Security controls for Azure Key Vault

This article documents the security controls built into Azure Key Vault.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

| Security control | Yes/No | Notes |
|---|---|---|
| Service endpoint support | Yes | Using Virtual Network (VNet) service endpoints. |
| VNet injection support | No | |
| Network isolation and firewalling support | Yes | Using VNet firewall rules. |
| Forced tunneling support | No | |

Monitoring & logging

| Security control | Yes/No | Notes |
|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | Using Log Analytics. |
| Control/Management plane logging and audit | Yes | Using Log Analytics. |
| Data plane logging and audit | Yes | Using Log Analytics. |

Identity

| Security control | Yes/No | Notes |
|---|---|---|
| Authentication | Yes | Authentication is through Azure Active Directory. |
| Authorization | Yes | Using Key Vault Access Policy. |

Data protection

| Security control | Yes/No | Notes |
|---|---|---|
| Server-side encryption at rest: Microsoft-managed keys | Yes | All objects are encrypted. |
| Column level encryption (Azure Data Services) | N/A | |
| Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption) | Yes | All communication is via encrypted API calls. |
| API calls encrypted | Yes | Using HTTPS. |

Access controls

| Security control | Yes/No | Notes |
|---|---|---|
| Control/Management plane access controls | Yes | Azure Resource Manager Role-Based Access Control (RBAC) |
| Data plane access controls (at every service level) | Yes | Key Vault Access Policy |
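The controls marked "Yes" in the Network, Monitoring & logging, Identity and Access controls tables are all settings a vault owner has to switch on. As an added example that is not part of this article or the Azure documentation, the following Bicep template deploys a vault with the VNet service-endpoint firewall, a least-privilege access policy for one Azure AD principal, and data-plane audit logging to Log Analytics; the vault name, principal object id, subnet id and workspace id are assumed placeholder inputs.

```bicep
param location string = resourceGroup().location
param vaultName string = 'kv-example-placeholder'   // assumed name, not from the article
param tenantId string = subscription().tenantId
// Azure AD object id of the principal that needs to read secrets (assumed input).
param appObjectId string
// Resource id of a subnet that already has the Microsoft.KeyVault service endpoint (assumed input).
param subnetId string
// Resource id of an existing Log Analytics workspace (assumed input).
param logAnalyticsWorkspaceId string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    // Identity: callers authenticate against this Azure AD tenant.
    tenantId: tenantId
    sku: { family: 'A', name: 'standard' }
    // Data-plane authorization: a Key Vault access policy, limited to reading secrets.
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: appObjectId
        permissions: { secrets: [ 'get', 'list' ] }
      }
    ]
    // Network isolation: deny by default, allow only the VNet subnet through its service endpoint.
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: subnetId } ]
    }
  }
}

// Monitoring: send data-plane AuditEvent logs to Log Analytics.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit-to-log-analytics'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { category: 'AuditEvent', enabled: true } ]
  }
}
```

Management-plane access (who may deploy or change this template's resources) is still governed by Azure Resource Manager RBAC on the resource group, as the last table states.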