Azure Policy built-in policy definitions

This page is an index of Azure Policy built-in policy definitions.

The name of each built-in links to the policy definition in the Azure portal. Use the link in the Source column to view the source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata. To jump to a specific category, use the menu on the right side of the page. Otherwise, use Ctrl-F to use your browser's search feature.

API Management

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| API Management services should use a virtual network | Virtual network on API Management services of the specified SKU should be enabled. | Audit, Disabled | 1.0.0 |

App Service

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. | AuditIfNotExists, Disabled | 1.0.0 |
| Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Ensure that 'HTTP Version' is the latest, if used to run the Api app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.1.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.1 |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |

Automation

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |

Backup

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1 |

Batch

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Diagnostic logs in Batch accounts should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. | AuditIfNotExists, Disabled | 1.0.0 |

Cache

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Cache for Redis should reside within a virtual network | Azure Cache for Redis has the ability to reside within a virtual network, which is a way for the resource to have a non-public endpoint controlled and managed by the user. | Audit, Deny, Disabled | 1.0.1 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 1.0.0 |

Cognitive Services

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. Each Cognitive Services account with storage should enable data encryption with either a customer-managed or a Microsoft-managed key. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should enable data encryption with customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. | Audit, Deny, Disabled | 1.0.1 |
| Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should use customer owned storage | This policy audits any Cognitive Services account not using customer owned storage. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should use customer owned storage or enable data encryption | This policy audits any Cognitive Services account using neither customer owned storage nor data encryption. Each Cognitive Services account with storage should either use customer owned storage or enable data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Public network access should be disabled for Cognitive Services accounts | This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. | Audit, Deny, Disabled | 1.0.0 |

Compute

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Deny | 1.0.1 |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://docs.azure.cn/site-recovery/. | auditIfNotExists | 1.0.0 |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 |
| Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.0.0 |
| Diagnostic logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without the Microsoft IaaSAntimalware extension deployed. | AuditIfNotExists, Disabled | 1.0.0 |
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
| Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying the latest security patches every month. | deny | 1.0.0 |
| Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Audit, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Container Registry

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Container registries should be encrypted with a customer-managed key (CMK) | Audit container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://docs.azure.cn/container-registry/container-registry-customer-managed-keys. | Audit, Disabled | 1.0.0 |
| Container registries should not allow unrestricted network access | Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or a configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://docs.azure.cn/container-registry/container-registry-access-selected-networks and https://docs.azure.cn/container-registry/container-registry-vnet. | Audit, Disabled | 1.0.0 |

Event Hub

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. | Audit, Deny, Disabled | 1.0.1 |
| Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access. | AuditIfNotExists, Disabled | 1.0.0 |
| Diagnostic logs in Event Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |

General

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use it to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | deny | 1.0.0 |
| Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use it to enforce your geo-compliance requirements. | deny | 1.0.0 |
| Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources, please duplicate this policy and change the 'mode' to 'All'. | deny | 1.0.0 |
| Audit resource location matches resource group location | Audit that the resource location matches its resource group location. | audit | 2.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Audit, Disabled | 2.0.0 |
| Not allowed resource types | This policy enables you to specify the resource types that your organization cannot deploy. | Deny | 1.0.0 |

Key Vault

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing these diagnostic settings is created or updated. | deployIfNotExists | 2.0.0 |
| Diagnostic logs in Key Vault should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Key Vault objects should be recoverable | This policy audits whether key vault objects are not recoverable. The Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. | Audit, Disabled | 1.0.0 |

Logic Apps

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Diagnostic logs in Logic Apps should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |

