Azure security baseline for Azure Database for PostgreSQL - Single Server

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure Database for PostgreSQL - Single Server. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Database for PostgreSQL - Single Server.

Note

Controls not applicable to Azure Database for PostgreSQL - Single Server, or for which the responsibility is Azure's, have been excluded. To see how Azure Database for PostgreSQL - Single Server maps completely to the Azure Security Benchmark, see the full Azure Database for PostgreSQL - Single Server security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

1.1: Protect Azure resources within virtual networks

Guidance: Configure Private Link for Azure Database for PostgreSQL with private endpoints. Private Link lets you reach PaaS services in Azure through a private endpoint, which gives the server a private IP address inside your virtual network (VNet); traffic between the VNet and the PostgreSQL server stays on the Microsoft backbone network. A private endpoint does not by itself close the public endpoint: once the private path works, set the server's public network access to Disabled (or remove every firewall rule) so that the private endpoint is the only way in.

Alternatively, you may use virtual network service endpoints to protect and limit network access to your Azure Database for PostgreSQL servers. Virtual network rules are a firewall feature that controls whether the server accepts connections from particular subnets in virtual networks. The subnet must have the Microsoft.Sql service endpoint enabled, and a virtual network rule admits every client in that subnet, so keep such subnets dedicated to the workloads that need the database.

You may also secure your Azure Database for PostgreSQL server with firewall rules. The server firewall rejects all connections until you create rules that specify ranges of acceptable IP addresses; rules are created at the server level and apply to every database on the server. Keep each range as narrow as the client's egress addresses allow, and treat the portal's "Allow access to Azure services" switch (stored as the rule AllowAllWindowsAzureIps with start and end address 0.0.0.0) as a finding rather than a convenience: it admits any Azure-hosted client, including clients in other tenants.
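The rule review described above, as an added example that is not part of the original baseline: the script takes the rule list in the shape returned by `az postgres server firewall-rule list -o json` (name, startIpAddress, endIpAddress), flags the all-Azure rule and the whole-internet rule, and reports any range wider than a threshold. The sample rules and the 256-address threshold are constructed for the example.

```python
"""Audit the server-level firewall rules of an Azure Database for PostgreSQL
single server for over-broad exposure.

Added example, not code from the original baseline. The rule dicts mirror the
fields of `az postgres server firewall-rule list`; the sample rules below and
the MAX_RANGE threshold are constructed assumptions.
"""
import ipaddress

ANY = ipaddress.IPv4Address("0.0.0.0")
LAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample, shaped like `az postgres server firewall-rule list -o json`.
SAMPLE_RULES = [
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "ci-runners", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
    # Created by the portal's "Allow access to Azure services" switch; it admits
    # any Azure-hosted client, including clients in other tenants.
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]

MAX_RANGE = 256  # assumption: anything wider than a /24 needs a justification


def classify_rule(rule, max_range=MAX_RANGE):
    """Return a finding for a risky rule, or None when the rule is acceptable."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        return "invalid: end address precedes start address"
    if start == end == ANY:
        return "allows all Azure services (any tenant)"
    if start == ANY and end == LAST:
        return "allows the entire IPv4 internet"
    width = int(end) - int(start) + 1
    if width > max_range:
        return f"range of {width} addresses exceeds the allowed {max_range}"
    return None


def audit_firewall(rules, max_range=MAX_RANGE):
    """Map rule name -> finding for every rule that should be removed or narrowed."""
    findings = {}
    for rule in rules:
        finding = classify_rule(rule, max_range)
        if finding:
            findings[rule["name"]] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit_firewall(SAMPLE_RULES).items():
        print(f"{name}: {finding}")
```

Run it against the real output of the CLI by loading the JSON into `audit_firewall`; a clean server returns an empty dict. Virtual network rules are listed separately (`az postgres server vnet-rule list`) and are not covered by this check.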

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.DBforPostgreSQL:

Name (Azure portal): Private endpoint should be enabled for PostgreSQL servers
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: When your Azure Database for PostgreSQL server is reachable only through a private endpoint, the clients are virtual machines (or other resources) deployed in the same virtual network. Apply a network security group (NSG) to their subnets to reduce the risk of data exfiltration. Enable NSG flow logs and send them to a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic flow in your Azure cloud. Traffic Analytics lets you visualize network activity, identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Responsibility: Customer

Azure Security Center monitoring: None

1.5: Record network packets

Guidance: When your Azure Database for PostgreSQL server is reachable only through a private endpoint, you can deploy virtual machines in the same virtual network and configure a network security group (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send them to a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic flow in your Azure cloud. Note that flow logs record flow tuples (source, destination, port, protocol, decision and byte counts), not packet contents; when you need the packets themselves, run a Network Watcher packet capture on the client virtual machine, because the managed PostgreSQL host is not available for capture.

Responsibility: Customer

Azure Security Center monitoring: None

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources that need access to your Azure Database for PostgreSQL servers, use service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Note: Azure Database for PostgreSQL shares its tag with Azure SQL Database: in network security group and Azure Firewall rules the tag is "Sql" (with regional variants such as "Sql.WestUS"), and the corresponding virtual network service endpoint is "Microsoft.Sql". Because the tag covers every Azure SQL and open-source database server in the region, an outbound rule that allows "Sql" permits traffic to servers owned by other tenants as well; pair it with firewall or virtual network rules on your own server, or use a private endpoint, to limit the destination.

Responsibility: Customer

Azure Security Center monitoring: None

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network settings and network resources associated with your Azure Database for PostgreSQL servers with Azure Policy. Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" and "Microsoft.Network" namespaces to create custom policies that audit or enforce the network configuration of your servers. You may also use built-in policy definitions related to networking or to Azure Database for PostgreSQL, such as the definitions listed under controls 1.1 and 4.4 of this baseline.

Responsibility: Customer

Azure Security Center monitoring: None

1.10: Document traffic configuration rules

Guidance: Use tags on resources related to network security and traffic flow for your Azure Database for PostgreSQL servers to provide metadata and logical organization.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require a tag and its value on resources", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up resources, or to act on them, based on their tags.

Responsibility: Customer

Azure Security Center monitoring: None

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor network resource configurations and detect changes to network resources related to your Azure Database for PostgreSQL servers, including firewall rules, virtual network rules and private endpoint connections on the server itself. Create alerts within Azure Monitor that trigger when changes to critical network resources take place.

Responsibility: Customer

Azure Security Center monitoring: None

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.2: Configure central security log management

Guidance: Enable diagnostic settings and server logs, and ingest the logs to aggregate the security data generated by your Azure Database for PostgreSQL servers. Within Azure Monitor, use Log Analytics workspaces to query and analyze the data, and use Azure Storage Accounts for long-term or archival storage. Alternatively, you may enable and on-board the data to a third-party SIEM.

Responsibility: Customer

Azure Security Center monitoring: None

2.3: Enable audit logging for Azure resources

Guidance: Enable diagnostic settings on your Azure Database for PostgreSQL servers to get access to audit, security, and resource logs. Make sure the PostgreSQL audit log itself is enabled: add pgaudit to the shared_preload_libraries server parameter (this takes effect after a restart) and set pgaudit.log to the statement classes you need, for example ddl,role to capture schema and privilege changes, then route the PostgreSQLLogs category through the diagnostic setting. The Activity Log, which is available automatically, records control-plane events with source, date, user, timestamp, source addresses, destination addresses and other useful elements. You may also enable a diagnostic setting for the Azure Activity Log and send it to the same Log Analytics workspace or Storage Account.

Responsibility: Customer

Azure Security Center monitoring: None

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set the retention period of the Log Analytics workspace that holds your Azure Database for PostgreSQL logs according to your organization's compliance requirements. Use Azure Storage Accounts for long-term or archival storage.

Responsibility: Customer

Azure Security Center monitoring: None

2.6: Monitor and review logs

Guidance: Analyze and monitor the logs from your Azure Database for PostgreSQL servers for anomalous behavior. Use Log Analytics in Azure Monitor to review logs and run queries over the log data; role and privilege changes, destructive DDL, and repeated failed sign-ins are the events to alert on first. Alternatively, you may enable and on-board the data to a third-party SIEM.
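The kind of review that 2.3 and 2.6 ask for, as an added example that is not code from the original baseline: a scanner that parses pgAudit session entries and raises alerts for privilege changes and destructive DDL. The field layout after "AUDIT: SESSION," follows the pgAudit documentation (statement id, substatement id, class, command, object type, object name, statement, parameter); the "timestamp LOG:" prefix and the five log lines are constructed for the example.

```python
"""Scan pgAudit session-log entries for privilege changes and destructive DDL.

Added example, not code from the original baseline. pgAudit writes CSV fields
after the "AUDIT: SESSION," marker:
  statement_id, substatement_id, class, command, object_type, object_name,
  statement, parameter
The line prefix and the SAMPLE_LOG entries below are constructed.
"""
import csv
import io
import re

SAMPLE_LOG = """\
2021-06-01 08:00:01 UTC LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.orders,"SELECT id, total FROM orders WHERE id = 42",<not logged>
2021-06-01 08:00:07 UTC LOG:  AUDIT: SESSION,2,1,ROLE,CREATE ROLE,,,"CREATE ROLE svc_report LOGIN PASSWORD '***'",<not logged>
2021-06-01 08:00:09 UTC LOG:  AUDIT: SESSION,3,1,ROLE,GRANT,,,"GRANT azure_pg_admin TO svc_report",<not logged>
2021-06-01 08:00:15 UTC LOG:  AUDIT: SESSION,4,1,DDL,DROP TABLE,TABLE,public.audit_trail,"DROP TABLE audit_trail",<not logged>
2021-06-01 08:00:20 UTC LOG:  AUDIT: SESSION,5,1,WRITE,INSERT,TABLE,public.orders,"INSERT INTO orders VALUES (43, 9.99)",<not logged>
"""

AUDIT_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) LOG:\s+AUDIT: SESSION,(?P<csv>.*)$")
FIELDS = ["statement_id", "substatement_id", "class", "command",
          "object_type", "object_name", "statement", "parameter"]


def parse_entry(line):
    """Return the pgAudit fields of one log line as a dict, or None for non-audit lines."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    row = next(csv.reader(io.StringIO(m.group("csv"))))
    if len(row) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, row))
    entry["timestamp"] = m.group("ts")
    return entry


def classify(entry):
    """Return a severity for entries worth alerting on, else None."""
    command = entry["command"].upper()
    statement = entry["statement"].upper()
    if entry["class"] == "ROLE":
        # azure_pg_admin is the server-admin role on Azure Database for PostgreSQL,
        # so granting it (or CREATEROLE/SUPERUSER) is the highest-value change.
        if any(k in statement for k in ("AZURE_PG_ADMIN", "SUPERUSER", "CREATEROLE")):
            return "critical"
        return "high"
    if entry["class"] == "DDL" and command.startswith(("DROP", "TRUNCATE")):
        return "high"
    return None


def scan(log_text):
    """Return a list of (severity, entry) for every alertable line in the log."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            alerts.append((severity, entry))
    return alerts


if __name__ == "__main__":
    for severity, entry in scan(SAMPLE_LOG):
        print(f"{entry['timestamp']} {severity:8} {entry['command']}: {entry['statement']}")
```

The READ and WRITE entries pass through silently; the same rules can be expressed as a Kusto query over the forwarded log category once the data is in a Log Analytics workspace, but the parsing is easier to test here first.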

Responsibility: Customer

Azure Security Center monitoring: None

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain an inventory of the user accounts that have administrative access to the control plane (for example, the Azure portal) of your Azure Database for PostgreSQL servers. In addition, maintain an inventory of the administrative accounts on the data plane (within the database itself). When you create the PostgreSQL server you supply credentials for a server administrator; that administrator is a member of the azure_pg_admin role and can create further PostgreSQL roles, so the data-plane inventory should list every role that is a member of azure_pg_admin or holds CREATEROLE, not just the original administrator.

Azure Database for PostgreSQL has no service-specific built-in Azure roles. The generic built-in roles (Owner, Contributor, Reader) apply to the server resource, and you can create custom roles scoped to specific Microsoft.DBforPostgreSQL resource provider operations. These roles govern the control plane only; they neither grant nor restrict anything inside the database.

Responsibility: Customer

Azure Security Center monitoring: None

3.2: Change default passwords where applicable

Guidance: Azure Active Directory (Azure AD) and Azure Database for PostgreSQL do not have the concept of default passwords.

When the Azure Database for PostgreSQL resource is created, Azure requires you to create an administrative user with a strong password. Once the server exists, that first server admin account can create additional users and grant them administrative access. When creating these accounts, configure a different, strong password for each one, and prefer Azure AD authentication (control 3.9) so that fewer passwords exist at all.

Responsibility: Customer

Azure Security Center monitoring: None

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts that have access to your Azure Database for PostgreSQL servers. Use the Identity and access management recommendations in Azure Security Center to monitor the number of administrative accounts.

Responsibility: Customer

Azure Security Center monitoring: None

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication and follow the Identity and Access Management recommendations in Azure Security Center. When database sign-ins use Azure AD tokens, the Conditional Access policies that apply to the token request also apply to the database, so you can require multifactor authentication for database sign-ins as well.

Responsibility: Customer

Azure Security Center monitoring: None

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access named locations to allow portal and Azure Resource Manager access only from specific logical groupings of IP address ranges or countries/regions.

Responsibility: Customer

Azure Security Center monitoring: None

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

For signing in to Azure Database for PostgreSQL, use Azure AD and connect with an Azure AD access token. The token is presented in the password field, the user name takes the form aaduser@servername, and the database role must first be created by the server's Azure AD administrator as a member of the azure_ad_user role. Azure AD users, Azure AD groups, and Azure AD applications (service principals and managed identities) can all connect this way. Tokens are short-lived, so applications must fetch a fresh token for each new connection rather than caching one, and the connection must use TLS because the token is a bearer credential.

Azure AD credentials may also be used for administration at the management plane level (for example, the Azure portal) to control the server and its PostgreSQL admin accounts.
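The token-as-password flow described above, as an added example that is not code from the original baseline. The helper checks a token's audience and remaining lifetime before it is handed to the driver, and assembles the keyword arguments a psycopg2 `connect()` call would take (the call itself is not made, so the block runs offline). The JWT built by `make_sample_token` is a constructed, unsigned fixture; a real token comes from `az account get-access-token --resource-type oss-rdbms` or from azure-identity with the scope https://ossrdbms-aad.database.windows.net/.default, and the server name, user and database name are placeholders.

```python
"""Present an Azure AD access token as the password for an Azure Database for
PostgreSQL sign-in, checking the token before each connection attempt.

Added example, not code from the original baseline. make_sample_token builds
an unsigned JWT purely as an offline fixture; the checks only read claims and
never trust the signature, because the server is the party that verifies it.
"""
import base64
import json
import time

# Resource (audience) that Azure AD issues database tokens for.
AAD_PG_AUDIENCE = "https://ossrdbms-aad.database.windows.net"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(exp, aud=AAD_PG_AUDIENCE):
    """Constructed, unsigned JWT carrying just the claims the checks look at."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "exp": exp, "upn": "alice@contoso.com"}).encode())
    return f"{header}.{payload}."


def decode_claims(token):
    """Read the JWT payload without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_usable(token, now=None, min_remaining=300):
    """True when the token targets the PostgreSQL resource and still has at
    least min_remaining seconds of life; otherwise acquire a new one."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    return claims.get("aud") == AAD_PG_AUDIENCE and claims.get("exp", 0) - now >= min_remaining


def connection_kwargs(server, aad_user, token, dbname="postgres"):
    """Keyword arguments for psycopg2.connect(): single server expects user@server,
    the token travels in the password field, and TLS is mandatory because the
    token is a bearer credential. Raises if the token should not be presented."""
    if not token_usable(token):
        raise RuntimeError("token expired or has the wrong audience; acquire a fresh one")
    return {
        "host": f"{server}.postgres.database.azure.com",
        "user": f"{aad_user}@{server}",
        "password": token,
        "dbname": dbname,
        "sslmode": "require",
    }


if __name__ == "__main__":
    demo = make_sample_token(int(time.time()) + 3600)
    kw = connection_kwargs("pg-prod", "alice@contoso.com", demo)
    print({k: (v if k != "password" else "<token>") for k, v in kw.items()})
```

The same code path serves a managed identity (control 7.12): only the way the token is obtained changes, and no password is stored anywhere. `sslmode=require` is the minimum; `verify-full` with the Azure root CA is the setting to aim for, as discussed under control 4.4.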

Responsibility: Customer

Azure Security Center monitoring: None

3.10: Regularly review and reconcile user access

Guidance: Review the Azure Active Directory (Azure AD) logs to help discover stale accounts, which can include accounts with Azure Database for PostgreSQL administrative roles. In addition, use Azure AD access reviews to manage group memberships, access to enterprise applications that may be used to reach Azure Database for PostgreSQL, and role assignments. Review user access on a regular basis, such as every 90 days, to make sure only the right users retain access. Review the data plane as well: the roles in pg_roles and their memberships are not visible to Azure AD and must be reconciled separately.

Responsibility: Customer

Azure Security Center monitoring: None

3.11: Monitor attempts to access deactivated credentials

Guidance: Enable diagnostic settings for Azure Database for PostgreSQL and for Azure Active Directory (Azure AD), sending all logs to a Log Analytics workspace. Failed database sign-ins appear in the server log as FATAL "password authentication failed" messages, which the diagnostic setting forwards; configure alerts on these and on other events of interest within Log Analytics.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to track the Azure Database for PostgreSQL servers and related resources that store or process sensitive information.

Responsibility: Customer

Azure Security Center monitoring: None

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Use a combination of Private Link, service endpoints, and/or firewall rules to isolate and limit network access to your Azure Database for PostgreSQL servers.

Responsibility: Customer

Azure Security Center monitoring: None

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: When Azure virtual machines access Azure Database for PostgreSQL servers, use Private Link, the server's network configuration, network security groups, and service tags to reduce the possibility of data exfiltration.

Azure manages the underlying infrastructure for Azure Database for PostgreSQL and has implemented strict controls to prevent the loss or exposure of customer data.

Responsibility: Shared

Azure Security Center monitoring: None

4.4: Encrypt all sensitive information in transit

Guidance: Azure Database for PostgreSQL supports connecting client applications to your PostgreSQL server using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Enforcing TLS between the database server and your client applications encrypts the data stream and helps protect against "man in the middle" attacks. In the Azure portal, confirm that "Enforce SSL connection" is enabled (it is the default) on all of your Azure Database for PostgreSQL servers. Server-side enforcement only guarantees encryption; a client that connects with sslmode=require does not verify who it is talking to. Configure clients with sslmode=verify-full and the root CA certificate published for the service so that the server certificate and host name are checked as well.

The TLS versions the service can accept are TLS 1.0, TLS 1.1 and TLS 1.2. TLS 1.0 and 1.1 are deprecated; set the server's minimum TLS version setting (minimalTlsVersion) to TLS 1.2 so that older protocol versions are refused, and test your clients against that setting before applying it in production.
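The server-side checks above, as an added example that is not code from the original baseline: it inspects the sslEnforcement and minimalTlsVersion properties as shown by `az postgres server show` and reports servers that accept cleartext or protocol versions below the required minimum. The three sample servers are constructed.

```python
"""Check the transport settings of Azure Database for PostgreSQL single
servers: SSL enforcement on, minimum TLS version at least TLS 1.2.

Added example, not code from the original baseline. The dicts carry the
sslEnforcement and minimalTlsVersion properties of the server resource;
the SAMPLE_SERVERS are constructed.
"""

# Order of the minimalTlsVersion values; TLSEnforcementDisabled is absent on purpose.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}

SAMPLE_SERVERS = [
    {"name": "pg-prod", "sslEnforcement": "Enabled", "minimalTlsVersion": "TLS1_2"},
    {"name": "pg-legacy", "sslEnforcement": "Enabled", "minimalTlsVersion": "TLSEnforcementDisabled"},
    {"name": "pg-dev", "sslEnforcement": "Disabled", "minimalTlsVersion": "TLS1_0"},
]


def check_transport(server, required="TLS1_2"):
    """Return the list of findings for one server; empty when it is compliant."""
    findings = []
    if server.get("sslEnforcement") != "Enabled":
        findings.append("sslEnforcement is not Enabled: clients may connect in cleartext")
    tls = server.get("minimalTlsVersion", "TLSEnforcementDisabled")
    if tls not in TLS_ORDER:
        findings.append("minimalTlsVersion not set: server still accepts TLS 1.0 and 1.1")
    elif TLS_ORDER[tls] < TLS_ORDER[required]:
        findings.append(f"minimalTlsVersion {tls} is below {required}")
    return findings


def audit_transport(servers, required="TLS1_2"):
    """Map server name -> findings for every non-compliant server."""
    result = {}
    for server in servers:
        findings = check_transport(server, required)
        if findings:
            result[server["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_transport(SAMPLE_SERVERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

A compliant server produces no output. The client side is not covered here: even with both settings correct, a client using sslmode=require skips certificate verification, so verify-full with the service's root CA belongs in the connection string.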

Responsibility: Shared

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.DBforPostgreSQL:

Name (Azure portal): Enforce SSL connection should be enabled for PostgreSQL database servers
Description: Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Effect(s): Audit, Disabled
Version (GitHub): 1.0.1

4.6:使用 Azure RBAC 控制对资源的访问4.6: Use Azure RBAC to control access to resources

指导:使用 Azure 基于角色的访问控制 (Azure RBAC) 来控制对 Azure Database for PostgreSQL 控制平面(如 Azure 门户)的访问。Guidance: Use Azure role-based access control (Azure RBAC) to control access to the Azure Database for PostgreSQL control plane (e.g. Azure portal). 对于数据平面访问(在数据库本身内),使用 SQL 查询创建用户并配置用户权限。For data plane access (within the database itself), use SQL queries to create users and configure user permissions. Azure RBAC 不影响数据库中的用户权限。Azure RBAC does not affect user permissions within the database.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

4.9:记录对关键 Azure 资源的更改并对此类更改发出警报4.9: Log and alert on changes to critical Azure resources

指南:结合使用 Azure Monitor 与 Azure 活动,以创建在 Azure Database for PostgreSQL 的生产实例和其他关键或相关资源发生更改时发出的警报。Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Azure Database for PostgreSQL and other critical or related resources.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

漏洞管理Vulnerability Management

有关详细信息,请参阅 Azure 安全基线: 漏洞管理。For more information, see the Azure Security Benchmark: Vulnerability Management.

5.1:运行自动漏洞扫描工具5.1: Run automated vulnerability scanning tools

指导:请遵循 Azure 安全中心关于保护 Azure Database for PostgreSQL 和相关资源的建议。Guidance: Follow recommendations from Azure Security Center on securing your Azure Database for PostgreSQL and related resources.

Azure 对支持 Azure Database for PostgreSQL 的基础系统执行漏洞管理。Azure performs vulnerability management on the underlying systems that support Azure Database for PostgreSQL.

责任:共享Responsibility: Shared

Azure 安全中心监视:无Azure Security Center monitoring: None

清单和资产管理Inventory and Asset Management

有关详细信息,请参阅 Azure 安全基线: 清单和资产管理For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1:使用自动化资产发现解决方案6.1: Use automated asset discovery solution

指导:使用 Azure Resource Graph 查询和发现订阅中的所有资源(包括 Azure Database for PostgreSQL 实例)。Guidance: Use Azure Resource Graph to query and discover all resources (including Azure Database for PostgreSQL instances) within your subscriptions. 确保你在租户中拥有适当的(读取)权限,并且可以枚举所有 Azure 订阅,以及订阅中的资源。Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

6.2:维护资产元数据6.2: Maintain asset metadata

指南:将标记应用于 Azure Database for PostgreSQL 实例和其他相关资源,从而将元数据按逻辑组织到分类中。Guidance: Apply tags to Azure Database for PostgreSQL instances and other related resources giving metadata to logically organize them into a taxonomy.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

6.3:删除未经授权的 Azure 资源6.3: Delete unauthorized Azure resources

指南:使用标记、管理组和单独的订阅(如果适用)来组织和跟踪 Azure Database for PostgreSQL 实例和相关资源。Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Database for PostgreSQL instances and related resources. 定期核对清单,确保及时地从订阅中删除未经授权的资源。Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

6.4:定义并维护已批准的 Azure 资源的清单6.4: Define and maintain inventory of approved Azure resources

指南:不适用;此建议适用于计算资源和整个 Azure。Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

6.5:监视未批准的 Azure 资源6.5: Monitor for unapproved Azure resources

指南:在 Azure Policy 中使用以下内置策略定义,对可以在客户订阅中创建的资源类型施加限制:Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • 不允许的资源类型Not allowed resource types

  • 允许的资源类型Allowed resource types

此外,请使用 Azure Resource Graph 来查询/发现订阅中的资源。In addition, use the Azure Resource Graph to query/discover resources within the subscription(s).

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

6.9:仅使用已批准的 Azure 服务6.9: Use only approved Azure services

指南:在 Azure Policy 中使用以下内置策略定义,对可以在客户订阅中创建的资源类型施加限制:Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

6.11:限制用户与 Azure 资源管理器进行交互的能力6.11: Limit users' ability to interact with Azure Resource Manager

指南:使用 Azure 条件访问,通过为“Microsoft Azure 管理”应用配置“阻止访问”,限制用户与 Azure 资源管理器进行交互的能力。Guidance: Use the Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. 这可以防止在高安全环境中创建和更改资源,如包含敏感信息的 Azure Database for PostgreSQL 实例。This can prevent the creation and changes to resources within a high security environment, such as instances of Azure Database for PostgreSQL containing sensitive information.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

安全配置Secure Configuration

有关详细信息,请参阅 Azure 安全基线: 安全配置For more information, see the Azure Security Benchmark: Secure Configuration.

7.1:为所有 Azure 资源建立安全配置7.1: Establish secure configurations for all Azure resources

指南:通过 Azure Policy 为 Azure Database for PostgreSQL 实例定义和实现标准安全配置。Guidance: Define and implement standard security configurations for your Azure Database for PostgreSQL instances with Azure Policy. 使用“Microsoft.DBforPostgreSQL”命名空间中的 Azure Policy 别名创建自定义策略,以审核或强制实施 Azure Database for PostgreSQL 实例的网络配置。Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" namespace to create custom policies to audit or enforce the network configuration of your Azure Database for PostgreSQL instances. 还可以使用与 Azure Database for PostgreSQL 实例相关的内置策略定义,例如:You may also make use of built-in policy definitions related to your Azure Database for PostgreSQL instances, such as:

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

7.3:维护安全的 Azure 资源配置7.3: Maintain secure Azure resource configurations

指南:使用 Azure Policy“[拒绝]”和“[不存在则部署]”对不同的 Azure 资源强制实施安全设置。Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

7.5:安全存储 Azure 资源的配置7.5: Securely store configuration of Azure resources

指南:如果对 Azure Database for PostgreSQL 实例和相关资源使用自定义 Azure Policy 定义,请使用 Azure Repos 安全地存储和管理代码。Guidance: If using custom Azure Policy definitions for your Azure Database for PostgreSQL instances and related resources, use Azure Repos to securely store and manage your code.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

7.7:部署 Azure 资源的配置管理工具7.7: Deploy configuration management tools for Azure resources

指南:使用“Microsoft.DBforPostgreSQL”命名空间中的 Azure Policy 别名创建自定义策略,以审核和强制执行系统配置,并针对其发出警报。Guidance: Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" namespace to create custom policies to alert, audit, and enforce system configurations. 另外,开发一个用于管理策略例外的流程和管道。Additionally, develop a process and pipeline for managing policy exceptions.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

7.9:为 Azure 资源实施自动配置监视7.9: Implement automated configuration monitoring for Azure resources

指南:使用“Microsoft.DBforPostgreSQL”命名空间中的 Azure Policy 别名创建自定义策略,以审核和强制执行系统配置,并针对其发出警报。Guidance: Use Azure Policy aliases in the "Microsoft.DBforPostgreSQL" namespace to create custom policies to alert, audit, and enforce system configurations. 使用 Azure Policy [审核]、[拒绝] 和 [不存在时部署] 为 Azure Database for PostgreSQL 实例和相关资源自动强制实施配置。Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure Database for PostgreSQL instances and related resources.

Responsibility: Customer

Azure Security Center monitoring: None

7.12: Manage identities securely and automatically

Guidance: Azure Database for PostgreSQL server supports Azure Active Directory (Azure AD) authentication to access databases. While creating the Azure Database for PostgreSQL server, you provide credentials for an administrator user. This administrator can be used to create additional database users.

For Azure Virtual Machines or web applications running on Azure App Service that access your Azure Database for PostgreSQL server, use Managed Service Identity in conjunction with Azure Key Vault to store and retrieve credentials for the Azure Database for PostgreSQL server. Ensure Key Vault Soft Delete is enabled.

Use Managed Identities to provide Azure services with an automatically managed identity in Azure AD. Managed Identities allow you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Responsibility: Customer

Azure Security Center monitoring: None

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

Malware Defense

For more information, see the Azure Security Benchmark: Malware Defense.

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Database for PostgreSQL); however, it does not run on customer content.

Pre-scan any content being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, Azure Database for PostgreSQL, and so on. Azure cannot access your data in these instances.

Responsibility: Shared

Azure Security Center monitoring: None

Data Recovery

For more information, see the Azure Security Benchmark: Data Recovery.

9.1: Ensure regular automated back-ups

Guidance: Azure Database for PostgreSQL takes backups of the data files and the transaction log. Depending on the supported maximum storage size, we either take full and differential backups (4 TB max storage servers) or snapshot backups (up to 16 TB max storage servers). These backups allow you to restore a server to any point-in-time within your configured backup retention period. The default backup retention period is seven days. You can optionally configure it up to 35 days. All backups are encrypted using AES 256-bit encryption.

Responsibility: Shared

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.DBforPostgreSQL:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Azure Database for PostgreSQL automatically creates server backups and stores them in either locally-redundant or geo-redundant storage, according to the user's choice. Backups can be used to restore your server to a point-in-time. Backup and restore are an essential part of any business continuity strategy because they protect your data from accidental corruption or deletion.

If using Azure Key Vault to store credentials for your Azure Database for PostgreSQL instances, ensure regular automated backups of your keys.

Responsibility: Shared

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.DBforPostgreSQL:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |

9.3: Validate all backups including customer-managed keys

Guidance: In Azure Database for PostgreSQL, performing a restore creates a new server from the original server's backups. There are two types of restore available: point-in-time restore and geo-restore. Point-in-time restore is available with either backup redundancy option and creates a new server in the same region as your original server. Geo-restore is available only if you configured your server for geo-redundant storage, and it allows you to restore your server to a different region.

The estimated time of recovery depends on several factors, including the database sizes, the transaction log size, the network bandwidth, and the total number of databases recovering in the same region at the same time. The recovery time is usually less than 12 hours.

Periodically test restoration of your Azure Database for PostgreSQL instances.

Responsibility: Customer

Azure Security Center monitoring: None

9.4: Ensure protection of backups and customer-managed keys

Guidance: Azure Database for PostgreSQL takes full, differential, and transaction log backups. These backups allow you to restore a server to any point-in-time within your configured backup retention period. The default backup retention period is seven days. You can optionally configure it up to 35 days. All backups are encrypted using AES 256-bit encryption.

Responsibility: Customer

Azure Security Center monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Responsibility: Customer

Azure Security Center monitoring: None

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the metric used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) and create a naming system to clearly identify and categorize Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Responsibility: Customer

Azure Security Center monitoring: None

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Responsibility: Customer

Azure Security Center monitoring: None

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Responsibility: Customer

Azure Security Center monitoring: None

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via Logic Apps to security alerts and recommendations.

Responsibility: Customer

Azure Security Center monitoring: None

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Azure policies:

https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

Responsibility: Shared

Azure Security Center monitoring: None

Next steps