Azure Resource Graph security baseline for Azure Security Benchmark

This security baseline applies guidance from the Azure Security Benchmark to Azure Resource Graph. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Resource Graph. Controls not applicable to Azure Resource Graph have been excluded. To see how Azure Resource Graph completely maps to the Azure Security Benchmark, see the full Azure Virtual Network security baseline mapping file.

Identity and access control

For more information, see Security control: Identity and access control.

3.10: Regularly review and reconcile user access

Guidance: Azure Resource Graph provides access to resource types and properties based on Azure role-based access control (Azure RBAC). Audit and review the access granted to security principals (users, groups, and service accounts) on a regular basis to make sure that queries return results only for the appropriate resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

Data protection

For more information, see Security control: Data protection.

4.6: Use role-based access control to control access to resources

Guidance: Use role-based access control (RBAC) to control access to data and resources. To use Azure Resource Graph, you must also have appropriate access to the resources you want to query. This access should be scoped to read only and granted only to the personnel who require it.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Inventory and asset management

For more information, see Security control: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query and discover all supported resources within your subscriptions, management groups, and tenants. Ensure you have appropriate permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within them.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs. Use Azure Resource Graph to query for approved Azure resources, and use Change History (preview) to review snapshots and see what changed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Resource Graph to query and discover resources in your subscriptions, management groups, and tenants. Make sure that all Azure resources in the environment are approved.
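The following Resource Graph query is an added example for controls 6.4 and 6.5, not part of the baseline itself: it lists every resource whose type is not on an approved list so that unapproved resources can be reviewed. The approved-type list is a constructed assumption; replace it with your organization's own inventory of approved resource types.

```kusto
// Added example (not from the baseline). The approved types below are a
// constructed placeholder list; substitute your organization's approved inventory.
Resources
| where type !in~ (
    "microsoft.compute/virtualmachines",
    "microsoft.storage/storageaccounts",
    "microsoft.network/virtualnetworks",
    "microsoft.keyvault/vaults"
)
// Attach the subscription display name so reviewers can see where each
// unapproved resource lives without looking up subscription IDs.
| join kind=leftouter (
    ResourceContainers
    | where type =~ "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
) on subscriptionId
| project subscriptionName, resourceGroup, name, type, location, tags
| order by subscriptionName asc, type asc, name asc
```

Changing `!in~` to `in~` turns the same query into the approved-resource inventory for control 6.4; run it with a read-only identity, as control 4.6 recommends.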

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Next steps