Monitoring

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.0-preview |
| Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 2.0.0 |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 |
| Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 |
| Audit diagnostic setting | Audit diagnostic setting for selected resource types. | AuditIfNotExists | 1.0.0 |
| Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 |
| Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | audit | 1.0.1 |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for the categories 'write,' 'delete,' and 'action'. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions, including global. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure subscriptions should have a log profile for Activity Log | This policy ensures that a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
为 Linux 虚拟机规模集部署 Dependency AgentDeploy Dependency agent for Linux virtual machine scale sets 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Linux 虚拟机规模集部署 Dependency Agent。Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. 注意:如果规模集 upgradePolicy 设置为“Manual”,你则需要通过对规模集调用升级将扩展应用到集中的所有虚拟机。Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. 在 CLI 中,这将是 az vmss update-instances。In CLI this would be az vmss update-instances. deployIfNotExistsdeployIfNotExists 1.2.11.2.1
为 Linux 虚拟机部署 Dependency AgentDeploy Dependency agent for Linux virtual machines 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,则为 Linux 虚拟机部署 Dependency Agent。Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExistsdeployIfNotExists 1.2.11.2.1
为 Windows 虚拟机规模集部署 Dependency AgentDeploy Dependency agent for Windows virtual machine scale sets 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Windows 虚拟机规模集部署 Dependency Agent。Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. OS 映像列表将随着支持的更新而不断更新。The list of OS images will be updated over time as support is updated. 注意:如果规模集 upgradePolicy 设置为“Manual”,你则需要通过对规模集调用升级将扩展应用到集中的所有虚拟机。Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. 在 CLI 中,这将是 az vmss update-instances。In CLI this would be az vmss update-instances. deployIfNotExistsdeployIfNotExists 1.2.11.2.1
为 Windows 虚拟机部署 Dependency AgentDeploy Dependency agent for Windows virtual machines 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,则为 Windows 虚拟机部署 Dependency Agent。Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. OS 映像列表将随着支持的更新而不断更新。The list of OS images will be updated over time as support is updated. deployIfNotExistsdeployIfNotExists 1.2.11.2.1
将 Batch 帐户的诊断设置部署到事件中心Deploy Diagnostic Settings for Batch Account to Event Hub 在创建或更新缺少 Batch 帐户的诊断设置的任何 Batch 帐户时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将 Batch 帐户的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Batch Account to Log Analytics workspace 在创建或更新缺少 Batch 帐户的诊断设置的任何 Batch 帐户时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
将 Data Lake Analytics 的诊断设置部署到事件中心Deploy Diagnostic Settings for Data Lake Analytics to Event Hub 在创建或更新缺少 Data Lake Analytics 的诊断设置的任何 Data Lake Analytics 时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将 Data Lake Analytics 的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace 创建或更新缺少此诊断设置的任何 Data Lake Analytics 时,部署 Data Lake Analytics 的诊断设置以流式传输到区域 Log Analytics 工作区。Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
将 Data Lake Storage Gen1 的诊断设置部署到事件中心Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub 在创建或更新缺少 Data Lake Storage Gen1 的诊断设置的任何 Data Lake Storage Gen1 时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将 Data Lake Storage Gen1 的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace 创建或更新缺少此诊断设置的任何 Data Lake Storage Gen1 时,部署 Data Lake Storage Gen1 的诊断设置以流式传输到区域 Log Analytics 工作区。Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
将事件中心的诊断设置部署到事件中心Deploy Diagnostic Settings for Event Hub to Event Hub 在创建或更新缺少事件中心的诊断设置的任何事件中心时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.1.02.1.0
将事件中心的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Event Hub to Log Analytics workspace 在创建或更新缺少事件中心的诊断设置的任何事件中心时,将此诊断设置流式部署到 Log Analytics 工作区。Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.1.01.1.0
将 Key Vault 的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Key Vault to Log Analytics workspace 在创建或更新缺少 Key Vault 的诊断设置的 Key Vault 时,将此诊断设置流式部署到 Log Analytics 工作区。Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
将逻辑应用的诊断设置部署到事件中心Deploy Diagnostic Settings for Logic Apps to Event Hub 在创建或更新缺少逻辑应用的诊断设置的任何逻辑应用时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将逻辑应用的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace 在创建或更新缺少逻辑应用的诊断设置的任何逻辑应用时,将此诊断设置流式部署到 Log Analytics 工作区。Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
为网络安全组部署诊断设置Deploy Diagnostic Settings for Network Security Groups 此策略自动将诊断设置部署到网络安全组。This policy automatically deploys diagnostic settings to network security groups. 将自动创建名为“{storagePrefixParameter}{NSGLocation}”的存储帐户。A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExistsdeployIfNotExists 1.0.01.0.0
将搜索服务的诊断设置部署到事件中心Deploy Diagnostic Settings for Search Services to Event Hub 在创建或更新缺少搜索服务的诊断设置的任何搜索服务时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将搜索服务的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Search Services to Log Analytics workspace 在创建或更新缺少搜索服务的诊断设置的任何搜索服务时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
将服务总线的诊断设置部署到事件中心Deploy Diagnostic Settings for Service Bus to Event Hub 在创建或更新缺少服务总线的诊断设置的任何服务总线时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将服务总线的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Service Bus to Log Analytics workspace 在创建或更新缺少服务总线的诊断设置的任何服务总线时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
将流分析的诊断设置部署到事件中心Deploy Diagnostic Settings for Stream Analytics to Event Hub 在创建或更新缺少流分析的诊断设置的任何流分析时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0
将流分析的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace 在创建或更新缺少流分析的诊断设置的任何流分析时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0
为 Linux 虚拟机规模集部署 Log Analytics 代理Deploy Log Analytics agent for Linux virtual machine scale sets 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Linux 虚拟机规模集部署 Log Analytics 代理。Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. 注意:如果规模集 upgradePolicy 设置为“Manual”,则需要通过对规模集调用升级将扩展应用到集中的所有 VM。Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 在 CLI 中,此命令为 az vmss update-instances。In CLI this would be az vmss update-instances. deployIfNotExistsdeployIfNotExists 1.0.11.0.1
为 Linux VM 部署 Log Analytics 代理Deploy Log Analytics agent for Linux VMs 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Linux VM 部署 Log Analytics 代理。Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExistsdeployIfNotExists 1.0.11.0.1
为 Windows 虚拟机规模集部署 Log Analytics 代理Deploy Log Analytics agent for Windows virtual machine scale sets 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Windows 虚拟机规模集部署 Log Analytics 代理。Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. OS 映像列表将随着支持的更新而不断更新。The list of OS images will be updated over time as support is updated. 注意:如果规模集 upgradePolicy 设置为“手动”,则需要通过对 VM 调用升级将扩展应用到集中的所有 VM。Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 在 CLI 中,此命令为 az vmss update-instances。In CLI this would be az vmss update-instances. deployIfNotExistsdeployIfNotExists 1.0.11.0.1
为 Windows VM 部署 Log Analytics 代理Deploy Log Analytics agent for Windows VMs 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Windows VM 部署 Log Analytics 代理。Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. OS 映像列表将随着支持的更新而不断更新。The list of OS images will be updated over time as support is updated. deployIfNotExistsdeployIfNotExists 1.0.11.0.1
应在 Linux 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Linux virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应在 Windows 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Windows virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
必须使用 BYOK 对包含具有活动日志的容器的存储帐户进行加密Storage account containing the container with activity logs must be encrypted with BYOK 此策略审核是否已使用 BYOK 对包含具有活动日志的容器的存储帐户进行加密。This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. 仅当存储帐户在设计上依赖于与活动日志相同的订阅时,此策略才起作用。The policy works only if the storage account lies on the same subscription as activity logs by design. 有关 Azure 存储静态加密的详细信息,请参阅 https://docs.azure.cn/storage/common/storage-encryption-keys-portalMore information on Azure Storage encryption at rest can be found here https://docs.azure.cn/storage/common/storage-encryption-keys-portal. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在虚拟机规模集上安装 Log Analytics 代理The Log Analytics agent should be installed on Virtual Machine Scale Sets 此策略审核是否有任何 Windows/Linux 虚拟机规模集未安装 Log Analytics 代理。This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在虚拟机上安装 Log Analytics 代理The Log Analytics agent should be installed on virtual machines 此策略审核是否有任何 Windows/Linux 虚拟机未安装 Log Analytics 代理。This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0

