Azure Security Baseline for Azure Database for MariaDB

The Azure Security Baseline for Azure Database for MariaDB contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Configure Private Link for Azure Database for MariaDB with Private Endpoints. Private Link allows you to connect to various PaaS services in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). Traffic between your virtual network and the MariaDB instance travels the Microsoft backbone network.

Alternatively, you may use Virtual Network Service Endpoints to protect and limit network access to your Azure Database for MariaDB implementations. Virtual network rules are one firewall security feature that controls whether your Azure Database for MariaDB accepts communications sent from particular subnets in virtual networks.

You may also secure your Azure Database for MariaDB server with firewall rules. The server firewall prevents all access to your database server until you specify which computers have permission. To configure your firewall, you create firewall rules that specify ranges of acceptable IP addresses. You can create firewall rules at the server level.

How to configure Private Link for Azure Database for MariaDB: https://docs.azure.cn/mariadb/howto-configure-privatelink-portal

How to create and manage VNet service endpoints and VNet rules in Azure Database for MariaDB server: https://docs.azure.cn/mariadb/howto-manage-vnet-portal

How to configure Azure Database for MariaDB firewall rules: https://docs.azure.cn/mariadb/concepts-firewall-rules

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: When your Azure Database for MariaDB server is secured to a private endpoint, you can deploy virtual machines in the same virtual network. You can use a network security group (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send the logs to a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

How to configure Private Link for Azure Database for MariaDB: https://docs.azure.cn/mariadb/howto-configure-privatelink-portal

How to enable NSG flow logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to enable and use Traffic Analytics: https://docs.azure.cn/network-watcher/traffic-analytics

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets and flow logs

Guidance: When your Azure Database for MariaDB server is secured to a private endpoint, you can deploy virtual machines in the same virtual network. You can then configure a network security group (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send the logs to a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

How to enable NSG flow logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to enable and use Traffic Analytics: https://docs.azure.cn/network-watcher/traffic-analytics

Azure Security Center monitoring: Yes

Responsibility: Customer
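
The traffic audit that controls 1.2 and 1.5 describe, as an added example that is not part of this baseline or of Azure's own tooling: a Python script that walks NSG flow log (version 2) records and reports flows to the MariaDB port from sources outside an approved application subnet, unusually large server-to-client transfers, and denied attempts. The record, the IP addresses, the approved subnet and the byte threshold are constructed for illustration.

```python
"""Review NSG flow log v2 records for traffic to a MariaDB server.

Added example; the record layout follows the NSG flow log version 2
schema (records -> properties.flows[].flows[].flowTuples[]). The sample
record, addresses, subnet and threshold below are constructed.
"""
import ipaddress
import json

MARIADB_PORT = 3306
# Constructed: the subnet the application tier is expected to connect from.
APPROVED_SUBNETS = [ipaddress.ip_network("10.1.0.0/24")]
# Constructed: bytes returned by the server above which a flow is reviewed.
EXFIL_BYTES_THRESHOLD = 5_000_000

# Constructed sample: one v2 record with an allow rule and a deny rule.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2020-01-01T12:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_allow-mariadb",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     # ts,src,dst,sport,dport,proto,dir,decision,state,
                     # pkts s2d,bytes s2d,pkts d2s,bytes d2s
                     "1577880000,10.1.0.4,10.1.1.5,49152,3306,T,O,A,E,120,15000,200,6000000",
                     "1577880010,10.9.9.9,10.1.1.5,49153,3306,T,O,A,E,10,900,12,1200",
                 ]}]},
                {"rule": "DefaultRule_DenyAllOutBound",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     # A flow in state B (begin) carries no byte counters yet.
                     "1577880020,10.1.0.4,203.0.113.7,49154,3306,T,O,D,B",
                 ]}]},
            ],
        },
    }]
})


def parse_tuple(t: str) -> dict:
    """Split one v2 flowTuple string into named fields.

    Counters are optional: flows that only have the begin state carry
    nine fields, so missing counters are reported as zero.
    """
    f = t.split(",")
    return {
        "ts": int(f[0]), "src": f[1], "dst": f[2],
        "sport": int(f[3]), "dport": int(f[4]),
        "proto": f[5], "direction": f[6], "decision": f[7],
        "state": f[8] if len(f) > 8 else "",
        "bytes_s2d": int(f[10]) if len(f) > 10 and f[10] else 0,
        "bytes_d2s": int(f[12]) if len(f) > 12 and f[12] else 0,
    }


def iter_tuples(flow_log_json: str):
    """Yield every flow tuple in the log, tagged with the NSG rule that matched."""
    for record in json.loads(flow_log_json)["records"]:
        for rule_entry in record["properties"]["flows"]:
            for flow in rule_entry["flows"]:
                for t in flow["flowTuples"]:
                    rec = parse_tuple(t)
                    rec["rule"] = rule_entry["rule"]
                    yield rec


def review_flows(flow_log_json: str) -> list:
    """Return findings for flows whose destination port is the MariaDB port."""
    findings = []
    for rec in iter_tuples(flow_log_json):
        if rec["dport"] != MARIADB_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        approved = any(src in net for net in APPROVED_SUBNETS)
        if rec["decision"] == "A" and not approved:
            findings.append(("unexpected-source", rec["src"], rec["dst"], rec["rule"]))
        if rec["decision"] == "A" and rec["bytes_d2s"] > EXFIL_BYTES_THRESHOLD:
            findings.append(("large-transfer", rec["src"], rec["dst"], rec["bytes_d2s"]))
        if rec["decision"] == "D":
            findings.append(("denied", rec["src"], rec["dst"], rec["rule"]))
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOW_LOG):
        print(finding)
```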

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources that need access to your Azure Database for MariaDB instances, use virtual network service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. Note: Azure Database for MariaDB uses the "Microsoft.Sql" service tag.

For more information about using service tags: https://docs.azure.cn/virtual-network/service-tags-overview

Understand service tag usage for Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-data-access-security-vnet#terminology-and-description

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network settings and network resources associated with your Azure Database for MariaDB instances with Azure Policy. Use Azure Policy aliases in the "Microsoft.DBforMariaDB" and "Microsoft.Network" namespaces to create custom policies that audit or enforce the network configuration of your Azure Database for MariaDB instances. You may also make use of built-in policy definitions related to networking or to your Azure Database for MariaDB instances, such as:

  • Private endpoint should be enabled for MariaDB servers

  • MariaDB server should use a virtual network service endpoint

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Policy samples for networking: https://docs.azure.cn/governance/policy/samples/

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for resources related to network security and traffic flow for your MariaDB instances to provide metadata and logical organization.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor network resource configurations and detect changes to network resources related to your Azure Database for MariaDB instances. Create alerts within Azure Monitor that trigger when changes to critical network resources take place.

How to view and retrieve Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/activity-log-view

How to create alerts in Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Azure maintains the time source used for Azure resources, such as Azure Database for MariaDB, for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

2.2: Configure central security log management

Guidance: Enable Diagnostic Settings and Server Logs, and ingest the logs to aggregate the security data generated by your Azure Database for MariaDB instances. Within Azure Monitor, use Log Analytics workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Alternatively, you may enable and onboard the data to a third-party SIEM.

How to configure and access Server Logs for Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-server-logs

How to configure and access audit logs for Azure Database for MariaDB: https://docs.azure.cn/mariadb/howto-configure-audit-logs-portal

Azure Security Center monitoring: Not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Diagnostic Settings on your Azure Database for MariaDB instances for access to audit, security, and diagnostic logs. Ensure that you specifically enable the MariaDB audit log. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. You may also enable Azure Activity Log Diagnostic Settings and send the logs to the same Log Analytics workspace or Storage Account.

How to configure and access Server Logs for Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-server-logs

How to configure and access audit logs for Azure Database for MariaDB: https://docs.azure.cn/mariadb/howto-configure-audit-logs-portal

How to configure Diagnostic Settings for the Azure Activity Log: https://docs.azure.cn/azure-monitor/platform/diagnostic-settings-legacy

Azure Security Center monitoring: Not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, for the Log Analytics workspace being used to hold your Azure Database for MariaDB logs, set the retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

How to set log retention parameters for Log Analytics workspaces: https://docs.azure.cn/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Storing resource logs in an Azure Storage Account: https://docs.azure.cn/azure-monitor/platform/resource-logs-collect-storage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs from your MariaDB instances for anomalous behavior. Use Azure Monitor's Log Analytics workspace to review logs and perform queries on log data. Alternatively, you may enable and onboard the data to a third-party SIEM.

For more information about the Log Analytics workspace: https://docs.azure.cn/azure-monitor/log-query/get-started-portal

How to perform custom queries in Azure Monitor: https://docs.azure.cn/azure-monitor/log-query/get-started-queries

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; MariaDB does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; MariaDB does not process or produce DNS related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this benchmark item is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain an inventory of the user accounts that have administrative access to the management plane (Azure portal/Azure Resource Manager) of your MariaDB instances. In addition, maintain an inventory of the administrative accounts that have access to the data plane of your MariaDB instances. (When creating the MariaDB server, you provide credentials for an administrator user. This administrator can be used to create additional MariaDB users.)

Understand access management for MariaDB: https://docs.azure.cn/mariadb/concepts-security#access-management

Understand Azure built-in roles for Azure subscriptions: https://docs.azure.cn/role-based-access-control/built-in-roles

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Azure Active Directory does not have the concept of default passwords.

Upon creation of the MariaDB resource itself, Azure forces the creation of an administrative user with a strong password. However, once the MariaDB instance has been created, you may use the first server admin account you created to create additional users and grant administrative access to them. When creating these accounts, ensure you configure a different, strong password for each account.

How to create additional accounts for MariaDB: https://docs.azure.cn/mariadb/howto-create-users

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts that have access to your MariaDB instances. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Understand Azure Security Center Identity and Access: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations.

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

How to monitor identity and access within Azure Security Center: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use PAWs (privileged access workstations) with MFA configured to log in to and configure Azure resources.

Learn about Privileged Access Workstations: https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access only from specific logical groupings of IP address ranges or countries/regions, limiting access to Azure resources such as MariaDB.

How to configure Named Locations in Azure: https://docs.azure.cn/active-directory/reports-monitoring/quickstart-configure-named-locations

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AAD) as the central authentication and authorization system. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials.

Azure AD authentication cannot be used for direct access to the MariaDB data plane; however, Azure AD credentials may be used for administration at the management plane level (for example, the Azure portal) to control MariaDB admin accounts.

How to update the admin password for MariaDB: https://docs.azure.cn/mariadb/howto-create-manage-server-portal#update-admin-password

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Review the Azure Active Directory logs to help discover stale accounts, which can include those with MariaDB administrative roles. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications that may be used to access MariaDB, and role assignments. User access should be reviewed on a regular basis, such as every 90 days, to make sure only the right users have continued access.

Understand Azure AD reporting: https://docs.azure.cn/active-directory/reports-monitoring/

How to use Azure Identity Access Reviews: https://docs.azure.cn/active-directory/governance/access-reviews-overview

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated accounts

Guidance: Enable Diagnostic Settings for MariaDB and Azure Active Directory, sending all logs to a Log Analytics workspace. Configure the desired alerts (such as on failed authentication attempts) within the Log Analytics workspace.

How to configure and access Server Logs for MariaDB: https://docs.azure.cn/mariadb/concepts-server-logs

How to configure and access audit logs for MariaDB: https://docs.azure.cn/mariadb/howto-configure-audit-logs-portal

How to integrate Azure Activity Logs into Azure Monitor: https://docs.azure.cn/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

Azure Security Center monitoring: Not available

Responsibility: Customer
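
The failed-authentication alerting this control asks for, together with the anomalous-behavior review in 2.6, as an added example that is not from this baseline or from Azure: a Python script that parses MariaDB audit log lines in the server_audit plugin's file format (the same CONNECT events that the Azure audit log exposes as columns) and raises an alert on a burst of failed CONNECT attempts from one user/client pair and on any attempt by an account on a deactivated list. The sample lines, the deactivated-account list, the window and the threshold are constructed.

```python
"""Flag failed and deactivated-account logins in MariaDB audit log lines.

Added example. Line layout is the MariaDB server_audit plugin format:
timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
For CONNECT events retcode is 0 on success and the server error code
(for example 1045, access denied) on failure. All sample data is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one healthy session, three failures for a
# deactivated account from one client, one isolated failure.
SAMPLE_AUDIT_LINES = """\
20200101 12:00:01,mariadb01,app_user,10.1.0.4,101,0,CONNECT,appdb,,0
20200101 12:00:05,mariadb01,app_user,10.1.0.4,101,7,QUERY,appdb,'SELECT 1',0
20200101 12:00:30,mariadb01,old_admin,10.9.9.9,102,0,CONNECT,,,1045
20200101 12:00:31,mariadb01,old_admin,10.9.9.9,103,0,CONNECT,,,1045
20200101 12:00:32,mariadb01,old_admin,10.9.9.9,104,0,CONNECT,,,1045
20200101 12:00:33,mariadb01,report_user,10.1.0.7,105,0,CONNECT,appdb,,1045
20200101 12:00:40,mariadb01,app_user,10.1.0.4,101,9,DISCONNECT,appdb,,0
"""

FAILED_LOGIN_THRESHOLD = 3          # constructed: failures per user/client pair
WINDOW = timedelta(minutes=5)       # constructed: sliding window for the count
DEACTIVATED_ACCOUNTS = {"old_admin"}  # constructed: accounts that must never log in


def parse_line(line: str) -> dict:
    """Split one audit line into fields.

    The object field may hold a quoted query containing commas, so the
    first seven fields are split from the left, the retcode from the
    right, and database/object from whatever remains.
    """
    parts = line.rstrip("\n").split(",", 7)
    ts, host, user, client, conn_id, query_id, op = parts[:7]
    middle, retcode = parts[7].rsplit(",", 1)
    database, obj = middle.split(",", 1)
    return {
        "ts": datetime.strptime(ts, "%Y%m%d %H:%M:%S"),
        "host": host, "user": user, "client": client,
        "conn_id": int(conn_id), "query_id": int(query_id), "op": op,
        "database": database, "object": obj, "retcode": int(retcode),
    }


def detect(audit_text: str) -> list:
    """Return alerts as (kind, user, client, detail) tuples."""
    alerts = []
    failures = defaultdict(list)  # (user, client) -> timestamps of failed CONNECTs
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["op"] != "CONNECT":
            continue
        if ev["user"] in DEACTIVATED_ACCOUNTS:
            alerts.append(("deactivated-account-attempt", ev["user"], ev["client"], ev["retcode"]))
        if ev["retcode"] != 0:
            key = (ev["user"], ev["client"])
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failures[key] = recent
            # Alert exactly once, when the threshold is first reached.
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed-login-burst", ev["user"], ev["client"], len(recent)))
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts by kind, the shape a dashboard or SIEM rule would consume."""
    return dict(Counter(a[0] for a in alerts))


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(alert)
```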

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure Database for MariaDB instances or related resources that store or process sensitive information.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Use a combination of Private Link, service endpoints, and/or MariaDB firewall rules to isolate and limit network access to your MariaDB instances.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to configure Private Link for Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-data-access-security-private-link

How to configure service endpoints for Azure Database for MariaDB: https://docs.azure.cn/mariadb/howto-manage-vnet-portal

How to configure firewall rules for Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-firewall-rules

Azure Security Center monitoring: Not available

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: When using Azure VMs to access MariaDB instances, make use of Private Link, MariaDB network configurations, network security groups, and service tags to mitigate the possibility of data exfiltration.

Azure manages the underlying infrastructure for MariaDB and has implemented strict controls to prevent the loss or exposure of customer data.

How to mitigate data exfiltration for Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-data-access-security-private-link

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: Azure Database for MariaDB supports connecting your Azure Database for MariaDB server to client applications using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Enforcing TLS connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application. In the Azure portal, ensure "Enforce SSL connection" is enabled for all of your MariaDB instances.

How to configure encryption in transit for MariaDB: https://docs.azure.cn/mariadb/howto-configure-ssl

Azure Security Center monitoring: Not available

Responsibility: Shared
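
The network controls in 1.1 (firewall rules, VNet rules, private endpoints) and the TLS enforcement setting in this control, checked together in one added example that is not from this baseline or from Azure: a Python script that reviews a server definition and reports TLS not enforced, over-broad or allow-all firewall rules, the 0.0.0.0 rule that admits any Azure-hosted address, and public access with no private network path. The property names (sslEnforcement, publicNetworkAccess, privateEndpointConnections, firewallRules with startIpAddress/endIpAddress, virtualNetworkRules) mirror the ARM resource layout as assumed here, and the sample server and the range threshold are constructed.

```python
"""Check a MariaDB server definition against the baseline's network/TLS controls.

Added example. The dictionary layout is an assumption that mirrors the
Microsoft.DBforMariaDB/servers ARM resource and its firewallRules and
virtualNetworkRules child resources; the sample server is constructed.
"""
import ipaddress

MAX_RANGE_SIZE = 1024  # constructed: public ranges above this many addresses are flagged

# Constructed sample: TLS off, an allow-Azure-services rule, a /24, and an allow-all rule.
SAMPLE_SERVER = {
    "name": "mariadb-prod-01",
    "properties": {
        "sslEnforcement": "Disabled",
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [],
    },
    "firewallRules": [
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "office", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"},
        {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
    "virtualNetworkRules": [],
}


def range_size(start: str, end: str) -> int:
    """Number of IPv4 addresses covered by an inclusive start/end rule."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def check_firewall_rules(rules: list) -> list:
    """Findings for server-level firewall rules (control 1.1)."""
    findings = []
    for rule in rules:
        start, end = rule["startIpAddress"], rule["endIpAddress"]
        if start == "0.0.0.0" and end == "0.0.0.0":
            # Sentinel rule: allows connections from any Azure-hosted address,
            # not only from this subscription, so it should be reviewed.
            findings.append(("azure-services-rule", rule["name"]))
            continue
        size = range_size(start, end)
        if start == "0.0.0.0" and end == "255.255.255.255":
            findings.append(("allow-all", rule["name"]))
        elif size > MAX_RANGE_SIZE:
            findings.append(("broad-range", rule["name"], size))
    return findings


def check_server(server: dict) -> list:
    """Return (kind, detail...) findings for one server definition."""
    findings = []
    props = server["properties"]
    # Control 4.4: the "Enforce SSL connection" setting maps to sslEnforcement.
    if props.get("sslEnforcement") != "Enabled":
        findings.append(("tls-not-enforced", server["name"]))
    findings.extend(check_firewall_rules(server.get("firewallRules", [])))
    # Control 1.1: a VNet rule or a private endpoint gives a private path;
    # public access with neither means every client arrives over the internet.
    has_private_path = bool(server.get("virtualNetworkRules")) or bool(
        props.get("privateEndpointConnections"))
    if props.get("publicNetworkAccess", "Enabled") == "Enabled" and not has_private_path:
        findings.append(("no-private-network-path", server["name"]))
    return findings


if __name__ == "__main__":
    for finding in check_server(SAMPLE_SERVER):
        print(finding)
```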

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Database for MariaDB. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Azure, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not available

Responsibility: Shared

4.6:使用 Azure RBAC 控制对资源的访问4.6: Use Azure RBAC to control access to resources

指导:使用 Azure 基于角色的访问控制 (Azure RBAC) 来控制对 Azure Database for MariaDB 管理平面(Azure 门户/Azure 资源管理器)的访问。Guidance: Use Azure role-based access control (Azure RBAC) to control access to the Azure Database for the MariaDB management plane (Azure portal/Azure Resource Manager). 对于数据平面访问(在数据库本身内),使用 SQL 查询创建用户并配置用户权限。For data plane access (within the database itself), use SQL queries to create users and configure user permissions.

如何配置 Azure RBAC: https://docs.azure.cn/role-based-access-control/role-assignments-portalHow to configure Azure RBAC: https://docs.azure.cn/role-based-access-control/role-assignments-portal

如何使用 SQL 为 MariaDB 配置用户访问: https://docs.azure.cn/mariadb/howto-create-usersHow to configure user access with SQL for MariaDB: https://docs.azure.cn/mariadb/howto-create-users
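Data-plane least privilege is done with SQL, and the part that usually goes wrong is not creating the account but reviewing what accumulated afterwards. The following is an added example, not code from the page or from Microsoft: it generates the `CREATE USER`/`GRANT` statements for an application account confined to one database and a fixed set of privileges, and it audits `SHOW GRANTS` output for global-scope grants, `ALL PRIVILEGES` and `WITH GRANT OPTION`. The sample grants are constructed; the privilege allowlist is an assumption to adjust per application.

```python
import re

# Constructed sample of `SHOW GRANTS FOR ...` output for several accounts.
# On Azure Database for MariaDB clients log in as user@servername, but the
# account stored in the server is just 'user'@'host', as shown here.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO 'app_reader'@'%' IDENTIFIED BY PASSWORD '*HASH'
GRANT SELECT ON `orders`.* TO 'app_reader'@'%'
GRANT ALL PRIVILEGES ON *.* TO 'reporting'@'%' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE ON `orders`.* TO 'app_writer'@'10.0.1.%'
GRANT SELECT ON *.* TO 'batch'@'%'
"""

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)'(?P<rest>.*)$"
)

# Privileges an ordinary application account is allowed to hold (ASSUMPTION).
APP_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE"}


def audit_grants(show_grants_output):
    """Return {"'user'@'host'": [findings]} for grants that exceed least privilege."""
    findings = {}
    for line in show_grants_output.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        account = f"'{m['user']}'@'{m['host']}'"
        problems = []
        if "ALL PRIVILEGES" in privs or "ALL" in privs:
            problems.append("ALL PRIVILEGES granted")
        # USAGE ON *.* is the empty grant every account carries; anything else
        # at global scope reaches every database on the server.
        if m["scope"] == "*.*" and privs != {"USAGE"}:
            problems.append(f"global scope *.* for {', '.join(sorted(privs))}")
        if "WITH GRANT OPTION" in m["rest"].upper():
            problems.append("WITH GRANT OPTION lets the account re-grant its rights")
        if problems:
            findings.setdefault(account, []).extend(problems)
    return findings


def _quote(value):
    """Escape a value for a single-quoted SQL string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def least_privilege_statements(user, host, database, privileges, password):
    """Build CREATE USER / GRANT statements for an application account that is
    confined to one database and to APP_PRIVILEGES; raise on anything broader."""
    wanted = [p.upper() for p in privileges]
    disallowed = sorted(set(wanted) - APP_PRIVILEGES)
    if disallowed:
        raise ValueError(f"not allowed for an application account: {disallowed}")
    db = "`" + database.replace("`", "``") + "`"
    account = f"'{_quote(user)}'@'{_quote(host)}'"
    return [
        f"CREATE USER {account} IDENTIFIED BY '{_quote(password)}';",
        f"GRANT {', '.join(wanted)} ON {db}.* TO {account};",
        "FLUSH PRIVILEGES;",
    ]


if __name__ == "__main__":
    for account, problems in audit_grants(SAMPLE_GRANTS).items():
        print(account, problems)
    print("\n".join(least_privilege_statements("app_writer", "10.0.1.%", "orders",
                                               ["SELECT", "INSERT", "UPDATE", "DELETE"],
                                               "<generated-password>")))
```

Run the generated statements as the server admin user; the audit function takes the concatenated output of `SHOW GRANTS FOR` each account you enumerate from `SELECT user, host FROM mysql.user`. Narrowing `host` to a subnet pattern, as `app_writer` does, complements rather than replaces the server firewall and VNet rules from control 1.1.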

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this guideline is intended for compute resources.

Azure manages the underlying infrastructure for MariaDB and has implemented strict controls to prevent the loss or exposure of customer data.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Azure

4.8: Encrypt sensitive information at rest

Guidance: The Azure Database for MariaDB service uses a FIPS 140-2 validated cryptographic module for storage encryption of data at rest. Data, including backups, is encrypted on disk, with the exception of temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

Understand encryption at rest for MariaDB: https://docs.azure.cn/mariadb/concepts-security

Azure Security Center monitoring: Not applicable

Responsibility: Azure

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Azure Database for MariaDB and other critical or related resources.

How to create alerts for Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Currently not available; Azure Security Center does not yet support vulnerability assessment for Azure Database for MariaDB server.

Azure Security Center monitoring: Yes

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated third-party software patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Azure performs vulnerability management on the underlying systems that support Azure Database for MariaDB server.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query and discover all resources (including Azure Database for MariaDB server) within your subscription(s). Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions.

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

How to view your Azure subscriptions: https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription

Understand Azure RBAC: https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure Database for MariaDB server and other related resources, giving metadata to logically organize them into a taxonomy.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Database for MariaDB server and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

In addition, use Azure Resource Graph to query/discover resources within the subscription(s).

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal
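Controls 6.1 through 6.5 describe one loop: enumerate everything with Resource Graph, compare it against the resource types and tags you approved, and feed the approved list back into the built-in "Allowed resource types" policy. The following is an added example, not code from the page or from Microsoft, that runs that reconciliation over rows in the shape Resource Graph returns. The rows, the allowlist and the required tags are constructed; the policy parameter name `listOfResourceTypesAllowed` is an assumption to confirm against the built-in definition before use.

```python
# Query to run with `az graph query -q "..."` (needs the resource-graph CLI
# extension) or in the portal's Resource Graph Explorer; it feeds the rows below.
RESOURCE_GRAPH_QUERY = """
resources
| project name, type, resourceGroup, subscriptionId, location, tags
"""

# Constructed rows in the shape Resource Graph returns. Types come back in
# lowercase there; one row uses Resource Manager casing to show that the
# comparison below is case-insensitive.
SAMPLE_RESOURCES = [
    {"name": "mariadb-prod-01", "type": "microsoft.dbformariadb/servers",
     "resourceGroup": "rg-prod", "tags": {"environment": "production", "owner": "dba-team"}},
    {"name": "mariadb-dev-01", "type": "Microsoft.DBforMariaDB/servers",
     "resourceGroup": "rg-dev", "tags": {"environment": "dev"}},
    {"name": "vm-jumpbox", "type": "microsoft.compute/virtualmachines",
     "resourceGroup": "rg-prod", "tags": None},
    {"name": "kv-prod", "type": "microsoft.keyvault/vaults",
     "resourceGroup": "rg-prod", "tags": {"environment": "production", "owner": "sec"}},
]

# What this (constructed) subscription is allowed to contain, and which tags
# every resource must carry so alerts can be triaged (see control 10.2).
ALLOWED_TYPES = {
    "microsoft.dbformariadb/servers",
    "microsoft.keyvault/vaults",
    "microsoft.network/privateendpoints",
}
REQUIRED_TAGS = ("environment", "owner")


def find_unapproved(resources, allowed_types):
    """Names of resources whose type is outside the allowlist (case-insensitive)."""
    allowed = {t.lower() for t in allowed_types}
    return sorted(r["name"] for r in resources if r["type"].lower() not in allowed)


def find_untagged(resources, required_tags):
    """Map resource name -> list of required tags that are missing or empty.
    Resource Graph returns tags as null when a resource has none."""
    missing = {}
    for r in resources:
        tags = r.get("tags") or {}
        absent = [t for t in required_tags if not tags.get(t)]
        if absent:
            missing[r["name"]] = absent
    return missing


def allowed_types_policy_parameters(allowed_types):
    """Parameter value to assign the built-in 'Allowed resource types' policy with.
    ASSUMPTION: its parameter is named listOfResourceTypesAllowed; confirm with
    `az policy definition list --query "[?displayName=='Allowed resource types'].parameters"`."""
    return {"listOfResourceTypesAllowed": {"value": sorted(allowed_types)}}


if __name__ == "__main__":
    print("unapproved:", find_unapproved(SAMPLE_RESOURCES, ALLOWED_TYPES))
    print("untagged:", find_untagged(SAMPLE_RESOURCES, REQUIRED_TAGS))
    print("policy parameters:", allowed_types_policy_parameters(ALLOWED_TYPES))
```

The two audit functions are what you run on a schedule; the parameter builder is what you assign once so that the unapproved type can no longer be created, which is the difference between control 6.5 (detect) and 6.9 (prevent).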

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to deny a specific resource type with Azure Policy: https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app. This can prevent the creation of and changes to resources within a high-security environment, such as an Azure Database for MariaDB server containing sensitive information.

How to configure Conditional Access to block access to Azure Resource Manager: https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Azure Database for MariaDB instances with Azure Policy. Use Azure Policy aliases in the "Microsoft.DBforMariaDB" namespace to create custom policies to audit or enforce the network configuration of your Azure Database for MariaDB servers. You may also make use of built-in policy definitions related to your Azure Database for MariaDB servers, such as:

  • Geo-redundant backup should be enabled for Azure Database for MariaDB

How to view available Azure Policy aliases: https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage
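A custom policy built on a "Microsoft.DBforMariaDB" alias is a small JSON rule, but it is worth seeing how its `if` block is evaluated against a resource before choosing between the [audit] and [deny] effects that controls 7.3 and 7.9 refer to. The following is an added example, not code from the page or from Microsoft: it holds a policy rule that flags servers whose `sslEnforcement` is not `Enabled` (tying back to control 4.4), plus a minimal evaluator for the `allOf`/`anyOf`/`not`/`equals`/`notEquals`/`exists` condition forms so you can dry-run the rule against sample resource bodies offline. The alias `Microsoft.DBforMariaDB/servers/sslEnforcement` is an assumption to confirm with `Get-AzPolicyAlias` (the cmdlet linked above); the sample resources are constructed.

```python
# Rule body in the shape `az policy definition create --rules` consumes.
# ASSUMPTION: the alias Microsoft.DBforMariaDB/servers/sslEnforcement exists;
# list the real aliases with
#   Get-AzPolicyAlias -NamespaceMatch 'Microsoft.DBforMariaDB'
# before assigning anything.
TLS_POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.DBforMariaDB/servers"},
            {"field": "Microsoft.DBforMariaDB/servers/sslEnforcement", "notEquals": "Enabled"},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}

# Parameter block (`--params`): start with Audit, switch the assignment to Deny
# once the audit results show no legitimate exceptions remain.
TLS_POLICY_PARAMETERS = {
    "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}
}

# Constructed resource bodies as Resource Manager would present them to Policy.
SAMPLE_RESOURCES = [
    {"name": "mariadb-prod-01", "type": "Microsoft.DBforMariaDB/servers",
     "properties": {"sslEnforcement": "Enabled"}},
    {"name": "mariadb-dev-01", "type": "Microsoft.DBforMariaDB/servers",
     "properties": {"sslEnforcement": "Disabled"}},
    {"name": "stprod", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
]


def _field_value(field, resource):
    """Resolve a policy field against a resource body. Alias fields are
    '<type>/<property>' and read from resource['properties']; an alias for a
    different type resolves to None (the type condition then filters it out)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if field.lower().startswith(prefix.lower()):
        return resource.get("properties", {}).get(field[len(prefix):])
    return None


def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value


def condition_holds(cond, resource):
    """Evaluate one policy condition (logical or field form) for a resource."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = _field_value(cond["field"], resource)
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition keys: {sorted(cond)}")


def policy_fires(rule, resource):
    """True when the rule's `if` block matches, i.e. the `then` effect applies."""
    return condition_holds(rule["if"], resource)


def evaluate_all(rule, resources, effect="Audit"):
    """Map each matching resource name to the effect it would receive."""
    return {r["name"]: effect for r in resources if policy_fires(rule, r)}


if __name__ == "__main__":
    print(evaluate_all(TLS_POLICY_RULE, SAMPLE_RESOURCES, effect="Deny"))
```

With the two dictionaries written to `rule.json` and `params.json`, `az policy definition create --name mariadb-require-tls --mode Indexed --rules rule.json --params params.json` registers the definition and `az policy assignment create --policy mariadb-require-tls --scope <scope id> --params '{"effect": {"value": "Deny"}}'` assigns it. The evaluator only models the condition forms used here; real Policy evaluation also handles `like`, `in`, `count` and template functions, so treat it as a dry run, not a substitute for the compliance view.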

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Understand Azure Policy effects: https://docs.azure.cn/governance/policy/concepts/effects

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely store configuration of Azure resources

Guidance: If using custom Azure Policy definitions for your Azure Database for MariaDB servers and related resources, use Azure Repos to securely store and manage your code.

How to store code in Azure DevOps

Azure Repos documentation

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use Azure Policy aliases in the "Microsoft.DBforMariaDB" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use Azure Policy aliases in the "Microsoft.DBforMariaDB" namespace to create custom policies to alert, audit, and enforce system configurations. Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure Database for MariaDB instances and related resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

How to set up Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html
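Credential Scanner is the tool the page recommends; the example below shows, in miniature, what such a scanner has to recognise for MariaDB connection strings specifically, so you can judge its findings and write a pre-commit check where the full tool is not available. It is an added example, not code from the page, from Microsoft or from Credential Scanner: it flags passwords embedded in `mysql://` URLs (where the Azure login `user@server` has to be percent-encoded as `user%40server`), `Pwd=`/`Password=` pairs in key-value connection strings, and literal assignments to password-like variables, while ignoring values pulled from the environment or left as template placeholders. The source snippet and hostnames are constructed, and secrets are redacted in the output rather than echoed.

```python
import re

# Constructed source snippet: three leaks a scanner must catch and two safe
# patterns it must leave alone. Hostnames are placeholders.
SAMPLE_SOURCE = '''\
import os
DB_URL = "mysql://app%40mariadb-prod-01:Sup3rSecret!@mariadb-prod-01.mariadb.database.example:3306/orders"
conn_str = "Server=mariadb-dev-01.mariadb.database.example;Database=orders;Uid=app@mariadb-dev-01;Pwd=hunter2;SslMode=Required;"
password = os.environ["DB_PASSWORD"]   # resolved from Key Vault at deploy time: fine
# password = "changeme"
TEMPLATE = "Server=mariadb-dev-01.mariadb.database.example;Pwd=${DB_PASSWORD};"
'''

# Double- or single-quoted string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r"\"((?:[^\"\\]|\\.)*)\"|'((?:[^'\\]|\\.)*)'")
# scheme://user:password@host ... (scheme variants like mysql+pymysql included)
URL_CREDENTIAL = re.compile(r"\b(?:mysql|mariadb)(?:\+\w+)?://([^:/\s]+):([^@\s]+)@", re.I)
# Pwd=... or Password=... inside a key=value connection string
KEY_VALUE_CREDENTIAL = re.compile(r"\b(?:password|pwd)\s*=\s*([^;\s\"']+)", re.I)
# password = "literal" (also passwd/pwd/secret, ':' for YAML-style keys)
LITERAL_ASSIGNMENT = re.compile(
    r"\b(?:password|passwd|pwd|secret)\w*\s*[:=]\s*[\"']([^\"']+)[\"']", re.I
)
# Values that are templates, not secrets.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")


def _redact(secret):
    return secret[:2] + "***"


def _looks_like_placeholder(value):
    return value.startswith(PLACEHOLDER_PREFIXES)


def scan_for_credentials(source):
    """Return [(line_no, kind, redacted_secret)] for hard-coded DB credentials."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        m = LITERAL_ASSIGNMENT.search(line)
        if m and not _looks_like_placeholder(m.group(1)):
            findings.append((n, "password literal assigned to a variable", _redact(m.group(1))))
        for lit in STRING_LITERAL.finditer(line):
            text = lit.group(1) if lit.group(1) is not None else lit.group(2)
            u = URL_CREDENTIAL.search(text)
            if u and not _looks_like_placeholder(u.group(2)):
                findings.append((n, "password embedded in connection URL", _redact(u.group(2))))
            k = KEY_VALUE_CREDENTIAL.search(text)
            if k and not _looks_like_placeholder(k.group(1)):
                findings.append((n, "Pwd=/Password= in connection string", _redact(k.group(1))))
    return findings


if __name__ == "__main__":
    for line_no, kind, redacted in scan_for_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} ({redacted})")
```

The commented-out line is flagged deliberately: a password in version history is still a password. The remediation the page describes is the same for every finding, moving the value into Key Vault and reading it at runtime as line 4 does, followed by rotating the exposed credential on the server.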

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure App Service); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Database for MariaDB server); however, it does not run on customer content.

Pre-scan any content being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, Azure Database for MariaDB server, etc. Azure cannot access your data in these instances.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Database for MariaDB server); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated backups

Guidance: Azure Database for MariaDB takes full, differential, and transaction log backups. Azure Database for MariaDB automatically creates server backups and stores them in user-configured locally redundant or geo-redundant storage. Backups can be used to restore your server to a point in time. Backup and restore are an essential part of any business continuity strategy because they protect your data from accidental corruption or deletion. The default backup retention period is seven days. You can optionally configure it up to 35 days. All backups are encrypted using AES 256-bit encryption.

Understand backups for MariaDB: https://docs.azure.cn/mariadb/concepts-backup

Understand MariaDB initial configuration: https://docs.azure.cn/mariadb/tutorial-design-database-using-portal

Azure Security Center monitoring: Yes

Responsibility: Shared

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Azure Database for MariaDB automatically creates server backups and stores them in user-configured locally redundant or geo-redundant storage. Backups can be used to restore your server to a point in time. Backup and restore are an essential part of any business continuity strategy because they protect your data from accidental corruption or deletion.

If using Key Vault for client-side data encryption for data stored in your MariaDB server, ensure regular automated backups of your keys.

Understand backups for MariaDB: https://docs.azure.cn/mariadb/concepts-backup

How to back up Key Vault keys: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey

9.3: Validate all backups including customer-managed keys

Guidance: In Azure Database for MariaDB, perform a restore from the original server's backups for periodic testing of backups. There are two types of restore available: point-in-time restore and geo-restore. Point-in-time restore is available with either backup redundancy option and creates a new server in the same region as your original server. Geo-restore is available only if you configured your server for geo-redundant storage, and it allows you to restore your server to a different region.

The estimated time of recovery depends on several factors, including the database sizes, the transaction log size, the network bandwidth, and the total number of databases recovering in the same region at the same time. The recovery time is usually less than 12 hours.

Understand backup and restore in Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-backup#restore
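A restore drill for 9.1 and 9.3 has three decisions that are easy to get wrong under time pressure: which point in time to ask for (it must lie inside the retention window described in 9.1), that the restore goes to a new server so the source is never touched, and that the drill server is verified and then removed. The following is an added example, not code from the page or from Microsoft, that encodes those decisions around the Azure CLI point-in-time restore. It assumes `az mariadb server show` exposes `earliestRestoreDate` and that `az mariadb server restore` accepts `--source-server` and `--restore-point-in-time`, as the MariaDB CLI how-tos describe; the timestamps in the self-test are constructed. Only the pure helpers run offline; `run_restore_drill` shells out to `az` and needs a logged-in CLI.

```python
import subprocess
from datetime import datetime, timedelta, timezone


def parse_az_timestamp(value):
    """Parse timestamps as `az mariadb server show` prints them
    (ISO 8601 with either a '+00:00' offset or a trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def pick_restore_point(earliest_restore_date, now=None, minutes_ago=30):
    """Choose a restore point inside the retained window: recent enough to
    reflect current data, but older than the last few minutes so the log
    backups covering it have already been taken. Raises when retention
    (7 to 35 days, per control 9.1) no longer covers the requested point."""
    now = now or datetime.now(timezone.utc)
    candidate = (now - timedelta(minutes=minutes_ago)).astimezone(timezone.utc)
    if candidate < earliest_restore_date:
        raise ValueError(
            f"{candidate.isoformat()} is older than earliestRestoreDate "
            f"{earliest_restore_date.isoformat()}; retention does not cover it"
        )
    return candidate


def restore_command(resource_group, source_server, drill_server, restore_point):
    """az CLI invocation that restores into a NEW server; the source is untouched.
    ASSUMPTION: flag names as in the Azure Database for MariaDB CLI how-to."""
    return [
        "az", "mariadb", "server", "restore",
        "--resource-group", resource_group,
        "--name", drill_server,
        "--source-server", source_server,
        "--restore-point-in-time", restore_point.strftime("%Y-%m-%dT%H:%M:%SZ"),
    ]


def run_restore_drill(resource_group, source_server, drill_server):
    """Full drill: read earliestRestoreDate, restore to a fresh server, and
    return that server's JSON description for the operator to verify (row
    counts, firewall rules, SSL enforcement) before deleting it with
    `az mariadb server delete`."""
    earliest = subprocess.run(
        ["az", "mariadb", "server", "show", "-g", resource_group, "-n", source_server,
         "--query", "earliestRestoreDate", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    point = pick_restore_point(parse_az_timestamp(earliest))
    subprocess.run(restore_command(resource_group, source_server, drill_server, point), check=True)
    return subprocess.run(
        ["az", "mariadb", "server", "show", "-g", resource_group, "-n", drill_server, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Offline self-check with constructed timestamps; no az call is made here.
    earliest = parse_az_timestamp("2024-05-01T00:00:00+00:00")
    point = pick_restore_point(earliest, now=parse_az_timestamp("2024-05-05T12:00:00Z"))
    print(" ".join(restore_command("rg-prod", "mariadb-prod-01", "mariadb-prod-01-drill", point)))
```

Because the restored server inherits the source's configuration at the restore point, part of the verification is confirming that its firewall rules, VNet rules and "Enforce SSL connection" setting match what you expect before any application is pointed at it, and the drill server should be deleted once the check is recorded.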

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Azure Database for MariaDB takes full, differential, and transaction log backups. These backups allow you to restore a server to any point in time within your configured backup retention period. The default backup retention period is seven days. You can optionally configure it up to 35 days. All backups are encrypted using AES 256-bit encryption.

Understand backup and restore in Azure Database for MariaDB: https://docs.azure.cn/mariadb/concepts-backup

Azure Security Center monitoring: Yes

Responsibility: Customer

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production, non-production) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations to protect your Azure resources.

How to configure Workflow Automation and Logic Apps: https://docs.azure.cn/security-center/workflow-automation

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Azure policies:

https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

You can find more information on Microsoft's strategy and execution of red teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications here: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps