Azure Policy security baseline for Azure Security Benchmark

This security baseline applies guidance from the Azure Security Benchmark to Azure Policy. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the compliance domains and security controls defined by the Azure Security Benchmark, together with the related guidance applicable to Azure Policy. Controls not applicable to Azure Policy have been excluded. To see how Azure Policy maps completely to the Azure Security Benchmark, see the full Azure Policy security baseline mapping file.

Azure Policy uses the term Ownership in place of Responsibility. For details on Ownership, see Azure Policy policy definitions and Shared responsibility in the cloud.

Logging and monitoring

For more information, see Security control: Logging and monitoring.

2.3: Enable audit logging for Azure resources

Guidance: Azure Policy operations are recorded in the Azure Activity Log, which is enabled automatically and captures the event source, date, user, timestamp, source address, destination address, and other useful fields.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity and access control

For more information, see Security control: Identity and access control.

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use the Identity and Access Management recommendations in Azure Security Center to monitor the number of administrative accounts.

You can also enable a just-in-time / just-enough-access solution by using Azure AD Privileged Identity Management privileged roles or Azure Resource Manager.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use privileged access workstations (PAWs) with MFA configured to sign in to and configure Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data protection

For more information, see Security control: Data protection.

4.6: Use Role-based access control to control access to resources

Guidance: Use Azure Active Directory role-based access control (RBAC) to control who can read, create, modify, and assign Azure Policy definitions and assignments.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Activity Log to create alerts that fire when Azure Policy definitions, assignments, or exemptions change.
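As an added example covering both 2.3 and 4.9 (not code from the original page or from Azure Policy itself), the Python script below reads a constructed Activity Log export in the shape returned by `az monitor activity-log list -o json`, keeps only completed changes to Azure Policy objects, and renders each one as an alert line. The sample events, subscription ID, callers, and resource names are constructed; the operation names are the Microsoft.Authorization policy operations that an Activity Log alert rule for 4.9 would match on.

```python
import json
from datetime import datetime

# Activity Log operation names that record a change to an Azure Policy object. An Activity
# Log alert rule for 4.9 would match on exactly these operations.
POLICY_CHANGE_OPERATIONS = {
    "Microsoft.Authorization/policyAssignments/write": "policy assignment created or updated",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment deleted",
    "Microsoft.Authorization/policyDefinitions/write": "policy definition created or updated",
    "Microsoft.Authorization/policyDefinitions/delete": "policy definition deleted",
    "Microsoft.Authorization/policySetDefinitions/write": "initiative created or updated",
    "Microsoft.Authorization/policySetDefinitions/delete": "initiative deleted",
    "Microsoft.Authorization/policyExemptions/write": "policy exemption created or updated",
    "Microsoft.Authorization/policyExemptions/delete": "policy exemption deleted",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription ID

# Constructed sample export: four Activity Log entries in the shape returned by
# `az monitor activity-log list -o json`, trimmed to the fields used below. Not real data.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {   # 'Started' and 'Succeeded' entries share a correlationId; only the latter is a change.
        "eventTimestamp": "2024-03-01T09:14:02.000000Z",
        "operationName": {"value": "Microsoft.Authorization/policyAssignments/write"},
        "status": {"value": "Started"},
        "caller": "alice@contoso.com",
        "correlationId": "11111111-1111-1111-1111-111111111111",
        "resourceId": SUB + "/providers/Microsoft.Authorization/policyAssignments/deny-public-ip",
    },
    {
        "eventTimestamp": "2024-03-01T09:14:03.000000Z",
        "operationName": {"value": "Microsoft.Authorization/policyAssignments/write"},
        "status": {"value": "Succeeded"},
        "caller": "alice@contoso.com",
        "correlationId": "11111111-1111-1111-1111-111111111111",
        "resourceId": SUB + "/providers/Microsoft.Authorization/policyAssignments/deny-public-ip",
    },
    {   # An ordinary resource write: logged, but not a policy change.
        "eventTimestamp": "2024-03-01T10:02:41.000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
        "status": {"value": "Succeeded"},
        "caller": "bob@contoso.com",
        "correlationId": "22222222-2222-2222-2222-222222222222",
        "resourceId": SUB + "/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01",
    },
    {   # Exemption created by a service principal; 'caller' is then a GUID rather than a UPN.
        "eventTimestamp": "2024-03-01T11:30:15.000000Z",
        "operationName": {"value": "Microsoft.Authorization/policyExemptions/write"},
        "status": {"value": "Succeeded"},
        "caller": "33333333-3333-3333-3333-333333333333",
        "correlationId": "44444444-4444-4444-4444-444444444444",
        "resourceId": SUB + "/resourceGroups/app-rg/providers/Microsoft.Authorization/policyExemptions/temp-exempt-storage",
    },
])


def policy_change_events(activity_log_json: str) -> list[dict]:
    """Return the completed Azure Policy changes in an Activity Log export, oldest first.

    Only operations in POLICY_CHANGE_OPERATIONS with status Succeeded are kept, so each
    change is reported once even though the log also holds a 'Started' entry for it.
    """
    changes = []
    for entry in json.loads(activity_log_json):
        op = entry.get("operationName", {}).get("value", "")
        if op not in POLICY_CHANGE_OPERATIONS:
            continue
        if entry.get("status", {}).get("value") != "Succeeded":
            continue
        changes.append({
            "time": datetime.fromisoformat(entry["eventTimestamp"].replace("Z", "+00:00")),
            "caller": entry.get("caller", "<unknown>"),
            "operation": op,
            "description": POLICY_CHANGE_OPERATIONS[op],
            "target": entry.get("resourceId", ""),
            "correlationId": entry.get("correlationId", ""),
        })
    changes.sort(key=lambda c: c["time"])
    return changes


def format_alert(change: dict) -> str:
    """Render one change as a single alert line for a ticket or chat notification."""
    return (f"[{change['time'].isoformat()}] {change['description']}: "
            f"{change['target'].rsplit('/', 1)[-1]} by {change['caller']} "
            f"(correlationId {change['correlationId']})")
```

The production equivalent is an Activity Log alert rule in Azure Monitor whose condition is the Administrative category plus one of these operation names. Matching only Succeeded events avoids a duplicate alert from the Started entry that shares the correlationId, and the caller field shows at a glance whether a person or a service principal made the change; failed attempts are worth a separate rule, since a failed delete of a deny assignment is itself a signal.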

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Inventory and asset management

For more information, see Security control: Inventory and asset management.

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources to give them metadata that organizes them logically into a taxonomy. Use the Azure Policy modify effect to report on and enforce compliant, consistent tag governance.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Create an inventory of approved policy definitions and policy assignments according to your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to restrict the types of resources that can be created in your subscriptions.
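As an added example serving both 6.2 and 6.5 (not code from the original page or from Azure Policy itself), the Python below defines two policy definitions in the same JSON shape as the built-in "Add a tag to resources" and "Allowed resource types" policies, with their parameters inlined, and runs constructed resource create requests through a small local evaluator. The evaluator supports only the subset of the policy language these rules use (field, exists, equals, in, not, allOf; effects deny and modify) and is an illustration of how the rules behave, not Azure's evaluation engine. The tag name, the allowed type list, and the sample resources are assumptions.

```python
import copy
import re

# Tag reference in the form tags['name'], the alias form Azure Policy uses for a single tag.
_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")

# 6.2 (modify effect): add a costCenter tag to any resource created without one. Constructed
# in the shape of the built-in "Add a tag to resources" policy with its parameters inlined;
# roleDefinitionIds is the built-in Contributor role the remediation identity needs.
ADD_COSTCENTER_TAG = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "tags['costCenter']", "exists": "false"},
        "then": {"effect": "modify", "details": {
            "roleDefinitionIds": ["/providers/microsoft.authorization/roleDefinitions/"
                                  "b24988ac-6180-42a0-ab88-20f7382dd24c"],
            "operations": [{"operation": "add", "field": "tags['costCenter']",
                            "value": "unassigned"}],
        }},
    },
}

# 6.5 (deny effect): refuse any resource type outside the approved inventory. Constructed
# in the shape of the built-in "Allowed resource types" policy with the list inlined.
ALLOWED_RESOURCE_TYPES = {
    "mode": "All",
    "policyRule": {
        "if": {"not": {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                                               "Microsoft.Network/networkInterfaces",
                                               "Microsoft.Storage/storageAccounts"]}},
        "then": {"effect": "deny"},
    },
}

# Constructed create requests, trimmed to the fields the rules inspect.
SAMPLE_REQUESTS = {
    "vm": {"name": "web01", "type": "Microsoft.Compute/virtualMachines",
           "location": "eastus", "tags": {"costCenter": "CC-1042"}},
    "storage": {"name": "logs001", "type": "Microsoft.Storage/storageAccounts",
                "location": "eastus"},
    "public-ip": {"name": "web01-pip", "type": "Microsoft.Network/publicIPAddresses",
                  "location": "eastus"},
}


def _field(resource: dict, field: str):
    """Resolve a field reference: a top-level property (type, location, name) or tags['x']."""
    m = _TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def _matches(cond: dict, resource: dict) -> bool:
    """Evaluate an 'if' block. String comparisons are case-insensitive, as in Azure Policy."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return value is not None and str(value).lower() in {str(v).lower() for v in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> tuple[str, dict]:
    """Apply one policy definition to a request and return (effect, resource). The effect is
    'none' when the rule does not match; for 'modify' a patched copy is returned and the
    original request is left untouched."""
    rule = policy["policyRule"]
    if not _matches(rule["if"], resource):
        return "none", resource
    effect = rule["then"]["effect"].lower()
    if effect != "modify":
        return effect, resource
    patched = copy.deepcopy(resource)
    if not isinstance(patched.get("tags"), dict):
        patched["tags"] = {}
    for op in rule["then"]["details"]["operations"]:
        tag = _TAG_FIELD.match(op["field"]).group(1)
        if op["operation"] == "add" and tag not in patched["tags"]:
            patched["tags"][tag] = op["value"]        # 'add' never overwrites an existing tag
        elif op["operation"] == "addOrReplace":
            patched["tags"][tag] = op["value"]
    return "modify", patched


def evaluate_request(resource: dict, policies=(ALLOWED_RESOURCE_TYPES, ADD_COSTCENTER_TAG)):
    """Run a create request through the assigned policies in order; a deny stops evaluation."""
    applied = []
    for policy in policies:
        effect, resource = evaluate(policy, resource)
        if effect != "none":
            applied.append(effect)
        if effect == "deny":
            break
    return applied, resource
```

Run against the samples, the VM passes both rules untouched, the storage account is created with costCenter set to "unassigned" (which a compliance report can then surface as a tag that still needs an owner), and the public IP is denied outright because its type is not in the approved list. The real deny effect blocks the ARM request in the same way; the modify effect additionally needs a managed identity holding the role in roleDefinitionIds so that remediation tasks can patch resources that already exist.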

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Next steps