Network

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://docs.azure.cn/vpn-gateway/vpn-gateway-about-compliance-crypto#what-are-the-algorithms-and-key-strengths-supported-in-the-custom-policy | Audit, Disabled | 1.0.0
App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0
Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use the 'basic' SKU. | Audit, Disabled | 1.0.0
Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group. It allows logging information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | deployIfNotExists | 1.0.0
Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure the existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0
Flow log should be configured for every network security group | Audits network security groups to verify whether a flow log resource is configured. Flow logs allow logging information about IP traffic flowing through a network security group. They can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | audit | 1.0.0
Gateway subnets should not be configured with a network security group | This policy denies the request if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. The IP forwarding setting disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | deny | 1.0.0
Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems with an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. | auditIfNotExists | 1.0.0
RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Audit, Disabled | 2.0.0
Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0
SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Audit, Disabled | 2.0.0
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0
Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0
Search

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Diagnostic logs in Search services should be enabled | Audits enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0

Security Center

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
[Preview]: Pod Security Policies should be defined on Kubernetes Services | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permission to access. | Audit, Disabled | 1.0.0-preview
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 2.0.0
A security contact email address should be provided for your subscription | Enter an email address to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0
A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0
Access through Internet facing endpoint should be restricted | Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | AuditIfNotExists, Disabled | 2.0.0
Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 2.0.0
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 2.0.0
Advanced data security should be enabled on Azure SQL Database servers | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.1
Advanced threat protection should be enabled on Virtual Machines | Advanced threat protection provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.2
Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 2.0.0
Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription | Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data. | AuditIfNotExists, Disabled | 1.0.0
Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 2.0.0
Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 2.0.0
Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 2.0.0
Disk encryption should be applied on virtual machines | Virtual machines without disk encryption enabled will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0
Email notification for high severity alerts should be enabled | Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks. | AuditIfNotExists, Disabled | 1.0.0
Email notification to subscription owner for high severity alerts should be enabled | Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion. | AuditIfNotExists, Disabled | 1.0.0
Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard) will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | deployIfNotExists | 1.0.0
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | DeployIfNotExists, Disabled | 1.0.0
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using the ASC default workspace. | DeployIfNotExists, Disabled | 1.0.0
Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0
External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0
External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0
External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0
应禁用虚拟机上的 IP 转发IP Forwarding on your virtual machine should be disabled 在虚拟机的 NIC 上启用 IP 转发可让该计算机接收发往其他目标的流量。Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 极少需要启用 IP 转发(例如,将 VM 用作网络虚拟设备时),因此,此策略应由网络安全团队评审。IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
Kubernetes 服务应升级到不易受攻击的 Kubernetes 版本Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version 将 Kubernetes 服务群集升级到更高 Kubernetes 版本,以抵御当前 Kubernetes 版本中的已知漏洞。Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Kubernetes 版本 1.11.9+、1.12.7+、1.13.5+ 和 1.14.0+ 中已修补漏洞 CVE-2019-9946Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit、DisabledAudit, Disabled 1.0.21.0.2
