Details of the Azure Security Benchmark Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Azure Security Benchmark. For more information about this compliance standard, see Azure Security Benchmark. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the Azure Security Benchmark controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Azure Security Benchmark Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Network Security

Implement security for internal traffic

ID: Azure Security Benchmark NS-1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0
API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1
Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1
Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 1.0.1
Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that the Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of the Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Deny, Disabled | 1.0.1
Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.0.0
Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here: https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 1.1.0
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0
Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0
Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1
Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0

Connect private networks together

ID: Azure Security Benchmark NS-2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2
Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Audit, Deny, Disabled | 1.0.3
Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2
Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2
Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/machine-learning/how-to-configure-private-link | Audit, Deny, Disabled | 1.1.0
Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1
Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1
Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0
Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0

Establish private network access to Azure services

ID: Azure Security Benchmark NS-3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2
Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2
Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2
Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/machine-learning/how-to-configure-private-link | Audit, Deny, Disabled | 1.1.0
Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1
Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1
Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0
Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0
VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet | Audit, Disabled, Deny | 1.1.0

Protect applications and services from external network attacks

ID: Azure Security Benchmark NS-4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0
Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1
Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 1.0.1
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0

Identity Management

Standardize Azure Active Directory as the central identity and authentication system

ID: Azure Security Benchmark IM-1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Azure services. | AuditIfNotExists, Disabled | 1.0.0
Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0
Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0
Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0

Manage application identities securely and automatically

ID: Azure Security Benchmark IM-2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0
Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0
Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0
Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0

Use strong authentication controls for all Azure Active Directory based access

ID: Azure Security Benchmark IM-4 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
MFA should be enabled on accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0
MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0
MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0

Privileged Access

Protect and limit highly privileged users

ID: Azure Security Benchmark PA-1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |

Follow just enough administration (least privilege principle)

ID: Azure Security Benchmark PA-7 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |

Data Protection

Discover, classify and label sensitive data

ID: Azure Security Benchmark DP-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 3.0.0-preview |

Protect sensitive data

ID: Azure Security Benchmark DP-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, data encryption should be enabled with either a customer-managed or an Azure-managed key. | Audit, Deny, Disabled | 1.0.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 |

Monitor for unauthorized transfer of sensitive data

ID: Azure Security Benchmark DP-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |

Encrypt sensitive information in transit

ID: Azure Security Benchmark DP-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | AuditIfNotExists, Disabled | 2.0.0 |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, deny, disabled | 6.0.0 |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | AuditIfNotExists, Disabled | 1.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |

Encrypt sensitive data at rest

ID: Azure Security Benchmark DP-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, deny, disabled | 1.0.2 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.0.3 |
| Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, data encryption should be enabled with either a customer-managed or an Azure-managed key. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Disk encryption should be applied on virtual machines | Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Deny, Disabled | 1.1.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | AuditIfNotExists, Disabled | 1.0.2 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | AuditIfNotExists, Disabled | 2.0.1 |
| Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.2 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 |

Asset Management

Use only approved Azure services

ID: Azure Security Benchmark AM-3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Use only approved applications in compute resources

ID: Azure Security Benchmark AM-6 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |

Logging and Threat Detection

Enable threat detection for Azure resources

ID: Azure Security Benchmark LT-1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |

Enable threat detection for Azure identity and access management

ID: Azure Security Benchmark LT-2 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |

Enable logging for Azure network activities

ID: Azure Security Benchmark LT-3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Azure Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Azure Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | AuditIfNotExists, Disabled | 2.0.0 |

Enable logging for Azure resources

ID: Azure Security Benchmark LT-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that an activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |

Centralize security log management and analysis

ID: Azure Security Benchmark LT-5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1
Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available, such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1
Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1

Configure log storage retention

ID: Azure Security Benchmark LT-6 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0

Incident Response

Preparation - setup incident notification

ID: Azure Security Benchmark IR-2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1
Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0
Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1

Detection and analysis - create incidents based on high quality alerts

ID: Azure Security Benchmark IR-3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3

Detection and analysis - prioritize incidents

ID: Azure Security Benchmark IR-5 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3

Posture and Vulnerability Management

Sustain secure configurations for Azure services

ID: Azure Security Benchmark PV-2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2
CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0
CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0
CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0
Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Audit, Disabled | 1.0.1
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 6.0.0
Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 6.1.0
Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 6.1.0
Kubernetes cluster containers should run with a read only root file system | Run containers with a read-only root file system to protect against run-time changes that add malicious binaries to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4, which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 6.1.0
Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5, which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, deny, disabled | 3.0.0
Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0

Sustain secure configurations for compute resources

ID: Azure Security Benchmark PV-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display them as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0

Perform software vulnerability assessments

ID: Azure Security Benchmark PV-6 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0
Vulnerabilities on your SQL servers on machine should be remediated | SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0

Rapidly and automatically remediate software vulnerabilities

ID: Azure Security Benchmark PV-7 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0
Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0
Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. | Audit, Disabled | 1.0.2
System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0
System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 4.0.0

Endpoint Security

Use Endpoint Detection and Response (EDR)

ID: Azure Security Benchmark ES-1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3

Use centrally managed modern anti-malware software

ID: Azure Security Benchmark ES-2 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0

Ensure anti-malware software and signatures are updated

ID: Azure Security Benchmark ES-3 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0

Backup and Recovery

Ensure regular automated backups

ID: Azure Security Benchmark BR-1 Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1

Encrypt backup data

ID: Azure Security Benchmark BR-2 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region, providing a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region, providing a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region, providing a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |

Mitigate risk of lost keys

ID: Azure Security Benchmark BR-4 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft-deleted key vaults. No one inside your organization or Azure will be able to purge your key vaults during the soft-delete retention period. | Audit, Deny, Disabled | 1.1.1 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 1.0.2 |

Note

Availability of specific Azure Policy definitions may vary in Azure China Cloud and other national clouds.

Next steps

Additional articles about Azure Policy: