Best practices for Azure RBAC

This article describes some best practices for using Azure role-based access control (Azure RBAC). These best practices are derived from our experience with Azure RBAC and the experiences of customers like yourself.

Only grant the access users need

Using Azure RBAC, you can segregate duties within your team and grant users only the amount of access they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it's a best practice to grant users the least privilege needed to get their work done. The following diagram shows a suggested pattern for using Azure RBAC.

[Diagram: Azure RBAC and least privilege]

For information about how to add role assignments, see Add or remove Azure role assignments using the Azure portal.

Limit the number of subscription owners

You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Azure Security Center.
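A check for the two recommendations above (assign at a particular scope, keep subscription owners to at most 3) that a practitioner can run over the JSON that `az role assignment list --scope /subscriptions/<id> --include-inherited -o json` returns. This is an added example, not code from the article or from Azure; the sample assignments are constructed, and the field names (principalId, principalName, principalType, roleDefinitionName, scope) are assumed to match the CLI's output shape.

```python
import json

# Constructed sample in the shape of `az role assignment list ... --include-inherited -o json`.
# Field names are assumed to match the CLI; every value is made up.
SUB_ID = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
MG = "/providers/Microsoft.Management/managementGroups/mg-prod"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "u1", "principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_ID}"},
    {"principalId": "u2", "principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": MG},
    {"principalId": "u3", "principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/"},
    {"principalId": "g1", "principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_ID}"},
    {"principalId": "sp1", "principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-app"},
    {"principalId": "u4", "principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_ID}"},
])

OWNER_LIMIT = 3  # the recommendation from this article


def effective_subscription_owners(assignments_json: str, subscription_id: str) -> dict:
    """Distinct principals whose Owner assignment is effective over the whole subscription."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    owners = {}
    for a in json.loads(assignments_json):
        if a.get("roleDefinitionName") != "Owner":
            continue
        scope = a.get("scope", "").lower()
        # Owner on a resource group or a single resource is narrower than the subscription: not counted
        if scope.startswith(sub_scope + "/"):
            continue
        # The subscription itself, a parent management group, or the tenant root all grant Owner over it
        if scope == sub_scope or scope == "/" or scope.startswith("/providers/microsoft.management/managementgroups/"):
            owners[a["principalId"]] = {"name": a.get("principalName"), "type": a.get("principalType"), "scope": a.get("scope")}
    return owners


def owner_limit_report(assignments_json: str, subscription_id: str, limit: int = OWNER_LIMIT) -> dict:
    """Compare the effective owner count with the limit; groups are flagged because their membership hides the real count."""
    owners = effective_subscription_owners(assignments_json, subscription_id)
    groups = sorted(o["name"] for o in owners.values() if o["type"] == "Group")
    return {"owner_count": len(owners), "over_limit": len(owners) > limit,
            "groups_with_owner": groups, "owners": owners}


if __name__ == "__main__":
    print(json.dumps(owner_limit_report(SAMPLE_ASSIGNMENTS, SUB_ID), indent=2))
```

Inherited assignments matter: without `--include-inherited` an Owner granted at a management group or at the root would not show up in the subscription-scoped listing, and the count would be wrong.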

Use Azure AD Privileged Identity Management

To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources. Access can be time bound, after which privileges are revoked automatically.

For more information, see What is Azure AD Privileged Identity Management?

Next steps