应在计算机上解决 Log Analytics 代理运行状况问题Log Analytics agent health issues should be resolved on your machines 安全中心使用 Log Analytics 代理,它之前被称为 Microsoft Monitoring Agent (MMA)。Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 为了确保成功监视虚拟机,需要确保此代理安装在虚拟机上,并能正确地将安全事件收集到配置的工作区中。To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在虚拟机上,用于 Azure 安全中心监视Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 此策略审核是否有任何 Windows/Linux 虚拟机 (VM) 没有安装安全中心用于监视安全漏洞和威胁的 Log Analytics 代理This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在虚拟机规模集上,用于 Azure 安全中心监视Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 安全中心从 Azure 虚拟机 (VM) 收集数据,以监视安全漏洞和威胁。Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应通过即时网络访问控制来保护虚拟机的管理端口Management ports of virtual machines should be protected with just-in-time network access control 建议通过 Azure 安全中心监视可能的网络适时 (JIT) 访问Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应关闭虚拟机上的管理端口Management ports should be closed on your virtual machines 打开远程管理端口会使 VM 暴露在较高级别的 Internet 攻击风险之下。Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 此类攻击试图暴力破解凭据,来获取对计算机的管理员访问权限。These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应对订阅中拥有写入权限的帐户启用 MFAMFA should be enabled accounts with write permissions on your subscription 为了防止帐户或资源出现违规问题,应为所有拥有写入特权的订阅帐户启用多重身份验证 (MFA)。Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在对订阅拥有所有者权限的帐户上启用 MFAMFA should be enabled on accounts with owner permissions on your subscription 为了防止帐户或资源出现违规问题,应为所有拥有所有者权限的订阅帐户启用多重身份验证 (MFA)。Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在对订阅拥有读取权限的帐户上启用 MFAMFA should be enabled on accounts with read permissions on your subscription 为了防止帐户或资源出现违规问题,应为所有拥有读取特权的订阅帐户启用多重身份验证 (MFA)。Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
监视 Azure 安全中心 Endpoint Protection 的缺失情况Monitor missing Endpoint Protection in Azure Security Center 建议通过 Azure 安全中心监视未安装 Endpoint Protection 代理的服务器Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
操作系统版本应为云服务角色支持的最新版本Operating system version should be the most current version for your cloud service roles 通过将操作系统 (OS) 保持为云服务角色支持的最新版本,可增强系统安全态势。Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在 Kubernetes 服务中使用基于角色的访问控制 (RBAC)Role-Based Access Control (RBAC) should be used on Kubernetes Services 若要对用户可以执行的操作提供粒度筛选,请使用基于角色的访问控制 (RBAC) 来管理 Kubernetes 服务群集中的权限并配置相关授权策略。To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit、DisabledAudit, Disabled 1.0.21.0.2
应选择安全中心标准定价层Security Center standard pricing tier should be selected 标准定价层为网络和虚拟机启用威胁检测,在 Azure 安全中心提供威胁情报、异常检测和行为分析The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Audit、DisabledAudit, Disabled 1.0.01.0.0
应对 SQL 数据库中的敏感数据进行分类Sensitive data in your SQL databases should be classified Azure 安全中心监视 SQL 数据库的数据发现和分类扫描结果,并建议将数据库中的敏感数据分类以改善监视效果并提升安全性Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview
应使用服务主体(而不是管理证书)来保护你的订阅Service principals should be used to protect your subscriptions instead of management certificates 通过管理证书,任何使用它们进行身份验证的人员都可管理与它们关联的订阅。Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 为了更安全地管理订阅,建议将服务主体和资源管理器结合使用来限制证书泄露所造成的影响。To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
子网应与网络安全组关联Subnets should be associated with a Network Security Group 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范子网遭受潜在威胁。Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSG 包含一系列访问控制列表 (ACL) 规则,这些规则可以允许或拒绝流向子网的网络流量。NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应在虚拟机规模集上安装系统更新System updates on virtual machine scale sets should be installed 审核是否缺少系统安全更新和关键更新,为了确保 Windows 和 Linux 虚拟机规模集的安全,应安装这些更新。Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在计算机上安装系统更新System updates should be installed on your machines 建议通过 Azure 安全中心监视服务器上缺失的安全系统更新Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应为订阅分配了多个所有者There should be more than one owner assigned to your subscription 建议指定多个订阅所有者,这样才会有管理员访问冗余。It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修正 Azure 容器注册表映像中的漏洞Vulnerabilities in Azure Container Registry images should be remediated 容器映像漏洞评估功能会扫描注册表中每个推送的容器映像上的安全漏洞,并显示每个映像的详细发现结果(由 Qualys 支持)。Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). 修复这些漏洞可以极大改善容器的安全状况,并保护其不受攻击影响。Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应修正容器安全配置中的漏洞Vulnerabilities in container security configurations should be remediated 在安装了 Docker 的计算机上审核安全配置中的漏洞,并在 Azure 安全中心显示为建议。Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复计算机上安全配置中的漏洞Vulnerabilities in security configuration on your machines should be remediated 建议通过 Azure 安全中心监视不满足配置的基线的服务器Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复虚拟机规模集上安全配置中的漏洞Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 审核虚拟机规模集上的 OS 漏洞,以保护其免受攻击。Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复 SQL 数据库中的漏洞Vulnerabilities on your SQL databases should be remediated 监视漏洞评估扫描结果并提供如何补救数据库漏洞的相关建议。Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应通过漏洞评估解决方案修复漏洞Vulnerabilities should be remediated by a Vulnerability Assessment solution 建议在 Azure 安全中心监视漏洞评估解决方案检测到的漏洞和没有漏洞评估解决方案的 VM。Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0

