Azure Policy built-in policy definitions for Key Vault

This page is an index of Azure Policy built-in policy definitions for Key Vault. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the GitHub column to view the source on the Azure Policy GitHub repo.

Key Vault (service)

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault that is missing these diagnostic settings is created or updated. | deployIfNotExists | 2.0.0 | Link |
| Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Diagnostic logs in Key Vault should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |
| Key Vault objects should be recoverable | This policy audits if key vault objects are not recoverable. The Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. | Audit, Disabled | 1.0.0 | Link |
| Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | Link |

Next steps