Azure security baseline for Azure Database for PostgreSQL - Single Server

The Azure Security Baseline for Azure Database for PostgreSQL - Single Server contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network security

For more information, see the Azure Security Benchmark: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Configure Private Link for Azure Database for PostgreSQL with Private Endpoints. Private Link allows you to connect to various PaaS services in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). Traffic between your virtual network and PostgreSQL instance travels the Microsoft backbone network.

Alternatively, you may use Virtual Network Service Endpoints to protect and limit network access to your Azure Database for PostgreSQL implementations. Virtual network rules are one firewall security feature that controls whether your Azure Database for PostgreSQL server accepts communications that are sent from particular subnets in virtual networks.

You may also secure your Azure Database for PostgreSQL server with firewall rules. The server firewall prevents all access to your database server until you specify which computers have permission. To configure your firewall, you create firewall rules that specify ranges of acceptable IP addresses. You can create firewall rules at the server level.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: When your Azure Database for PostgreSQL instance is secured to a private endpoint, you can deploy virtual machines in the same virtual network. You can use a network security group (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send logs into a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.5: Record network packets

Guidance: When your Azure Database for PostgreSQL instance is secured to a private endpoint, you can deploy virtual machines in the same virtual network. You can then configure a network security group (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send logs into a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources that need access to your Azure Database for PostgreSQL instances, use virtual network service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Note: Azure Database for PostgreSQL uses the "Microsoft.Sql" service tag.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network settings and network resources associated with your Azure Database for PostgreSQL instances with Azure Policy. Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your Azure Database for PostgreSQL instances. You may also make use of built-in policy definitions related to networking or your Azure Database for PostgreSQL instances, such as:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for resources related to network security and traffic flow for your Azure Database for PostgreSQL instances to provide metadata and logical organization.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value," to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to your Azure Database for PostgreSQL instances. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.1: Use approved time synchronization sources

Guidance: Azure maintains the time source used by Azure resources such as Azure Database for PostgreSQL, for example for the timestamps in its logs.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

2.2: Configure central security log management

Guidance: Enable Diagnostic Settings and Server Logs and ingest logs to aggregate security data generated by your Azure Database for PostgreSQL instances. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Alternatively, you may enable and on-board data to a third-party SIEM.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Diagnostic Settings on your Azure Database for PostgreSQL instances for access to audit, security, and resource logs. Ensure that you specifically enable the PostgreSQL Audit log. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. You may also enable Azure Activity Log Diagnostic Settings and send the logs to the same Log Analytics workspace or Storage Account.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, for the Log Analytics Workspace being used to hold your Azure Database for PostgreSQL logs, set the retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
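As an added example (not part of the baseline text), the diagnostic setting that recommendations 2.2, 2.3 and 2.5 describe, expressed as an ARM template resource: it sends the Single Server log category `PostgreSQLLogs` (which carries the server log and, once pgaudit is enabled, the audit records) and all metrics to both a Log Analytics workspace and a storage account. The server name, workspace and storage account resource IDs, the setting name `security-logs` and the 365-day default are placeholder parameters chosen here; the `retentionPolicy` block only governs the storage-account copy, while workspace retention is configured on the workspace itself.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": { "type": "string" },
    "workspaceResourceId": { "type": "string" },
    "storageAccountResourceId": { "type": "string" },
    "archiveRetentionDays": { "type": "int", "defaultValue": 365 }
  },
  "resources": [
    {
      "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[concat(parameters('serverName'), '/Microsoft.Insights/security-logs')]",
      "properties": {
        "workspaceId": "[parameters('workspaceResourceId')]",
        "storageAccountId": "[parameters('storageAccountResourceId')]",
        "logs": [
          {
            "category": "PostgreSQLLogs",
            "enabled": true,
            "retentionPolicy": {
              "enabled": true,
              "days": "[parameters('archiveRetentionDays')]"
            }
          }
        ],
        "metrics": [
          {
            "category": "AllMetrics",
            "enabled": true,
            "retentionPolicy": {
              "enabled": true,
              "days": "[parameters('archiveRetentionDays')]"
            }
          }
        ]
      }
    }
  ]
}
```

Enabling the PostgreSQL Audit log itself is a server-parameter change (adding pgaudit to shared_preload_libraries, restarting, and setting pgaudit.log), after which its records arrive in the same PostgreSQLLogs category.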

2.6: Monitor and review logs

Guidance: Analyze and monitor logs from your Azure Database for PostgreSQL instances for anomalous behavior. Use Azure Monitor's Log Analytics to review logs and perform queries on log data. Alternatively, you may enable and on-board data to a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Azure Database for PostgreSQL does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Azure Database for PostgreSQL does not process or produce DNS related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain an inventory of the user accounts that have administrative access to the control plane (e.g. Azure portal) of your Azure Database for PostgreSQL instances. In addition, maintain an inventory of the administrative accounts that have access to the data plane (within the database itself) of your Azure Database for PostgreSQL instances. (When creating the PostgreSQL server, you provide credentials for an administrator user. This administrator can be used to create additional PostgreSQL users.)

Azure Database for PostgreSQL does not support built-in role-based access control, but you can create custom roles based on specific resource provider operations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Azure Active Directory and Azure Database for PostgreSQL do not have the concept of default passwords.

Upon creation of the Azure Database for PostgreSQL resource itself, Azure forces the creation of an administrative user with a strong password. However, once the PostgreSQL instance has been created, you may use the first server admin account you created to create additional users and grant administrative access to them. When creating these accounts, ensure you configure a different, strong password for each account.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts that have access to your Azure Database for PostgreSQL instances. Use Azure Security Center Identity and access management to monitor the number of administrative accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable Azure Active Directory Multi-Factor Authentication (MFA) and follow Azure Security Center Identity and Access Management recommendations. When utilizing Azure AD tokens for signing into your database, this allows you to require multi-factor authentication for database sign-ins.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow portal and Azure Resource Manager access from only specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

For signing into Azure Database for PostgreSQL, it is recommended to use Azure AD and use an Azure AD token to connect. When using an Azure AD token, different methods are supported, such as an Azure AD user, an Azure AD group, or an Azure AD application connecting to the database.

Azure AD credentials may also be used for administration at the management plane level (e.g. the Azure portal) to control PostgreSQL admin accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Review the Azure Active Directory logs to help discover stale accounts, which can include those with Azure Database for PostgreSQL administrative roles. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications that may be used to access Azure Database for PostgreSQL, and role assignments. User access should be reviewed on a regular basis, such as every 90 days, to make sure only the right users have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: Enable Diagnostic Settings for Azure Database for PostgreSQL and Azure Active Directory, sending all logs to a Log Analytics workspace. Configure desired alerts (such as failed authentication attempts) within Log Analytics.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data protection

For more information, see the Azure Security Benchmark: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure Database for PostgreSQL instances or related resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Use a combination of Private Link, Service Endpoints, and/or firewall rules to isolate and limit network access to your Azure Database for PostgreSQL instances.

Azure Security Center monitoring: Not available

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: When using Azure Virtual Machines to access Azure Database for PostgreSQL instances, make use of Private Link, PostgreSQL network configurations, network security groups, and service tags to mitigate the possibility of data exfiltration.

Azure manages the underlying infrastructure for Azure Database for PostgreSQL and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Yes

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Azure Database for PostgreSQL supports connecting your PostgreSQL server to client applications using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Enforcing TLS connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application. In the Azure portal, ensure "Enforce SSL connection" is enabled for all of your Azure Database for PostgreSQL instances by default.

Currently the TLS versions supported for Azure Database for PostgreSQL are TLS 1.0, TLS 1.1, and TLS 1.2.

Azure Security Center monitoring: Yes

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to control access to the Azure Database for PostgreSQL control plane (e.g. Azure portal). For data plane access (within the database itself), use SQL queries to create users and configure user permissions. Azure RBAC does not affect user permissions within the database.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft manages the underlying infrastructure for Azure Database for PostgreSQL and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Azure Database for PostgreSQL and other critical or related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Vulnerability management

For more information, see the Azure Security Benchmark: Vulnerability management.

5.1: Run automated vulnerability scanning tools

Guidance: Follow recommendations from Azure Security Center on securing your Azure Database for PostgreSQL and related resources.

Azure performs vulnerability management on the underlying systems that support Azure Database for PostgreSQL.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated patch management solution for third-party software titles

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Azure performs vulnerability management on the underlying systems that support Azure Database for PostgreSQL.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

Inventory and asset management

For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query and discover all resources (including Azure Database for PostgreSQL instances) within your subscriptions. Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure Database for PostgreSQL instances and other related resources, giving metadata to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Database for PostgreSQL instances and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain inventory of approved Azure resources

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

In addition, use the Azure Resource Graph to query/discover resources within the subscription(s).

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Maintain an inventory of approved software titles

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. This can prevent the creation of and changes to resources within a high security environment, such as instances of Azure Database for PostgreSQL containing sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Azure Database for PostgreSQL instances with Azure Policy. Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" namespace to create custom policies to audit or enforce the network configuration of your Azure Database for PostgreSQL instances. You may also make use of built-in policy definitions related to your Azure Database for PostgreSQL instances, such as:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely store configuration of Azure resources

Guidance: If you use custom Azure Policy definitions for your Azure Database for PostgreSQL instances and related resources, use Azure Repos to securely store and manage your code.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy configuration management tools for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" namespace to create custom policies that alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy configuration management tools for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" namespace to create custom policies that alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure Database for PostgreSQL instances and related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
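The policy pattern that 7.1, 7.3, 7.7 and 7.9 describe, as an added example that is not part of the baseline: a definition with a parameterised Audit/Deny effect built on two Microsoft.DBforPostgreSQL aliases (sslEnforcement and publicNetworkAccess, the aliases the built-in SSL-enforcement and public-network-access definitions use), plus a small local evaluator that models enough of the Azure Policy condition language to dry-run the rule against exported resources before assigning it. The evaluator is a simplified model written for this example, not the Azure Policy engine, and the sample resources are constructed.

```python
"""Dry-run an Azure Policy rule for Azure Database for PostgreSQL locally.

Added example (not from the baseline page). The evaluator is a simplified
model of the Azure Policy condition language: allOf/anyOf/not, and field
equals/notEquals/in/exists. Sample resources below are constructed.
"""

# Effect is a parameter so the same definition can be assigned as Audit first
# and switched to Deny once the existing estate is clean.
POSTGRES_HARDENING_POLICY = {
    "properties": {
        "displayName": "PostgreSQL single servers must enforce SSL and disable public network access",
        "mode": "Indexed",
        "parameters": {
            "effect": {
                "type": "String",
                "allowedValues": ["Audit", "Deny", "Disabled"],
                "defaultValue": "Audit",
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.DBforPostgreSQL/servers"},
                    {"anyOf": [
                        {"field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
                         "notEquals": "Enabled"},
                        {"field": "Microsoft.DBforPostgreSQL/servers/publicNetworkAccess",
                         "notEquals": "Disabled"},
                    ]},
                ]
            },
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}


def _resolve(field, resource):
    """Map a policy field or alias onto an ARM resource document."""
    if field in ("id", "name", "type", "location", "kind"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("/"):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _norm(value):
    # Azure Policy compares strings case-insensitively.
    return value.lower() if isinstance(value, str) else value


def evaluate(condition, resource):
    """True when the condition matches, i.e. the effect would apply."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _resolve(condition["field"], resource)
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        # A missing property is "not equal" to anything, so a server that never
        # set publicNetworkAccess is flagged too; add an "exists" guard if that
        # is not the behaviour you want.
        return _norm(value) != _norm(condition["notEquals"])
    if "in" in condition:
        return _norm(value) in {_norm(v) for v in condition["in"]}
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def non_compliant(policy, resources):
    """Names of the resources the policy's effect would apply to."""
    rule = policy["properties"]["policyRule"]["if"]
    return [r["name"] for r in resources if evaluate(rule, r)]


# Constructed sample in the shape of trimmed `az resource list` output.
SAMPLE_SERVERS = [
    {"name": "pg-hardened", "type": "Microsoft.DBforPostgreSQL/servers",
     "properties": {"sslEnforcement": "Enabled", "publicNetworkAccess": "Disabled"}},
    {"name": "pg-public", "type": "Microsoft.DBforPostgreSQL/servers",
     "properties": {"sslEnforcement": "Enabled", "publicNetworkAccess": "Enabled"}},
    {"name": "pg-legacy", "type": "Microsoft.DBforPostgreSQL/servers",
     "properties": {"sslEnforcement": "Disabled"}},
    {"name": "mysql-1", "type": "Microsoft.DBforMySQL/servers",
     "properties": {"sslEnforcement": "Disabled"}},
]

if __name__ == "__main__":
    print("non-compliant:", non_compliant(POSTGRES_HARDENING_POLICY, SAMPLE_SERVERS))
```

Assign the definition with the effect left at Audit, review the non-compliant list, and only then switch the parameter to Deny; the type condition keeps the MySQL server out of scope, and pg-legacy is flagged on both conditions because notEquals matches a property that was never set.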

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.12: Manage identities securely and automatically

Guidance: Azure Database for PostgreSQL server supports Azure Active Directory authentication for access to databases. When creating the Azure Database for PostgreSQL server, you provide credentials for an administrator user. This administrator can be used to create additional database users.

For Azure Virtual Machines or web applications running on Azure App Service that access your Azure Database for PostgreSQL server, use Managed Service Identity together with Azure Key Vault to store and retrieve the credentials for the Azure Database for PostgreSQL server. Ensure Key Vault soft delete is enabled.

Use Managed Identities to provide Azure services with an automatically managed identity in Azure Active Directory (AD). Managed Identities let you authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Azure Security Center monitoring: Yes

Responsibility: Customer
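The credential-free connection that 7.12 recommends, as an added example (not code from the page or from Microsoft): the application's managed identity obtains an Azure AD access token for the PostgreSQL token audience and presents it as the password, so neither a database password nor a Key Vault secret has to exist in the application. It assumes the azure-identity and psycopg2 packages (imported lazily so the helpers can be exercised offline); the server, user and database names are placeholders.

```python
"""Connect to Azure Database for PostgreSQL (single server) as an Azure AD
identity with no password in code or configuration.

Added example, not from the baseline page. Assumes the azure-identity and
psycopg2 packages; placeholder server/user/database names throughout.
"""

# Token audience for Azure AD authentication to Azure Database for PostgreSQL.
OSSRDBMS_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"


def connection_params(server, aad_user, database):
    """Build libpq parameters for a single server.

    Single server expects the login as <aad-user>@<server-name> (the gateway
    routes on the suffix) and requires TLS; sslmode=require is the minimum.
    """
    return {
        "host": f"{server}.postgres.database.azure.com",
        "port": 5432,
        "dbname": database,
        "user": f"{aad_user}@{server}",
        "sslmode": "require",
    }


def aad_access_token(credential=None):
    """Fetch an access token for PostgreSQL from the ambient identity.

    DefaultAzureCredential resolves to the managed identity on a VM or App
    Service and to a developer login locally, so the same code runs in both.
    """
    if credential is None:
        from azure.identity import DefaultAzureCredential  # lazy: optional dependency
        credential = DefaultAzureCredential()
    return credential.get_token(OSSRDBMS_SCOPE).token


def connect(server, aad_user, database, credential=None):
    """Open a psycopg2 connection using the AAD token as the password.

    Tokens expire (typically within an hour), so fetch a fresh one per new
    connection instead of caching it for the life of a pool.
    """
    import psycopg2  # lazy: optional dependency
    params = connection_params(server, aad_user, database)
    params["password"] = aad_access_token(credential)
    return psycopg2.connect(**params)


if __name__ == "__main__":
    # Placeholders: replace with your server, the AAD user/group granted on it,
    # and the database name.
    conn = connect("pgsrv-example", "dbadmin@contoso.com", "appdb")
    with conn.cursor() as cur:
        cur.execute("SELECT current_user")
        print(cur.fetchone()[0])
```

The AAD user or group must first have been created on the server by the Azure AD admin; the application identity then holds no secret at all, which is the property 7.13 below is trying to reach.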

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
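An illustration of the credential-scanning idea in 7.13, as an added example; it is not the Credential Scanner tool itself. It matches the two forms in which PostgreSQL credentials usually leak into code and configuration (key=value connection strings and postgres:// URLs), skips values that are environment-variable or Key Vault references rather than literals, and reports each finding with the secret redacted. The sample source lines are constructed.

```python
"""Scan source or config text for embedded PostgreSQL credentials.

Added example, not the Credential Scanner tool the baseline refers to.
The sample lines are constructed for the example.
"""
import re

# key=value style: Password=...; Pwd=...; password='...'
_KV_PASSWORD = re.compile(
    r"(?i)\b(password|pwd)\s*=\s*(['\"]?)(?P<secret>[^'\";\s]+)\2")
# URL style: postgres://user:secret@host or postgresql://user:secret@host
_URL_PASSWORD = re.compile(
    r"(?i)\bpostgres(?:ql)?://[^:/\s@]+:(?P<secret>[^@\s]+)@")
# Values that are references, not secrets: ${VAR}, %VAR%, <placeholder>,
# App Service Key Vault references, template expressions.
_PLACEHOLDER = re.compile(
    r"(?i)^(\$\{?[A-Z_][A-Z0-9_]*\}?|%[A-Z_]+%|<[^>]+>|@Microsoft\.KeyVault\(.*\)|\{\{.*\}\})$")


def scan_lines(lines):
    """Return (line_number, kind, redacted_line) for every literal secret found."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in (("connection-string", _KV_PASSWORD), ("url", _URL_PASSWORD)):
            for match in pattern.finditer(line):
                secret = match.group("secret")
                if _PLACEHOLDER.match(secret):
                    continue  # env var / Key Vault reference, not a literal
                findings.append((number, kind, line.replace(secret, "***").strip()))
    return findings


# Constructed sample: two real leaks, two safe references, one clean line.
# Single-server logins contain '@', so the URL form needs it encoded as %40.
SAMPLE_SOURCE = [
    'DB_URL = "postgresql://appuser%40pgsrv-example:Sup3rS3cret!@pgsrv-example.postgres.database.azure.com:5432/appdb?sslmode=require"',
    'conn = "Server=pgsrv-example.postgres.database.azure.com;User Id=appuser@pgsrv-example;Password=Sup3rS3cret!;Ssl Mode=Require"',
    'conn = "Server=pgsrv-example.postgres.database.azure.com;User Id=appuser@pgsrv-example;Password=${PG_PASSWORD};Ssl Mode=Require"',
    'conn = "Server=pgsrv-example.postgres.database.azure.com;User Id=appuser@pgsrv-example;Password=@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/pg-password);Ssl Mode=Require"',
    'ssl_mode = "require"  # no credential here',
]

if __name__ == "__main__":
    for number, kind, redacted in scan_lines(SAMPLE_SOURCE):
        print(f"line {number} [{kind}]: {redacted}")
```

Run it as a pre-commit or pipeline step over the repository; the two flagged lines are the ones to move into Key Vault or, better, to replace with Azure AD token authentication so there is no password to store.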

Malware defense

For more information, see the Azure Security Benchmark: Malware defense.

8.1: Use centrally-managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure App Service); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Database for PostgreSQL); however, it does not run on customer content.

Pre-scan any content being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, Azure Database for PostgreSQL, and so on. Azure cannot access your data in these instances.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Database for PostgreSQL); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

Data recovery

For more information, see the Azure Security Benchmark: Data recovery.

9.1: Ensure regular automated back-ups

Guidance: Azure Database for PostgreSQL takes backups of the data files and the transaction log. Depending on the supported maximum storage size, it takes either full and differential backups (servers with up to 4 TB of storage) or snapshot backups (servers with up to 16 TB of storage). These backups let you restore a server to any point in time within your configured backup retention period. The default backup retention period is seven days; you can optionally configure it for up to 35 days. All backups are encrypted using AES 256-bit encryption. A point-in-time restore creates a new server, so review its network access, firewall rules and logins before redirecting applications to it, and rehearse the restore periodically to confirm the retention period matches your recovery objectives.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Incident response

For more information, see the Azure Security Benchmark: Incident response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via Logic Apps on security alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests do not violate Azure policies: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps