Azure Policy Regulatory Compliance controls for Azure Database for PostgreSQL

Regulatory Compliance in Azure Policy provides Azure-created and Azure-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Database for PostgreSQL. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy version column to view the source in the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there is often not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; it does not ensure you are fully compliant with all requirements of a control. In addition, the compliance standard includes controls that are not addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service maps completely to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Data Recovery | 9.1 | Ensure regular automated back ups | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | 1.0.0 |
| Data Recovery | 9.2 | Perform complete system backups and backup any customer managed keys | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | 1.0.0 |

CIS Azure Foundations Benchmark

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Database Services | 4.12 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Log checkpoints should be enabled for PostgreSQL database servers | 1.0.0 |
| Database Services | 4.13 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Database Services | 4.14 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Log connections should be enabled for PostgreSQL database servers | 1.0.0 |
| Database Services | 4.15 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Disconnections should be logged for PostgreSQL database servers. | 1.0.0 |
| Database Services | 4.17 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Connection throttling should be enabled for PostgreSQL database servers | 1.0.0 |

HIPAA HITRUST 9.2

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Connection Control | 0809.01n2Organizational.1234 - 01.n | Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Network Connection Control | 0810.01n2Organizational.5 - 01.n | Transmitted information is secured and, at a minimum, encrypted over open, public networks. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Network Connection Control | 0811.01n2Organizational.6 - 01.n | Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Identification of Risks Related to External Parties | 1450.05i2Organizational.2 - 05.i | The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which its information supply chain depends. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |
| Back-up | 1618.09l1Organizational.45 - 09.l | The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | 1.0.0 |
| Back-up | 1623.09l2Organizational.4 - 09.l | Covered information is backed up in an encrypted format to ensure confidentiality. | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | 1.0.0 |
| Back-up | 1626.09l3Organizational.5 - 09.l | The organization ensures a current, retrievable copy of covered information is available before movement of servers. | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | 1.0.0 |
| On-line Transactions | 0947.09y2Organizational.2 - 09.y | The organization ensures the storage of the transaction details is located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. | Enforce SSL connection should be enabled for PostgreSQL database servers | 1.0.0 |

Next steps