Best practices for Azure RBAC

This article describes some best practices for using Azure role-based access control (Azure RBAC). These best practices are derived from our experience with Azure RBAC and the experiences of customers like yourself.

Only grant the access users need

Using Azure RBAC, you can segregate duties within your team and grant users only the amount of access they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it's a best practice to grant users the least privilege needed to get their work done. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. When creating custom roles, include only the permissions users need. By limiting roles and scopes, you limit which resources are at risk if the security principal is ever compromised.

The following diagram shows a suggested pattern for using Azure RBAC.

Diagram: Azure RBAC and least privilege

For information about how to assign roles, see Assign Azure roles using the Azure portal.

Limit the number of subscription owners

You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Azure Security Center. For other identity and access recommendations in Security Center, see Security recommendations - a reference guide.

Use Azure AD Privileged Identity Management

To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources. Access can be time bound, after which privileges are revoked automatically.

For more information, see What is Azure AD Privileged Identity Management?.

Assign roles to groups, not users

To make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments, which matters because Azure allows at most 2,000 role assignments per subscription.
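The three recommendations above (least privilege at narrow scopes, at most 3 subscription owners, and roles on groups rather than users) can all be checked from a single export of role assignments. The following script is an added example, not Microsoft's code and not part of the Azure CLI; it assumes the input has the shape of `az role assignment list --all -o json` output (fields `principalType`, `principalName`, `roleDefinitionName`, `scope`), which is an assumption about the CLI's output, and it runs on a constructed sample with a placeholder subscription ID so it works offline.

```python
"""Audit exported Azure role assignments against the page's three practices.

Added example, not the article's or Azure's own code. Input shape assumed to
match `az role assignment list --all -o json`; sample data below is constructed.
"""
import json

# Roles broad enough that holding them at subscription scope or wider
# deserves review under the least-privilege recommendation (assumed list).
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
MAX_OWNERS = 3  # ceiling recommended by the article
WIDE_SCOPES = {"root", "managementGroup", "subscription"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample resembling `az role assignment list` output.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalType": "Group", "principalName": "sg-platform-owners",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalType": "User", "principalName": "alice@example.com",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalType": "User", "principalName": "bob@example.com",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalType": "User", "principalName": "carol@example.com",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalType": "User", "principalName": "dave@example.com",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalType": "Group", "principalName": "sg-web-devs",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web"},
    {"principalType": "ServicePrincipal", "principalName": "sp-ci-deploy",
     "roleDefinitionName": "Website Contributor",
     "scope": SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1"},
])


def scope_level(scope):
    """Classify an ARM scope string: root, managementGroup, subscription,
    resourceGroup, resource, or unknown."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and "managementGroups" in parts:
        return "managementGroup"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def audit(assignments_json):
    """Return findings for the three best practices on the page."""
    assignments = json.loads(assignments_json)
    owners = set()          # distinct principals holding Owner at wide scope
    direct_user = []        # roles assigned straight to a user, not a group
    broad_at_wide = []      # broad roles granted at subscription scope or wider
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        if role == "Owner" and level in WIDE_SCOPES:
            # A group counts once here; its membership must be expanded
            # separately to get the true number of human owners.
            owners.add(a["principalName"])
        if a["principalType"] == "User":
            direct_user.append((a["principalName"], role, a["scope"]))
        if role in BROAD_ROLES and level in WIDE_SCOPES:
            broad_at_wide.append((a["principalName"], role, level))
    return {
        "owner_count": len(owners),
        "too_many_owners": len(owners) > MAX_OWNERS,
        "direct_user_assignments": direct_user,
        "broad_at_wide_scope": broad_at_wide,
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_ASSIGNMENTS_JSON)
    print(f"Owner principals at subscription scope or wider: {findings['owner_count']}"
          f" (limit {MAX_OWNERS}) -> over limit: {findings['too_many_owners']}")
    for name, role, scope in findings["direct_user_assignments"]:
        print(f"Direct user assignment: {name} has {role} at {scope}")
    for name, role, level in findings["broad_at_wide_scope"]:
        print(f"Broad role at wide scope: {name} has {role} at {level} level")
```

Feed it a real export by replacing `SAMPLE_ASSIGNMENTS_JSON` with the contents of the CLI's JSON output. The owner count treats each Owner-holding group as one principal, so a finding of "within limit" still requires checking the group's membership; the direct-user list is the set of assignments to migrate onto groups.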

Next steps