Service Bus

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. | Audit, Deny, Disabled | 1.0.1
Diagnostic logs in Service Bus should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0

Service Fabric

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Deny, Disabled | 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0

SQL

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1
Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.0
An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0
Azure SQL Database should have the minimal TLS version of 1.2 | Setting the minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Disabled | 1.0.0
Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0
Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | DeployIfNotExists | 1.0.0
Deploy Auditing on SQL servers | This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. | DeployIfNotExists | 1.0.0
Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub whenever an Azure SQL Database that is missing these diagnostic settings is created or updated. | DeployIfNotExists | 1.1.0
Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases. | DeployIfNotExists | 1.0.0
Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | DeployIfNotExists | 1.0.0
Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0
Enforce SSL connection should be enabled for MySQL database servers | This policy audits any MySQL server that is not enforcing SSL connections. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0
Enforce SSL connection should be enabled for PostgreSQL database servers | This policy audits any PostgreSQL server that is not enforcing SSL connections. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0
Geo-redundant backup should be enabled for Azure Database for MariaDB | This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0
Geo-redundant backup should be enabled for Azure Database for MySQL | This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0
Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0
Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0
Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_duration setting enabled. | AuditIfNotExists, Disabled | 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 1.0.0
MariaDB server should use a virtual network service endpoint | This policy audits MariaDB servers not configured to use a virtual network service endpoint. For more details, visit https://docs.azure.cn/mariadb/concepts-data-access-security-vnet. | AuditIfNotExists, Disabled | 1.0.1
MySQL server should use a virtual network service endpoint | This policy audits MySQL servers not configured to use a virtual network service endpoint. For more details, visit https://docs.azure.cn/mysql/concepts-data-access-and-security-vnet. | AuditIfNotExists, Disabled | 1.0.1
PostgreSQL server should use a virtual network service endpoint | This policy audits PostgreSQL servers not configured to use a virtual network service endpoint. For more details, visit https://docs.azure.cn/postgresql/concepts-data-access-and-security-vnet. | AuditIfNotExists, Disabled | 1.0.1
SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure thorough audit logging. | AuditIfNotExists, Disabled | 1.0.0
SQL Database should avoid using GRS backup redundancy | Databases should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Deny, Disabled | 1.0.0
SQL Managed Instance should have the minimal TLS version of 1.2 | Setting the minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Disabled | 1.0.0
SQL Managed Instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.1
SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Deny, Disabled | 1.0.0
SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0
SQL servers should be configured with auditing retention days greater than 90 days. | Audit SQL servers configured with an auditing retention period of less than 90 days. | AuditIfNotExists, Disabled | 1.0.0
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | AuditIfNotExists | 1.0.0
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | AuditIfNotExists, Disabled | 1.0.0
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0

Storage

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Allowed storage account SKUs | This policy enables you to specify a set of storage account SKUs that your organization can deploy. | Deny | 1.0.0
Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Audit, Disabled | 1.0.0
Secure transfer to storage accounts should be enabled | Audit the requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0
Storage account should use a private link connection | Private links enforce secure communication by providing private connectivity to the storage account. | AuditIfNotExists, Disabled | 1.0.0
Storage account should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.0
Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0
Storage accounts should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.0
Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method to IP-based filtering. Disallowing IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.0

Stream Analytics

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Diagnostic logs in Azure Stream Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.0 |

Tags

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
| Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | modify | 1.0.0 |
| Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | modify | 1.0.0 |
| Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | modify | 1.0.0 |
| Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | append | 1.0.0 |
| Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | append | 1.0.0 |
| Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | append | 1.0.1 |
| Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 |
| Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
| Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 |
| Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
| Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 |
| Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.1 |
| Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0 |
| Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | deny | 1.0.1 |

Next steps