Security recommendations for Azure Key Vault

This article contains security recommendations for Azure Key Vault. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model. For more information on what Microsoft does to fulfill service provider responsibilities, read Shared responsibilities for cloud computing.

Some of the recommendations in this article can be monitored automatically by Azure Security Center. Azure Security Center is the first line of defense in protecting your resources in Azure. It periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities, and then provides recommendations on how to address them.

Data protection

| Recommendation | Comments | Security Center |
|---|---|---|
| Enable soft-delete | Soft-delete lets you recover deleted vaults and vault objects. Note that soft-delete alone does not prevent a soft-deleted vault or object from being purged; purge protection is a separate setting. | - |
| Limit access to vault data | Follow the principle of least privilege and limit which members of your organization have access to vault data. | - |

Identity and access management

| Recommendation | Comments | Security Center |
|---|---|---|
| Limit the number of users with Contributor access | If a user has Contributor permissions on a key vault's management plane, that user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who holds the Contributor role on your key vaults. Ensure that only authorized persons with a genuine need for access can access and manage your vaults. If the vault uses the Azure RBAC permission model instead of access policies, data-plane access is granted through role assignments, so the roles that can create role assignments (Owner, User Access Administrator) carry the equivalent risk. See Secure access to a key vault. | - |

Monitoring

| Recommendation | Comments | Security Center |
|---|---|---|
| Diagnostics logs in Key Vault should be enabled | Enable logs and retain them for up to a year. This lets you reconstruct an activity trail for investigation when a security incident occurs or your network is compromised. | - |
| Restrict who can access your Azure Key Vault logs | Key Vault logs record the activities performed on your vault, such as creation or deletion of vaults, keys, and secrets, and may be used during an investigation. | - |
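The recommendations above say to enable and retain logs; the following Python shows what an investigator actually does with them. It is an added example, not code from the original article. The record layout follows the shape of Key Vault AuditEvent diagnostic records (`operationName`, `resultSignature`, `callerIpAddress`, `identity.claim.upn`, `properties.id`), but the sample records, the allowed CIDR range and the refusal threshold are constructed assumptions. It surfaces three things worth a look: successful secret or key operations from outside the expected network, changes to the vault resource itself (which is also where access policies are written), and callers refused repeatedly.

```python
"""Triage constructed Azure Key Vault AuditEvent log lines.

Added example, not from the original article. Field names follow the shape of
Key Vault AuditEvent records; the records, the allowed CIDR range and the
burst threshold are constructed assumptions.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample export: one JSON record per line, reduced to the fields
# used below. The final line imitates a truncated export line.
SAMPLE_LOG = """
{"time":"2024-05-01T08:00:01Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.20.0.7","identity":{"claim":{"upn":"app-billing"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/db-conn"}}
{"time":"2024-05-01T08:00:05Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.50","identity":{"claim":{"upn":"alice@contoso.com"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/db-conn"}}
{"time":"2024-05-01T08:01:00Z","operationName":"VaultPatch","resultSignature":"OK","callerIpAddress":"10.20.0.9","identity":{"claim":{"upn":"bob@contoso.com"}},"properties":{"id":"https://contoso-kv.vault.azure.net/"}}
{"time":"2024-05-01T08:02:00Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.4","identity":{"claim":{"upn":"svc-scan"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/admin-pw"}}
{"time":"2024-05-01T08:02:01Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.4","identity":{"claim":{"upn":"svc-scan"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/root-pw"}}
{"time":"2024-05-01T08:02:02Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.4","identity":{"claim":{"upn":"svc-scan"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/backup-key"}}
{"time":"2024-05-01T08:03:00Z","operationName":"KeyDecrypt","resultSignature":"OK","callerIpAddress":"10.20.0.7","identity":{"claim":{"upn":"app-billing"}},"properties":{"id":"https://contoso-kv.vault.azure.net/keys/cmk/1"}}
{"time":"2024-05-01T08:03:30Z","operationName":"SecretGe
"""

# Operations that hand out or use secret material: a success from an
# unexpected network is worth a look whatever identity was used.
SENSITIVE_OPS = {"SecretGet", "KeyGet", "CertificateGet", "KeyDecrypt", "KeySign", "KeyUnwrap"}
# Operations against the vault resource itself, including access-policy edits.
CONTROL_PLANE_OPS = {"VaultPut", "VaultPatch", "VaultDelete"}


def parse_events(text):
    """Parse one record per non-empty line; skip lines that are not valid JSON
    instead of aborting the whole run on a truncated export."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def caller_of(ev):
    return ev.get("identity", {}).get("claim", {}).get("upn", "<unknown>")


def sensitive_ops_outside(events, allowed_cidrs):
    """Successful secret/key operations whose caller IP is outside the allowed ranges."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for ev in events:
        if ev.get("operationName") not in SENSITIVE_OPS or ev.get("resultSignature") != "OK":
            continue
        ip = ipaddress.ip_address(ev["callerIpAddress"])
        if not any(ip in net for net in allowed):
            hits.append((caller_of(ev), str(ip), ev["properties"]["id"]))
    return hits


def control_plane_changes(events):
    """Every change to the vault resource, which is also where access policies live."""
    return [(ev["time"], ev["operationName"], caller_of(ev))
            for ev in events if ev.get("operationName") in CONTROL_PLANE_OPS]


def refused_bursts(events, threshold=3):
    """(caller, ip) pairs refused at least `threshold` times: enumeration, or a
    principal whose access was removed but whose automation keeps trying."""
    counts = Counter()
    for ev in events:
        if ev.get("resultSignature") not in (None, "OK"):
            counts[(caller_of(ev), ev["callerIpAddress"])] += 1
    return sorted((key, n) for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("sensitive ops outside 10.20.0.0/16:", sensitive_ops_outside(events, ["10.20.0.0/16"]))
    print("vault changes:", control_plane_changes(events))
    print("refused bursts:", refused_bursts(events))
```

The parser deliberately drops malformed lines rather than raising, because a truncated last line is normal in a rolling export and must not hide the seven good records before it. In practice the same three queries are what you would express in Log Analytics against the AuditEvent table; keeping the logic here offline makes it easy to test against captured samples.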

Networking

| Recommendation | Comments | Security Center |
|---|---|---|
| Limit network exposure | Network access should be limited to the virtual networks used by the solutions that require vault access. Review the information on Virtual network service endpoints for Azure Key Vault. | - |
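The data protection, identity and access management, and networking recommendations above can all be checked from the vault resource and its role assignments. The following Python is an added example, not the article's own code: `VAULT` mirrors the properties a `Microsoft.KeyVault/vaults` resource exposes in ARM and `ROLE_ASSIGNMENTS` the fields of `az role assignment list` output, but every value is a constructed placeholder, and which management-plane roles count as able to grant data-plane access is this example's assumption. It shows the weak configuration beside its hardened form and resolves role-assignment scope inheritance, which is where the Contributor risk from the identity section usually hides (an assignment on the resource group or subscription covers the vault too).

```python
"""Posture check for one Key Vault: soft-delete, management-plane roles that can
reach the data plane, and network exposure.

Added example, not the article's own code. All ids and names are constructed
placeholders; the grantor role sets are this example's assumption.
"""
import copy

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
RG = SUB + "/resourceGroups/rg-app"
VAULT_ID = RG + "/providers/Microsoft.KeyVault/vaults/contoso-kv"
SUBNET_ID = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"

# Weak configuration: soft-delete off, access-policy model, open to every network.
VAULT = {
    "id": VAULT_ID,
    "properties": {
        "enableSoftDelete": False,
        "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "placeholder-app-oid", "permissions": {"secrets": ["get", "list"]}}],
        "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                        "ipRules": [], "virtualNetworkRules": []},
    },
}

# Corrected configuration for the same vault: recoverable, RBAC model, reachable
# only from the application subnet (plus trusted Azure services).
HARDENED_VAULT = copy.deepcopy(VAULT)
HARDENED_VAULT["properties"].update({
    "enableSoftDelete": True,
    "enableRbacAuthorization": True,
    "accessPolicies": [],
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                    "ipRules": [], "virtualNetworkRules": [{"id": SUBNET_ID}]},
})

# Constructed role assignments in the shape of `az role assignment list` output.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "deploy-sp", "roleDefinitionName": "Contributor", "scope": VAULT_ID},
    {"principalName": "bob@contoso.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "carol@contoso.com", "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
    {"principalName": "dave@contoso.com", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},  # a different subscription
]

# Under the access-policy model anyone who can write the vault resource can add
# themselves to accessPolicies. Under the RBAC model only roles that can create
# role assignments can do the equivalent; Contributor cannot.
POLICY_MODEL_GRANTORS = {"Owner", "Contributor", "Key Vault Contributor"}
RBAC_MODEL_GRANTORS = {"Owner", "User Access Administrator"}


def scope_covers(scope, resource_id):
    """True when an assignment at `scope` is inherited by `resource_id`.
    Case-insensitive and on path-segment boundaries, so an assignment on
    rg-app does not cover a vault in rg-apples."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def management_plane_grantors(vault, assignments):
    """Principals whose management-plane role lets them grant themselves data-plane access."""
    rbac = vault["properties"].get("enableRbacAuthorization", False)
    risky = RBAC_MODEL_GRANTORS if rbac else POLICY_MODEL_GRANTORS
    return sorted((a["principalName"], a["roleDefinitionName"], a["scope"])
                  for a in assignments
                  if a["roleDefinitionName"] in risky and scope_covers(a["scope"], vault["id"]))


def posture_findings(vault):
    """Findings against the data-protection and networking recommendations."""
    props = vault["properties"]
    findings = []
    if not props.get("enableSoftDelete", False):
        findings.append("soft-delete disabled")
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny")
    return findings


if __name__ == "__main__":
    for name, v in (("weak", VAULT), ("hardened", HARDENED_VAULT)):
        print(name, posture_findings(v), management_plane_grantors(v, ROLE_ASSIGNMENTS))
```

Two details matter in practice. Scope matching must be on segment boundaries and case-insensitive, because resource ids come back in inconsistent casing and a naive prefix test would let `rg-app` match `rg-apples`. And the set of risky roles depends on the vault's permission model: switching to `enableRbacAuthorization` removes Contributor from the list but not Owner or User Access Administrator, so the review of who holds those at subscription and resource-group scope is still required.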