Azure Security Baseline for Key Vault

The Azure Security Baseline for Key Vault contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Integrate Azure Key Vault with Azure Private Link.

Azure Private Link Service enables you to access Azure services (for example, Azure Key Vault) and Azure-hosted customer/partner services over a Private Endpoint in your virtual network.

An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure from the public Internet. You can connect to an instance of an Azure resource, giving you the highest level of granularity in access control.

How to integrate Key Vault with Azure Private Link:

https://docs.azure.cn/key-vault/private-link-service

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: Use Azure Security Center and follow network protection recommendations to help secure your Key Vault-configured resources in Azure.

For more information about the network security provided by Azure Security Center:

https://docs.azure.cn/security-center/security-center-network-recommendations

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.5: Record network packets and flow logs

Guidance: Azure Key Vault does not use network security groups (NSGs), and flow logs for Azure Key Vault are not captured. Instead, use Azure Private Link to secure your Azure Key Vault instances and enable diagnostic settings to record metrics and audit events.

Integrate Key Vault with Azure Private Link:

https://docs.azure.cn/key-vault/private-link-service

Azure Key Vault logging: https://docs.azure.cn/key-vault/key-vault-logging

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: This requirement can be met by configuring advanced threat protection (ATP) for Azure Key Vault. ATP provides an additional layer of security intelligence. This tool detects potentially harmful attempts to access or exploit Azure Key Vault accounts.

When Azure Security Center detects anomalous activity, it displays alerts. It also emails the subscription administrator with details of the suspicious activity and recommendations for how to investigate and remediate the identified threats.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources that need access to your Azure Key Vault instances, use Azure service tags for Azure Key Vault to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Azure service tags overview: https://docs.azure.cn/virtual-network/service-tags-overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources associated with your Azure Key Vault instances with Azure Policy. Use Azure Policy aliases in the "Microsoft.KeyVault" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your Azure Key Vault instances. You may also make use of built-in policy definitions related to Azure Key Vault, such as:

Key Vault should use a virtual network service endpoint

Tutorial: Create and manage policies to enforce compliance:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Policy samples:

https://docs.azure.cn/governance/policy/samples

Azure Security Center monitoring: Not applicable

Responsibility: Customer
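
The custom-policy approach from 1.9, as an added example that is not part of the baseline or Microsoft's own samples: it audits vaults whose firewall default action is not Deny using the Microsoft.KeyVault/vaults/networkAcls.defaultAction alias. It assumes Az.Resources and Az.PolicyInsights in a signed-in session; the policy name and subscription-level scope are placeholders.

```powershell
# Added example (not from the baseline): define and assign a custom Azure Policy that audits
# Key Vault instances whose network rule set still defaults to Allow, i.e. reachable from any
# public IP with a valid token. Requires Az.Resources and Az.PolicyInsights (assumption) and a
# signed-in session (Connect-AzAccount). Names and scope below are placeholders.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"   # assumption: assign at subscription scope

# Policy rule: flag vaults that are not configured to deny public network access by default.
# 'audit' only reports non-compliance; change the effect to 'deny' once existing vaults are fixed.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
      {
        "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
        "notEquals": "Deny"
      }
    ]
  },
  "then": { "effect": "audit" }
}
'@

$definition = New-AzPolicyDefinition `
    -Name "audit-keyvault-public-network-access" `
    -DisplayName "Key Vault firewall default action should be Deny" `
    -Description "Audits Key Vaults that accept traffic from any network by default." `
    -Policy $policyRule `
    -Mode Indexed

New-AzPolicyAssignment `
    -Name "audit-keyvault-public-network-access" `
    -Scope $scope `
    -PolicyDefinition $definition | Out-Null

# After the next compliance evaluation, list the vaults the policy flagged so they can be
# remediated (or justified and exempted) one by one.
Get-AzPolicyState -PolicyDefinitionName $definition.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Compliance results appear only after the policy engine's next evaluation cycle, so an empty list immediately after assignment does not mean every vault is compliant.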

1.10: Document traffic configuration rules

Guidance: Use tags for resources related to network security and traffic flow for your Azure Key Vault instances to provide metadata and logical organization.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Use tags to organize your Azure resources:

https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to your Azure Key Vault instances. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

View and retrieve Azure Activity Log events:

https://docs.azure.cn/azure-monitor/platform/activity-log-view

Create, view, and manage activity log alerts by using Azure Monitor:

https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Not applicable; Microsoft maintains the time source used for Azure resources, such as Azure Key Vault, for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: Ingest logs via Azure Monitor to aggregate security data generated by Azure Key Vault. Within Azure Monitor, use an Azure Log Analytics workspace to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

Azure Key Vault logging:

https://docs.azure.cn/key-vault/key-vault-logging

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable diagnostic settings on your Azure Key Vault instances for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Azure Key Vault logging:

https://docs.azure.cn/key-vault/key-vault-logging

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, for the Log Analytics workspace being used to hold your Azure Key Vault logs, set the retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

Change the data retention period: https://docs.azure.cn/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Azure Security Center monitoring: Not applicable

Responsibility: Customer
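
The steps in 2.2, 2.3 and 2.5 carried out together, as an added example that is not code from the baseline: it sends the vault's AuditEvent category to a Log Analytics workspace and to a storage account for archival, then sets workspace retention. It assumes Az.KeyVault, Az.OperationalInsights, Az.Storage and an Az.Monitor version that still ships Set-AzDiagnosticSetting; all resource names and the 365-day figure are placeholders.

```powershell
# Added example (not from the baseline): turn on Key Vault audit logging to a Log Analytics
# workspace and a storage account, then set the workspace retention period.
# Assumptions: Az.KeyVault, Az.OperationalInsights, Az.Storage, and an Az.Monitor version that
# provides Set-AzDiagnosticSetting / Get-AzDiagnosticSetting. Names are placeholders.

$rg        = "rg-security-logs"
$vaultName = "kv-example-prod"
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-security"
$storage   = Get-AzStorageAccount -ResourceGroupName $rg -Name "stsecurityarchive"
$vault     = Get-AzKeyVault -VaultName $vaultName

# AuditEvent is the Key Vault log category that records every data-plane request:
# caller identity, object URI, caller IP and result code. This is what 2.6/2.7 alerts run on.
Set-AzDiagnosticSetting `
    -ResourceId $vault.ResourceId `
    -Name "kv-audit-to-law" `
    -WorkspaceId $workspace.ResourceId `
    -Category AuditEvent `
    -Enabled $true | Out-Null

# Second setting on the same vault: archive the same category to a storage account for
# long-term retention (2.5). Retention here applies to the storage-account copy only.
Set-AzDiagnosticSetting `
    -ResourceId $vault.ResourceId `
    -Name "kv-audit-to-archive" `
    -StorageAccountId $storage.Id `
    -Category AuditEvent `
    -Enabled $true `
    -RetentionEnabled $true `
    -RetentionInDays 365 | Out-Null

# Workspace retention is a workspace property, not a diagnostic-setting property.
# 365 is a placeholder; use the period your compliance regime requires.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace.Name `
    -RetentionInDays 365 | Out-Null

# Verify what is now configured on the vault: both settings, AuditEvent enabled on each.
Get-AzDiagnosticSetting -ResourceId $vault.ResourceId |
    Select-Object Name, WorkspaceId, StorageAccountId,
        @{ n = 'EnabledLogs'; e = { ($_.Logs | Where-Object Enabled | ForEach-Object Category) -join ',' } }
```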

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review results for your Azure Key Vault-protected resources. Use Azure Monitor's Log Analytics workspace to review logs and perform queries on log data. Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

Get started with Log Analytics in Azure Monitor:

https://docs.azure.cn/azure-monitor/log-query/get-started-portal

Get started with log queries in Azure Monitor:

https://docs.azure.cn/azure-monitor/log-query/get-started-queries

Azure Security Center monitoring: Yes

Responsibility: Customer

2.7: Enable alerts for anomalous activity

Guidance: In Azure Security Center, enable advanced threat protection (ATP) for Key Vault. Enable diagnostic settings in Azure Key Vault and send logs to a Log Analytics workspace. Onboard your Log Analytics workspace to Azure Sentinel, as it provides a security orchestration automated response (SOAR) solution. This allows playbooks (automated solutions) to be created and used to remediate security issues.

Manage and respond to security alerts in Azure Security Center:

https://docs.azure.cn/security-center/security-center-managing-and-responding-alerts

Respond to events with Azure Monitor Alerts:

https://docs.azure.cn/azure-monitor/learn/tutorial-response

Azure Security Center monitoring: Yes

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Azure Key Vault does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Azure Key Vault does not process or produce DNS related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain an inventory of your Azure Active Directory-registered applications, as well as any user accounts that have access to your Azure Key Vault keys, secrets, and certificates. You may use either the Azure portal or PowerShell to query and reconcile Key Vault access. To view access in PowerShell, use the following command:

(Get-AzResource -ResourceId [KeyVaultResourceID]).Properties.AccessPolicies

Registering an application with Azure Active Directory:

https://docs.azure.cn/key-vault/key-vault-manage-with-cli2#registering-an-application-with-azure-active-directory

Secure access to a key vault:

https://docs.azure.cn/key-vault/key-vault-secure-your-key-vault

Azure Security Center monitoring: Yes

Responsibility: Customer
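
The one-vault command above extended to a subscription-wide inventory, as an added example that is not part of the baseline: it lists every access policy on every vault, resolves object IDs to a user or service principal, and flags grants a reviewer would want justified. It assumes Az.KeyVault and Az.Resources in a signed-in session; the list of "broad" permissions and the CSV path are assumptions.

```powershell
# Added example (not from the baseline): inventory every access policy on every Key Vault in
# the current subscription and flag entries that grant wildcard or destructive rights.
# Assumes Az.KeyVault and Az.Resources (Get-AzADUser / Get-AzADServicePrincipal) in a
# signed-in session. The "broad" permission list is an assumption; tune it to your policy.

$broadPermissions = @('all', 'purge', 'delete', 'backup', 'restore')

function Resolve-PrincipalName {
    # Map an access-policy ObjectId to something a reviewer can recognise.
    param([string]$ObjectId)
    $user = Get-AzADUser -ObjectId $ObjectId -ErrorAction SilentlyContinue
    if ($user) { return "user:$($user.UserPrincipalName)" }
    $sp = Get-AzADServicePrincipal -ObjectId $ObjectId -ErrorAction SilentlyContinue
    if ($sp) { return "sp:$($sp.DisplayName)" }
    # Unresolvable IDs are themselves a finding: deleted principals whose policy was never cleaned up.
    return "unresolved:$ObjectId"
}

function Get-KeyVaultAccessInventory {
    # Get-AzKeyVault without -VaultName returns summary items; each vault must be fetched
    # individually to get its AccessPolicies collection.
    foreach ($item in Get-AzKeyVault) {
        $vault = Get-AzKeyVault -VaultName $item.VaultName
        foreach ($policy in $vault.AccessPolicies) {
            $granted = @($policy.PermissionsToKeys) + @($policy.PermissionsToSecrets) + @($policy.PermissionsToCertificates) |
                       Where-Object { $_ } | ForEach-Object { $_.ToLower() }
            $flagged = $granted | Where-Object { $broadPermissions -contains $_ } | Sort-Object -Unique
            [pscustomobject]@{
                Vault        = $vault.VaultName
                Principal    = Resolve-PrincipalName -ObjectId $policy.ObjectId
                ObjectId     = $policy.ObjectId
                Keys         = ($policy.PermissionsToKeys -join ',')
                Secrets      = ($policy.PermissionsToSecrets -join ',')
                Certificates = ($policy.PermissionsToCertificates -join ',')
                Flagged      = ($flagged -join ',')
            }
        }
    }
}

$inventory = Get-KeyVaultAccessInventory

# Keep the full inventory for reconciliation against the approved access list (path is a placeholder)...
$inventory | Export-Csv -Path ".\keyvault-access-inventory.csv" -NoTypeInformation

# ...and show only the entries that need a second look: broad grants and orphaned principals.
$inventory |
    Where-Object { $_.Flagged -or $_.Principal -like 'unresolved:*' } |
    Format-Table Vault, Principal, Flagged -AutoSize
```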

3.2: Change default passwords where applicable

Guidance: Not applicable; Azure Key Vault does not have the concept of default passwords, as authentication is provided by Active Directory and secured with Azure role-based access control (Azure RBAC).

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts that have access to your Azure Key Vault instances. Use Azure Security Center Identity and Access Management (currently in preview) to monitor the number of active administrative accounts.

Monitor identity and access (preview):

https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Use an Azure service principal in conjunction with the AppId, TenantID, and ClientSecret to seamlessly authenticate your application and retrieve the token that will be used to access your Azure Key Vault secrets.

Service-to-service authentication to Azure Key Vault using .NET:

https://docs.azure.cn/key-vault/service-to-service-authentication

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory Multi-Factor Authentication and follow Azure Security Center Identity and Access Management (currently in preview) recommendations to help protect your Event Hub-enabled resources.

Planning a cloud-based Azure AD Multi-Factor Authentication deployment:

https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Monitor identity and access (preview):

https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a Privileged Access Workstation (PAW) with Azure AD Multi-Factor Authentication (MFA) configured to log into and configure Key Vault-enabled resources.

Privileged Access Workstations: https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

Planning a cloud-based Azure AD Multi-Factor Authentication deployment: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure AD risk detections to view alerts and reports on risky user behavior. For additional logging, send Azure Security Center risk detection alerts into Azure Monitor and configure custom alerting/notifications using Action Groups.

Enable advanced threat protection (ATP) for Azure Key Vault to generate alerts for suspicious activity.

Deploy Azure AD Privileged Identity Management (PIM): https://docs.azure.cn/active-directory/privileged-identity-management/pim-deployment-plan

Set up advanced threat protection for Azure Key Vault (preview): https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction

Alerts for Azure Key Vault (preview): https://docs.azure.cn/security-center/alerts-reference#alerts-azurekv

Create and manage action groups in the Azure portal: https://docs.azure.cn/azure-monitor/platform/action-groups

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Configure the location condition of a Conditional Access policy and manage your named locations. With named locations, you can create logical groupings of IP address ranges or countries and regions. You can restrict access to sensitive resources, such as your Key Vault secrets, to your configured named locations.

What is the location condition in Azure Active Directory Conditional Access?: https://docs.azure.cn/active-directory/reports-monitoring/quickstart-configure-named-locations

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for Azure resources such as Key Vault. This allows Azure role-based access control (Azure RBAC) to be used to administer sensitive resources.

Quickstart: Create a new tenant in Azure Active Directory:

https://docs.azure.cn/active-directory/fundamentals/active-directory-access-create-new-tenant

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Review Azure Active Directory (Azure AD) logs to help discover stale accounts with Azure Key Vault administrative roles. In addition, use Azure AD access reviews to efficiently manage group memberships, access to enterprise applications that may be used to access Azure Key Vault, and role assignments. User access should be reviewed on a regular basis, such as every 90 days, to make sure only the right users have continued access.

Azure Active Directory reports and monitoring documentation:

https://docs.azure.cn/active-directory/reports-monitoring/

What are Azure AD access reviews?:

https://docs.azure.cn/active-directory/governance/access-reviews-overview

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated accounts

Guidance: Enable diagnostic settings for Azure Key Vault and Azure Active Directory, sending all logs to a Log Analytics workspace. Configure desired alerts (such as attempts to access disabled secrets) within Log Analytics.

Integrate Azure AD logs with Azure Monitor logs: https://docs.azure.cn/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

Migrating from the old Key Vault solution: https://docs.azure.cn/azure-monitor/insights/azure-key-vault#migrating-from-the-old-key-vault-solution

Azure Security Center monitoring: Yes

Responsibility: Customer
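
The alert logic that 2.6, 2.7 and 3.11 ask for, as an added example that is not part of the baseline: it triages Key Vault AuditEvent records offline against constructed sample records, so it runs anywhere without a workspace. Field names follow the Key Vault diagnostic log schema; the allowed IP ranges, the burst threshold and every value in the sample records are constructed assumptions. The same three rules translate directly into a Log Analytics alert over the AuditEvent category.

```powershell
# Added example (not from the baseline): triage Key Vault AuditEvent records offline, the way an
# alert rule in Log Analytics would. Flags denied requests (including reads of disabled
# secrets, the 3.11 case), callers outside the approved IP ranges, and a burst of failures from
# one identity. Every value in $sampleRecords is constructed sample data.

# Assumption: these are the ranges allowed on the vault firewall / in your named locations.
$allowedRanges = @('10.0.0.0/8', '203.0.113.0/24')
$failureBurstThreshold = 3   # assumption: three denials from one caller is worth a look

$sampleRecords = @'
[
 {"time":"2020-06-01T10:00:01Z","operationName":"SecretGet","resultSignature":"OK","resultDescription":"","callerIpAddress":"10.0.1.4","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"1111-aaaa"}},"properties":{"id":"https://kv-example.vault.azure.cn/secrets/db-password","httpStatusCode":200}},
 {"time":"2020-06-01T10:00:05Z","operationName":"SecretGet","resultSignature":"Forbidden","resultDescription":"Operation get is not allowed on a disabled secret.","callerIpAddress":"10.0.1.4","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"1111-aaaa"}},"properties":{"id":"https://kv-example.vault.azure.cn/secrets/legacy-token","httpStatusCode":403}},
 {"time":"2020-06-01T10:01:10Z","operationName":"SecretGet","resultSignature":"Forbidden","resultDescription":"The user, group or application does not have secrets get permission on key vault.","callerIpAddress":"198.51.100.7","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"2222-bbbb"}},"properties":{"id":"https://kv-example.vault.azure.cn/secrets/db-password","httpStatusCode":403}},
 {"time":"2020-06-01T10:01:11Z","operationName":"SecretList","resultSignature":"Forbidden","resultDescription":"The user, group or application does not have secrets list permission on key vault.","callerIpAddress":"198.51.100.7","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"2222-bbbb"}},"properties":{"id":"https://kv-example.vault.azure.cn/secrets","httpStatusCode":403}},
 {"time":"2020-06-01T10:01:12Z","operationName":"KeyList","resultSignature":"Forbidden","resultDescription":"The user, group or application does not have keys list permission on key vault.","callerIpAddress":"198.51.100.7","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"2222-bbbb"}},"properties":{"id":"https://kv-example.vault.azure.cn/keys","httpStatusCode":403}}
]
'@

function ConvertTo-IpInt {
    # IPv4 dotted quad to an integer, independent of host byte order.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-IpInRange {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return (((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask))
}

function Find-KeyVaultAuditAnomalies {
    param([object[]]$Records, [string[]]$AllowedRanges, [int]$BurstThreshold)
    $findings = [System.Collections.Generic.List[object]]::new()
    $failuresByCaller = @{}
    foreach ($r in $Records) {
        $caller = $r.identity.claim.'http://schemas.microsoft.com/identity/claims/objectidentifier'
        if (-not $caller) { $caller = 'unknown' }
        $status = [int]$r.properties.httpStatusCode
        $common = @{ Time = $r.time; Caller = $caller; Ip = $r.callerIpAddress; Object = $r.properties.id }

        # Rule 1: the firewall should already have blocked this; a hit means the rule set drifted.
        $inRange = $false
        foreach ($cidr in $AllowedRanges) { if (Test-IpInRange $r.callerIpAddress $cidr) { $inRange = $true; break } }
        if (-not $inRange) {
            $findings.Add([pscustomobject]($common + @{ Rule = 'CallerOutsideAllowedRanges'; Detail = $r.operationName }))
        }

        # Rule 2: any 4xx/5xx is a denied or failed request; reads of disabled objects get their own rule.
        if ($status -ge 400) {
            $failuresByCaller[$caller] = 1 + [int]$failuresByCaller[$caller]
            $rule = if ($r.resultDescription -match 'disabled') { 'AccessToDisabledObject' } else { 'DeniedRequest' }
            $findings.Add([pscustomobject]($common + @{ Rule = $rule; Detail = "$($r.operationName) -> $($r.resultSignature)" }))
        }
    }

    # Rule 3: repeated denials from one identity look like enumeration rather than a misconfigured app.
    foreach ($caller in $failuresByCaller.Keys) {
        if ($failuresByCaller[$caller] -ge $BurstThreshold) {
            $findings.Add([pscustomobject]@{ Rule = 'FailureBurst'; Time = ''; Caller = $caller; Ip = ''; Object = ''
                                             Detail = "$($failuresByCaller[$caller]) denied requests" })
        }
    }
    return $findings
}

$records  = $sampleRecords | ConvertFrom-Json
$findings = Find-KeyVaultAuditAnomalies -Records $records -AllowedRanges $allowedRanges -BurstThreshold $failureBurstThreshold
$findings | Sort-Object Rule, Time | Format-Table Rule, Time, Caller, Ip, Detail -AutoSize
```

On the sample data the first caller produces one AccessToDisabledObject finding, and the second produces CallerOutsideAllowedRanges plus DeniedRequest for each of its three requests and one FailureBurst.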

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Not applicable; Customer Lockbox is not supported for Azure Key Vault.

Supported services and scenarios in general availability: https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview#supported-services-and-scenarios-in-general-availability

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information on Azure Key Vault-enabled resources.

Use tags to organize your Azure resources: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: You can secure access to Azure Key Vault by making use of virtual network service endpoints configured to restrict access to specific subnets.

After firewall rules are in effect, you can only perform Azure Key Vault data plane operations when your request originates from allowed subnets or IP address ranges. This also applies to Azure Key Vault access in the Azure portal. Although you can browse to a key vault from the Azure portal, you may not be able to list keys, secrets, or certificates if your client machine is not on the allowed list. This also affects the Azure Key Vault Picker and other Azure services. You may be able to see lists of Key Vaults, but not list keys, if firewall rules prevent your client machine from doing so.

Configure Azure Key Vault firewalls and virtual networks: https://docs.azure.cn/key-vault/key-vault-network-security

Virtual network service endpoints for Azure Key Vault: https://docs.azure.cn/key-vault/key-vault-overview-vnet-service-endpoints

Azure Security Center monitoring: Currently not available

Responsibility: Customer
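
The 4.2 configuration carried out with Azure PowerShell, as an added example that is not code from the baseline: it registers the Key Vault service endpoint on the application subnet, replaces the permissive default (DefaultAction Allow) with a deny-by-default rule set that admits only that subnet and one IP range, and reads the effective rule set back. It assumes Az.KeyVault and Az.Network; the vault, VNet, subnet and address values are placeholders.

```powershell
# Added example (not from the baseline): lock a Key Vault's network rule set down to approved
# subnets and IP ranges, then confirm the effective configuration.
# Assumes Az.KeyVault and Az.Network; all names and address values are placeholders.

$vaultName = "kv-example-prod"
$vnet      = Get-AzVirtualNetwork -ResourceGroupName "rg-app" -Name "vnet-app"
$subnet    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app"

# The Microsoft.KeyVault service endpoint must be enabled on the subnet first; without it the
# vault's subnet rule never matches and the subnet's traffic is denied along with everything else.
if ('Microsoft.KeyVault' -notin $subnet.ServiceEndpoints.Service) {
    $vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
                -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.KeyVault' |
            Set-AzVirtualNetwork
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name
}

# Weak state this replaces: -DefaultAction Allow, i.e. any public IP with a valid token gets in.
# Corrected state: deny by default, allow only the app subnet and the office egress range, and
# let trusted Azure services through (-Bypass AzureServices). The administrator's own client
# must be inside -IpAddressRange, or, as the text above notes, the portal will show the vault
# but refuse to list its keys, secrets and certificates.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName `
    -DefaultAction Deny `
    -Bypass AzureServices `
    -IpAddressRange '203.0.113.0/24' `
    -VirtualNetworkResourceId $subnet.Id

# Verify: DefaultAction must read Deny and the two rule lists must contain only what was intended.
$rules = (Get-AzKeyVault -VaultName $vaultName).NetworkAcls
[pscustomobject]@{
    DefaultAction = $rules.DefaultAction
    Bypass        = $rules.Bypass
    IpRules       = ($rules.IpAddressRanges -join ',')
    SubnetRules   = ($rules.VirtualNetworkResourceIds -join ',')
}
```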

4.3:监视和阻止未经授权的敏感信息传输4.3: Monitor and block unauthorized transfer of sensitive information

指导:Azure Key Vault 中存储的所有数据都被视为敏感数据。Guidance: All data stored within Azure Key Vault is considered sensitive. 使用 Azure Key Vault 数据平面访问控制来控制对 Azure Key Vault 机密的访问。Use Azure Key Vault data plane access controls to control access to Azure Key Vault secrets. 你还可使用 Key Vault 的内置防火墙,在网络层控制访问。You may also use Key Vault's built-in firewall to control access at the network layer. 若要监视对 Azure Key Vault 的访问,请启用 Key Vault 诊断设置,并将日志发送到 Azure 存储帐户或 Log Analytics 工作区。To monitor access to Azure Key Vault, enable Key Vault Diagnostic Settings and send logs to an Azure Storage Account or Log Analytics workspace.

保护对密钥保管库的访问: https://docs.azure.cn/key-vault/key-vault-secure-your-key-vaultSecure access to a key vault: https://docs.azure.cn/key-vault/key-vault-secure-your-key-vault

配置 Azure Key Vault 防火墙和虚拟网络: https://docs.azure.cn/key-vault/key-vault-network-securityConfigure Azure Key Vault firewalls and virtual networks: https://docs.azure.cn/key-vault/key-vault-network-security

Azure Key Vault 日志记录: https://docs.azure.cn/key-vault/key-vault-loggingAzure Key Vault logging: https://docs.azure.cn/key-vault/key-vault-logging

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:客户Responsibility: Customer

4.4:加密传输中的所有敏感信息4.4: Encrypt all sensitive information in transit

指导:所有流向 Azure Key Vault 来进行身份验证、管理和数据平面访问的流量都会被加密并通过 HTTPS(端口 443)传递。Guidance: All traffic to Azure Key Vault for authentication, management, and data plane access, is encrypted and goes over HTTPS: port 443. (但是对于 CRL,偶尔会有 HTTP [端口 80] 流量。)Azure Key Vault 继续允许引入 TLS 1.1 和 TLS 1.0 数据。(However, there will occasionally be HTTP [port 80] traffic for CRL.) Azure Key Vault continues to allow TLS 1.1 and TLS 1.0 data to be ingested. 通过在客户端配置,可将数据限制为 TLS 1.2。Data may be restricted to TLS 1.2 through configuration on the client side.

Access Azure Key Vault behind a firewall: https://docs.azure.cn/key-vault/key-vault-access-behind-firewall

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.5: Use an active discovery tool to identify sensitive data

Guidance: Not applicable; all data within Azure Key Vault (secrets, keys, and certificates) is considered sensitive.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.6: Use Azure RBAC to control access to resources

Guidance: Secure access to the management and data plane of your Azure Key Vault instances.

Secure access to a key vault:

https://docs.azure.cn/key-vault/key-vault-secure-your-key-vault

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Microsoft manages the underlying infrastructure for Azure Key Vault and has implemented strict controls to prevent the loss or exposure of customer data.

What is Azure Key Vault?

https://docs.azure.cn/key-vault/key-vault-overview

Azure customer data protection:

https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.8: Encrypt sensitive information at rest

Guidance: All managed objects (keys, certificates, and secrets) are encrypted at rest in Azure Key Vault.

Supporting documentation:

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.9: Log and alert on changes to critical Azure resources

Guidance: Use the Azure Key Vault Analytics solution in Azure Monitor to review Azure Key Vault audit event logs.

Azure Key Vault Analytics solution in Azure Monitor:

https://docs.azure.cn/azure-monitor/insights/azure-key-vault

Azure Security Center monitoring: Not applicable

Responsibility: Customer
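The review the guidance for 4.9 asks for can be scripted. The following is an added example, not part of the baseline: it runs a KQL query against the Log Analytics workspace that the vault's diagnostic setting streams `AuditEvent` records to, and summarizes the entries a defender would alert on (denied requests, vault configuration changes, permanent deletions, and bulk enumeration). It assumes the Az.OperationalInsights module, a signed-in account with read access to the workspace, and the placeholder workspace ID shown; the operation and column names are those Key Vault writes to the AzureDiagnostics table.

```powershell
# Added example, not from the baseline: pull Key Vault AuditEvent records from the Log Analytics
# workspace that the vault's diagnostic setting streams to, and surface the entries worth an alert.
# Assumes the Az.OperationalInsights module and a workspace ID (placeholder below).
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Log Analytics workspace ID

# Key Vault writes to the AzureDiagnostics table with Category "AuditEvent". Each row carries the
# operation (SecretGet, VaultPatch, ...), the HTTP result (OK, Forbidden, Unauthorized) and the caller IP.
$Kql = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where TimeGenerated > ago(24h)
| extend Finding = case(
    ResultSignature in ("Forbidden", "Unauthorized"),                 "access denied",
    OperationName in ("VaultPatch", "VaultPut", "VaultDelete"),       "vault configuration change",
    OperationName endswith "Purge",                                   "permanent deletion",
    OperationName in ("SecretList", "KeyList", "CertificateList"),    "enumeration",
    "")
| where isnotempty(Finding)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Operations = make_set(OperationName)
          by Resource, CallerIPAddress, Finding
| order by Count desc
'@

function Get-KeyVaultAuditFindings {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$Query
    )
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query
    # Results come back as a collection of objects with one property per KQL column.
    $response.Results
}

Get-KeyVaultAuditFindings -WorkspaceId $WorkspaceId -Query $Kql | Format-Table -AutoSize
```

The same KQL can be pasted into a Log Analytics alert rule so that a non-zero row count raises an alert rather than relying on someone running the script. A burst of "access denied" rows from a single caller IP, or any "permanent deletion" row outside a change window, is the pattern to page on.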

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Microsoft performs vulnerability management on the underlying systems that support Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; Microsoft performs patch management on the underlying systems that support Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated third-party software patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare back-to-back vulnerability scans

Guidance: Microsoft performs vulnerability management on the underlying systems that support Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use the default risk ratings (Secure Score) provided by Azure Security Center.

Improve your Secure Score in Azure Security Center:

https://docs.azure.cn/security-center/security-center-secure-score

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query and discover all resources (including Azure Key Vault instances) within your subscription. Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions.

Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer:

https://docs.azure.cn/governance/resource-graph/first-query-portal

Get subscriptions that the current account can access:

https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0

What is Azure role-based access control (Azure RBAC)?

https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer
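As an added example that is not part of the baseline, the following PowerShell carries out the discovery described in 6.1: it first enumerates the subscriptions the signed-in account can read (Resource Graph only searches those), then queries Azure Resource Graph for every Key Vault together with the settings an inventory reconciliation needs. It also applies the tagging and reconciliation ideas of 6.2 and 6.3 by flagging vaults without an owner tag. It assumes the Az.Accounts and Az.ResourceGraph modules are installed and `Connect-AzAccount` has already run; the `owner` tag name is an assumption.

```powershell
# Added example, not from the baseline: enumerate every subscription the signed-in account can read,
# then use Azure Resource Graph to inventory all Key Vaults with the settings an auditor cares about.
# Assumes the Az.Accounts and Az.ResourceGraph modules are installed and Connect-AzAccount has run.

# Resource Graph only searches subscriptions the caller can read, so confirm the scope first (control 6.1).
$Subscriptions = Get-AzSubscription
Write-Host ("Account can read {0} subscription(s)" -f $Subscriptions.Count)

# 'owner' is an assumed tag name; substitute the tag your organization uses.
$Query = @'
resources
| where type =~ 'microsoft.keyvault/vaults'
| project name, resourceGroup, subscriptionId, location,
          softDelete      = tobool(properties.enableSoftDelete),
          purgeProtection = tobool(properties.enablePurgeProtection),
          networkDefault  = tostring(properties.networkAcls.defaultAction),
          owner           = tostring(tags['owner'])
| order by subscriptionId asc, name asc
'@

function Get-KeyVaultInventory {
    param([Parameter(Mandatory)][string]$Query, [string[]]$SubscriptionIds)
    # Search-AzGraph returns 100 rows by default; -First raises that to the 1000-row maximum per call.
    $params = @{ Query = $Query; First = 1000 }
    if ($SubscriptionIds) { $params.Subscription = $SubscriptionIds }
    Search-AzGraph @params
}

$Inventory = Get-KeyVaultInventory -Query $Query -SubscriptionIds $Subscriptions.Id
$Inventory | Format-Table -AutoSize

# Vaults missing the baseline settings or an owner tag are the ones to reconcile first (controls 6.2 and 6.3).
$Inventory | Where-Object { -not $_.purgeProtection -or $_.networkDefault -ne 'Deny' -or -not $_.owner }
```

If the subscription count printed by `Get-AzSubscription` is lower than the number your organization owns, the inventory is incomplete and the missing read permissions should be fixed before the results are trusted; a vault that the auditing account cannot see is exactly the one an inventory is meant to catch.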

6.2: Maintain asset metadata

Guidance: Apply tags to Azure Key Vault resources, giving metadata to logically organize them into a taxonomy.

How to create and use tags:

https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Key Vault instances and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Create an additional Azure subscription:

https://www.microsoft.com/china/azure/index.html?fromtype=cn

Create management groups for resource organization and management:

https://docs.azure.cn/governance/management-groups/create

Use tags to organize your Azure resources: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Define a list of approved Azure resources and approved software for your compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

In addition, use Azure Resource Graph to query/discover resources within the subscription(s).

Tutorial: Create and manage policies to enforce compliance: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer: https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for Azure as a whole as well as compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

Tutorial: Create and manage policies to enforce compliance: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Policy samples: https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager (ARM) by configuring "Block access" for the "Microsoft Azure Management" app. This can prevent the creation of and changes to resources within a high-security environment, such as those with Key Vault configuration.

Manage access to Azure management with Conditional Access:

https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high-risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.KeyVault" namespace to create custom policies to audit or enforce the configuration of your Azure Key Vault instances. You may also use built-in Azure Policy definitions for Azure Key Vault such as:

  • Key Vault objects should be recoverable

  • Deploy Diagnostic Settings for Key Vault to Log Analytics workspace

  • Diagnostic logs in Key Vault should be enabled

  • Key Vault should use a virtual network service endpoint

  • Deploy Diagnostic Settings for Key Vault to Event Hub

Use recommendations from Azure Security Center as a secure configuration baseline for your Azure Key Vault instances.

How to view available Azure Policy aliases:

https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

Tutorial: Create and manage policies to enforce compliance:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Yes

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure Key Vault-enabled resources.

Tutorial: Create and manage policies to enforce compliance:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Understand Azure Policy effects:

https://docs.azure.cn/governance/policy/concepts/effects

Azure Security Center monitoring: Not applicable

Responsibility: Customer
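Controls 6.5, 6.9, 7.1 and 7.3 all come down to an Azure Policy definition and its assignment. The following is an added example, not part of the baseline: a custom policy built on two `Microsoft.KeyVault` aliases that refuses a Key Vault created without purge protection or with a public-by-default firewall, with the effect parameterised so it can be rolled out as Audit before being switched to Deny. It first lists the aliases it depends on, as 7.1 suggests, so the rule is not written against a field that does not exist in your tenant. It assumes the Az.Resources module and a placeholder subscription ID; the definition and assignment names are assumptions.

```powershell
# Added example, not from the baseline: a custom Azure Policy that denies Key Vaults created without
# purge protection or with a public-by-default firewall, built on Microsoft.KeyVault aliases, and its
# assignment at subscription scope. Assumes Az.Resources and a placeholder subscription ID.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Confirm the aliases the rule relies on exist in this tenant before using them (control 7.1).
$Aliases = Get-AzPolicyAlias -NamespaceMatch 'Microsoft.KeyVault' |
    Select-Object -ExpandProperty Aliases |
    Where-Object Name -in @('Microsoft.KeyVault/vaults/enablePurgeProtection',
                            'Microsoft.KeyVault/vaults/networkAcls.defaultAction')
$Aliases | Select-Object Name

# Policy rule: match vaults where purge protection is absent or false, or the firewall default is not Deny.
$PolicyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
      {
        "anyOf": [
          { "field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "exists": "false" },
          { "field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "notEquals": "true" },
          { "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", "notEquals": "Deny" }
        ]
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameterised effect: assign as Audit first to see what would be blocked, then switch to Deny (control 7.3).
$PolicyParameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

$Definition = New-AzPolicyDefinition -Name 'kv-baseline-hardening' `
    -DisplayName 'Key Vaults must have purge protection and a deny-by-default firewall' `
    -Policy $PolicyRule -Parameter $PolicyParameters -Mode 'Indexed'

# Enforcing assignment; pass @{ effect = 'Audit' } instead for the dry run.
New-AzPolicyAssignment -Name 'kv-baseline-hardening' -PolicyDefinition $Definition `
    -Scope "/subscriptions/$SubscriptionId" -PolicyParameterObject @{ effect = 'Deny' }
```

The built-in "Allowed resource types" and "Not allowed resource types" definitions named in 6.5 and 6.9 are assigned the same way, with `New-AzPolicyAssignment` pointing at the built-in definition and the list of resource types supplied through `-PolicyParameterObject`. Deny only stops new non-compliant deployments; existing vaults show up as non-compliant in the compliance view and still need the remediation the audit pass identifies.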

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.6: Securely store custom operating system images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use Azure Policy aliases in the "Microsoft.KeyVault" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use Azure Security Center to perform baseline scans for your Azure Key Vault-protected resources.

How to remediate recommendations in Azure Security Center:

https://docs.azure.cn/security-center/security-center-remediate-recommendations

Azure Security Center monitoring: Yes

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this benchmark is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Manage Azure secrets securely

Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications. Ensure that Azure Key Vault soft-delete is enabled.

How to integrate with Azure managed identities:

https://docs.azure.cn/azure-app-configuration/howto-integrate-azure-managed-service-identity

How to create a Key Vault:

https://docs.azure.cn/key-vault/general/quick-create-portal

How to authenticate to Key Vault:

https://docs.azure.cn/key-vault/general/authentication

How to assign a Key Vault access policy:

https://docs.azure.cn/key-vault/general/assign-access-policy-portal

Azure Security Center monitoring: Yes

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
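Controls 7.11 and 7.12 both recommend a managed identity as the way an application reaches Key Vault. The following added example, not part of the baseline, shows what that looks like end to end from inside an Azure VM: the VM's system-assigned identity obtains a token from the Instance Metadata Service, that token is used to read one secret over the Key Vault REST API, and finally the vault's soft-delete setting is checked as 7.11 (and 9.4) require. No credential is stored on the machine. It assumes the identity has been granted `get` on secrets via an access policy, that Az.KeyVault is installed for the final check, and that `my-vault` and `db-password` are placeholders.

```powershell
# Added example, not from the baseline: read a secret from inside an Azure VM using its system-assigned
# managed identity (no credential stored on the machine), then confirm the vault has soft-delete enabled.
# Assumes: the VM's identity has 'get' permission on secrets; 'my-vault' and 'db-password' are placeholders.
$VaultName  = 'my-vault'
$SecretName = 'db-password'
$VaultHost  = "$VaultName.vault.azure.cn"   # Azure China DNS suffix; the token audience below matches it

function Get-ManagedIdentityToken {
    # The Instance Metadata Service is reachable only from inside the VM, on a link-local address,
    # and requires the Metadata header so that a request cannot be forged through an HTTP redirect.
    param([string]$Resource = 'https://vault.azure.cn')
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           "?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
    (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get).access_token
}

function Get-KeyVaultSecretValue {
    param([Parameter(Mandatory)][string]$VaultHost, [Parameter(Mandatory)][string]$Name)
    $token = Get-ManagedIdentityToken
    $resp = Invoke-RestMethod -Uri "https://$VaultHost/secrets/${Name}?api-version=7.0" `
                              -Headers @{ Authorization = "Bearer $token" } -Method Get
    $resp.value
}

# Use the secret without echoing it; only its length is shown here.
$secret = Get-KeyVaultSecretValue -VaultHost $VaultHost -Name $SecretName
Write-Host "Retrieved secret '$SecretName' ($($secret.Length) characters)"

# Soft-delete check (controls 7.11 and 9.4): requires Az.KeyVault and an account that can read the vault.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault.EnableSoftDelete) {
    Write-Warning "Soft-delete is NOT enabled on $VaultName; deleted secrets cannot be recovered."
}
```

The token is scoped to the Key Vault audience and to the identity's access policy, so the blast radius of a compromised VM is the set of secrets that one identity can read; grant `get` on the specific secrets the workload needs rather than `list` and `get` on the whole vault.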

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft handles anti-malware for the underlying platform.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Key Vault); however, it does not run on customer content.

Pre-scan any content being uploaded or sent to non-compute Azure resources such as Azure Key Vault. Microsoft cannot access your data in these instances.

Understand Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.azure.cn/security/fundamentals/antimalware

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft handles anti-malware for the underlying platform.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated backups

Guidance: Ensure regular automated backups of your Key Vault certificates, keys, managed storage accounts, and secrets, with the following PowerShell commands:

  • Backup-AzKeyVaultCertificate

  • Backup-AzKeyVaultKey

  • Backup-AzKeyVaultManagedStorageAccount

  • Backup-AzKeyVaultSecret

Optionally, you may store your Key Vault backups within Azure Backup.

How to back up Key Vault certificates: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultcertificate

How to back up Key Vault keys: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey

How to back up Key Vault managed storage accounts: https://docs.microsoft.com/powershell/module/az.keyvault/add-azkeyvaultmanagedstorageaccount

How to back up Key Vault secrets: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultsecret

How to enable Azure Backup: https://docs.azure.cn/backup

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Perform backups of your Key Vault certificates, keys, managed storage accounts, and secrets, with the following PowerShell commands:

  • Backup-AzKeyVaultCertificate

  • Backup-AzKeyVaultKey

  • Backup-AzKeyVaultManagedStorageAccount

  • Backup-AzKeyVaultSecret

Optionally, you may store your Key Vault backups within Azure Backup.

How to back up Key Vault certificates: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultcertificate

How to back up Key Vault keys: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey

How to back up Key Vault managed storage accounts: https://docs.microsoft.com/powershell/module/az.keyvault/add-azkeyvaultmanagedstorageaccount

How to back up Key Vault secrets: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultsecret

How to enable Azure Backup: https://docs.azure.cn/backup

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Periodically perform data restoration of your Key Vault certificates, keys, managed storage accounts, and secrets, with the following PowerShell commands:

  • Restore-AzKeyVaultCertificate

  • Restore-AzKeyVaultKey

  • Restore-AzKeyVaultManagedStorageAccount

  • Restore-AzKeyVaultSecret

How to restore Key Vault certificates: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultcertificate?view=azurermps-6.13.0

How to restore Key Vault keys: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0

How to restore Key Vault managed storage accounts: https://docs.microsoft.com/powershell/module/az.keyvault/backup-azkeyvaultmanagedstorageaccount

How to restore Key Vault secrets: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultsecret?view=azurermps-6.13.0

Azure Security Center monitoring: Not applicable

Responsibility: Customer
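Controls 9.1, 9.2 and 9.3 list the backup and restore cmdlets individually; the following added example, not part of the baseline, strings them together into the procedure those controls describe. It backs up every secret, key and certificate in a vault into a timestamped folder, then validates the backups by restoring all of them into a separate, empty scratch vault and reporting anything that failed to restore. It assumes the Az.KeyVault module, an account with backup and restore permission on both vaults, and that the scratch vault is in the same subscription and geography as the source (Key Vault backup blobs are encrypted and can only be restored there). `my-vault` and `my-vault-restore` are placeholders; `Backup-AzKeyVaultManagedStorageAccount` and its restore counterpart follow the same pattern and are left out only for brevity.

```powershell
# Added example, not from the baseline: back up every secret, key and certificate in a vault into a
# timestamped folder, then prove the backups are restorable by restoring them into a scratch vault.
# Assumes Az.KeyVault, an account with backup/restore permission on both vaults, and that the scratch
# vault is in the same subscription and geography (Key Vault backup blobs can only be restored there).
$SourceVault  = 'my-vault'          # placeholder
$ScratchVault = 'my-vault-restore'  # placeholder: empty vault used only to validate backups
$BackupRoot   = Join-Path $env:TEMP 'kv-backups'

function Backup-KeyVaultObjects {
    param([Parameter(Mandatory)][string]$VaultName, [Parameter(Mandatory)][string]$Root)
    $dir = Join-Path $Root ("{0}-{1:yyyyMMdd-HHmmss}" -f $VaultName, (Get-Date))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Each Backup-* cmdlet writes an encrypted blob that only Key Vault itself can decrypt.
    foreach ($s in Get-AzKeyVaultSecret -VaultName $VaultName) {
        Backup-AzKeyVaultSecret -VaultName $VaultName -Name $s.Name `
            -OutputFile (Join-Path $dir "secret-$($s.Name).blob") -Force | Out-Null
    }
    foreach ($k in Get-AzKeyVaultKey -VaultName $VaultName) {
        Backup-AzKeyVaultKey -VaultName $VaultName -Name $k.Name `
            -OutputFile (Join-Path $dir "key-$($k.Name).blob") -Force | Out-Null
    }
    foreach ($c in Get-AzKeyVaultCertificate -VaultName $VaultName) {
        Backup-AzKeyVaultCertificate -VaultName $VaultName -Name $c.Name `
            -OutputFile (Join-Path $dir "cert-$($c.Name).blob") -Force | Out-Null
    }
    $dir
}

function Test-KeyVaultBackup {
    # Restores every blob into the scratch vault and reports what could not be restored (control 9.3).
    param([Parameter(Mandatory)][string]$BackupDir, [Parameter(Mandatory)][string]$VaultName)
    $blobs  = Get-ChildItem -Path $BackupDir -Filter '*.blob'
    $failed = @()
    foreach ($f in $blobs) {
        try {
            switch -Wildcard ($f.Name) {
                'secret-*' { Restore-AzKeyVaultSecret      -VaultName $VaultName -InputFile $f.FullName | Out-Null }
                'key-*'    { Restore-AzKeyVaultKey         -VaultName $VaultName -InputFile $f.FullName | Out-Null }
                'cert-*'   { Restore-AzKeyVaultCertificate -VaultName $VaultName -InputFile $f.FullName | Out-Null }
            }
        }
        catch { $failed += "$($f.Name): $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        BackupDir = $BackupDir
        Restored  = $blobs.Count - $failed.Count
        Failed    = $failed
    }
}

$dir = Backup-KeyVaultObjects -VaultName $SourceVault -Root $BackupRoot
Test-KeyVaultBackup -BackupDir $dir -VaultName $ScratchVault
```

A restore fails when an object with the same name already exists in the target vault, which is why a dedicated scratch vault is used; empty it (and purge the soft-deleted entries, if soft-delete is holding the names) between validation runs. Treat the backup folder as sensitive even though the blobs are encrypted: it is the complete inventory of what the vault protects, and it should sit on storage with the same access control as the vault itself.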

9.4: Ensure protection of backups and customer-managed keys

Guidance: Ensure that soft-delete is enabled for Azure Key Vault. Soft-delete allows recovery of deleted key vaults and vault objects such as keys, secrets, and certificates.

How to use Azure Key Vault soft-delete:

https://docs.azure.cn/key-vault/key-vault-soft-delete-powershell

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling/management from detection to post-incident review. These processes should have a focus on protecting sensitive systems, such as those using Key Vault secrets.

How to configure Workflow Automations within Azure Security Center:

https://docs.azure.cn/security-center/security-center-planning-and-operations-guide

Guidance on building your own security incident response process:

https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/

Microsoft Security Response Center's Anatomy of an Incident:

https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process

Customers may also leverage NIST's Computer Security Incident Handling Guide to aid in the creation of their own incident response plan:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, clearly mark subscriptions (for example, production, non-production) and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data such as Azure Key Vault secrets.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure Key Vault instances and related resources. Identify weak points and gaps and revise the plan as needed.

Refer to NIST's publication: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

How to set the Azure Security Center security contact:

https://docs.azure.cn/security-center/security-center-provide-security-contact-details

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure Key Vault-enabled resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

How to configure continuous export:

https://docs.azure.cn/security-center/continuous-export

Azure Security Center monitoring: Currently not available

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses to security alerts and recommendations via Logic Apps, to protect your Azure Key Vault-protected resources.

How to configure Workflow Automation and Logic Apps:

https://docs.azure.cn/security-center/workflow-automation

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Do not perform penetration testing on the Azure Key Vault service directly; however, you are encouraged to test your own Azure resources that use Key Vault to ensure the security of the secrets.

You will need to follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies:

https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

You can find more information on Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications here:

https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps