), using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

In addition, use Azure Resource Graph to query and discover resources within the subscription(s).

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in your subscription(s), using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to deny a specific resource type with Azure Policy: https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

How to configure Conditional Access to block access to Azure Resource Manager: https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high-risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Azure Event Hubs deployments. Use Azure Policy aliases in the "Microsoft.EventHub" namespace to create custom policies that audit or enforce configurations. You may also make use of built-in policy definitions for Azure Event Hubs such as:

  • Diagnostic logs in Event Hub should be enabled

  • Event Hub should use a virtual network service endpoint

Azure built-in policies for Event Hubs namespaces: https://docs.azure.cn/governance/policy/samples/built-in-policies#event-hub

How to view available Azure Policy aliases: https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer
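The network isolation, tagging and diagnostic-log controls above (4.1, 4.2, 4.3 and the built-in policies in 7.1) can be checked mechanically against an inventory of namespaces. The following script is an added example, not part of this baseline or of any Microsoft tool: it evaluates constructed namespace records (shaped after the Microsoft.EventHub/namespaces/networkRuleSets properties defaultAction, virtualNetworkRules and ipRules) and reports findings keyed by control number. The record shape, the required tag names, the diagnosticLogsEnabled flag and the sample namespaces are assumptions; a real inventory would come from Azure Resource Graph.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed tag taxonomy for the sensitive-data inventory (control 4.1).
REQUIRED_TAGS = ("environment", "dataClassification")
# Allow rules covering more addresses than a /16 are reported as overly broad.
MAX_ALLOWED_RULE_SIZE = 65536


@dataclass(frozen=True)
class Finding:
    control: str    # baseline control number, e.g. "1.1"
    namespace: str  # namespace the finding applies to
    message: str


def check_network(ns: dict) -> List[Finding]:
    """Controls 1.1 / 4.2 / 4.3: the namespace must not accept traffic from all networks."""
    name = ns["name"]
    rs = ns.get("networkRuleSet") or {}
    # A namespace without a rule set behaves as defaultAction=Allow (reachable from anywhere).
    default = rs.get("defaultAction", "Allow")
    vnet_rules = rs.get("virtualNetworkRules", [])
    ip_rules = rs.get("ipRules", [])
    out: List[Finding] = []
    if default != "Deny":
        out.append(Finding("1.1", name, "defaultAction is Allow: every network can reach the "
                           "namespace, and IP or virtual network rules are not enforced"))
        return out  # nothing else matters until the default action is Deny
    if not vnet_rules and not ip_rules:
        out.append(Finding("4.2", name, "defaultAction is Deny with no allow rules; confirm this is intended"))
    for rule in ip_rules:
        net = ipaddress.ip_network(rule["ipMask"], strict=False)
        if rule.get("action", "Allow") == "Allow" and net.num_addresses > MAX_ALLOWED_RULE_SIZE:
            out.append(Finding("4.3", name, f"IP rule {net} is overly broad for an inbound firewall"))
    for rule in vnet_rules:
        if rule.get("ignoreMissingVnetServiceEndpoint", False):
            out.append(Finding("1.1", name, f"subnet rule {rule['subnet']['id']} skipped the service "
                               "endpoint check; verify Microsoft.EventHub is enabled on that subnet"))
    return out


def check_tags(ns: dict) -> List[Finding]:
    """Control 4.1: resources storing or processing sensitive data carry the inventory tags."""
    tags = ns.get("tags") or {}
    return [Finding("4.1", ns["name"], f"missing required tag '{t}'") for t in REQUIRED_TAGS if t not in tags]


def check_diagnostics(ns: dict) -> List[Finding]:
    """Control 7.1 (built-in policy 'Diagnostic logs in Event Hub should be enabled')."""
    if ns.get("diagnosticLogsEnabled"):
        return []
    return [Finding("7.1", ns["name"], "diagnostic logs are not enabled for this namespace")]


def evaluate(namespaces: List[dict]) -> Dict[str, List[Finding]]:
    """Run every check; only namespaces with at least one finding appear in the report."""
    report: Dict[str, List[Finding]] = {}
    for ns in namespaces:
        findings = check_network(ns) + check_tags(ns) + check_diagnostics(ns)
        if findings:
            report[ns["name"]] = findings
    return report


# Constructed sample inventory (not real resources). Property names inside networkRuleSet
# follow the Microsoft.EventHub/namespaces/networkRuleSets ARM schema.
SAMPLE_NAMESPACES = [
    {"name": "ehns-prod-orders",
     "tags": {"environment": "prod", "dataClassification": "confidential"},
     "diagnosticLogsEnabled": True,
     "networkRuleSet": {"defaultAction": "Deny",
                        "virtualNetworkRules": [{"subnet": {"id": "<app-subnet-resource-id>"},
                                                 "ignoreMissingVnetServiceEndpoint": False}],
                        "ipRules": [{"ipMask": "203.0.113.0/24", "action": "Allow"}]}},
    {"name": "ehns-dev-telemetry",
     "tags": {"environment": "dev"},
     "diagnosticLogsEnabled": True,
     "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []}},
    {"name": "ehns-test-legacy",
     "tags": {"environment": "test", "dataClassification": "internal"},
     "diagnosticLogsEnabled": False,
     "networkRuleSet": {"defaultAction": "Deny",
                        "virtualNetworkRules": [{"subnet": {"id": "<legacy-subnet-resource-id>"},
                                                 "ignoreMissingVnetServiceEndpoint": True}],
                        "ipRules": [{"ipMask": "0.0.0.0/0", "action": "Allow"}]}},
]

if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_NAMESPACES).items():
        for f in findings:
            print(f"[{f.control}] {name}: {f.message}")
```

The same findings can be turned into Azure Policy audit rules once the alias names have been confirmed with Get-AzPolicyAlias, which the link above describes.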

7.2: Establish secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Event Hubs resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

For more information about Azure Policy effects: https://docs.azure.cn/governance/policy/concepts/effects

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.6: Securely store custom operating system images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use Azure Policy aliases in the "Microsoft.EventHub" namespace to create custom policies that alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use Azure Policy aliases in the "Microsoft.EventHub" namespace to create custom policies that alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure Event Hubs deployments and related resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Manage Azure secrets securely

Guidance: For Azure virtual machines or web applications running on Azure App Service that are used to access your event hubs, use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure shared access signature management for your Azure Event Hubs deployments. Ensure Key Vault soft-delete is enabled.

Authenticate a managed identity with Azure Active Directory to access Event Hubs resources: https://docs.azure.cn/event-hubs/authenticate-managed-identity?tabs=latest

How to create a Key Vault: https://docs.azure.cn/key-vault/quick-create-portal

How to authenticate to Key Vault: https://docs.azure.cn/key-vault/general/authentication

How to assign a Key Vault access policy: https://docs.azure.cn/key-vault/general/assign-access-policy-portal

Azure Security Center monitoring: Yes

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: For Azure virtual machines or web applications running on Azure App Service that are used to access your event hubs, use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure access to Azure Event Hubs. Ensure Key Vault soft-delete is enabled.

Use Managed Identities to provide Azure services with an automatically managed identity in Azure Active Directory (AD). Managed Identities allow you to authenticate to any service that supports Azure AD authentication, including Azure Key Vault, without any credentials in your code.

Authenticate a managed identity with Azure Active Directory to access Event Hubs resources: https://docs.azure.cn/event-hubs/authenticate-managed-identity?tabs=latest

How to configure Managed Identities: https://docs.azure.cn/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

Azure Security Center monitoring: Yes

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

How to set up Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure App Service); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Pre-scan any content being uploaded to non-compute Azure resources, such as Azure Event Hubs, App Service, Data Lake Storage, Blob Storage, Azure Database for PostgreSQL, etc. Microsoft cannot access your data in these instances.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Cache for Redis); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.3: Validate all backups including customer-managed keys

Guidance: Test restoration of backed-up customer-managed keys.

How to restore key vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Ensure that there are written incident response plans that define the roles of personnel as well as the phases of incident handling and management.

How to configure workflow automations within Azure Security Center: https://docs.azure.cn/security-center/security-center-planning-and-operations-guide

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to alerts to help you prioritize the order in which you attend to each alert, so that when a resource is compromised, you can get to it right away. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps, and revise the plan as needed.

Refer to NIST's publication, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

How to set the Azure Security Center security contact: https://docs.azure.cn/security-center/security-center-provide-security-contact-details

Azure Security Center monitoring: Yes

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1. You can find more information on Microsoft's strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications here: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Yes

Responsibility: Customer

Next steps