Configure a security policy in Azure Policy using the REST API

As part of its native integration with Azure Policy, Azure Security Center lets you use Azure Policy's REST API to create policy assignments. The following instructions walk you through creating policy assignments and customizing existing assignments.

Important concepts in Azure Policy:

  • A policy definition is a rule.

  • An initiative is a collection of policy definitions (rules).

  • An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, etc.).

Security Center has a built-in initiative that includes all of its security policies. To assess Security Center's policies against your Azure resources, create an assignment of that initiative on the management group or subscription you want to assess. The caller needs permission to write policy assignments at that scope (Microsoft.Authorization/policyAssignments/write, held for example by the Owner and Resource Policy Contributor roles).

The built-in initiative has all of Security Center's policies enabled by default. You can disable individual policies in the initiative by setting their effect parameter when you create the assignment. For example, to apply all of Security Center's policies except web application firewall, set the value of that policy's effect parameter (webApplicationFirewallMonitoringEffect, see the reference table at the end of this page) to Disabled.

API examples

In the following examples, replace these three variables:

  • {scope}: the scope the assignment applies to, written as a resource path rather than a bare name: subscriptions/{subscriptionId} for a subscription, or providers/Microsoft.Management/managementGroups/{managementGroupId} for a management group.
  • {policyAssignmentName}: the name of the policy assignment. It must be unique within the scope; sending a PUT with a name that already exists replaces that assignment.
  • {name}: your name, or the name of the administrator who approved the policy change. It is recorded in the assignment's metadata (assignedBy) and is useful when auditing who changed policy.

This example shows how to assign the built-in Security Center initiative to a subscription or management group. The empty parameters block leaves every policy in the initiative at its default (enabled) effect. Because PUT creates or replaces the assignment with that name, re-sending the request with a different parameters block is also how you customize an existing assignment.

   PUT
   https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

   Request Body (JSON)

   {
     "properties": {
       "displayName": "Enable Monitoring in Azure Security Center",
       "metadata": {
         "assignedBy": "{name}"
       },
       "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
       "parameters": {}
     }
   }

This example shows how to assign the built-in Security Center initiative to a subscription with the following policies disabled:

  • System updates ("systemUpdatesMonitoringEffect")

  • Security configurations ("systemConfigurationsMonitoringEffect")

  • Endpoint protection ("endpointProtectionMonitoringEffect")

   PUT
   https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

   Request Body (JSON)

   {
     "properties": {
       "displayName": "Enable Monitoring in Azure Security Center",
       "metadata": {
         "assignedBy": "{name}"
       },
       "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
       "parameters": {
         "systemUpdatesMonitoringEffect": { "value": "Disabled" },
         "systemConfigurationsMonitoringEffect": { "value": "Disabled" },
         "endpointProtectionMonitoringEffect": { "value": "Disabled" }
       }
     }
   }

   Any effect parameter you omit from the parameters block keeps its default value, so only the policies you want to turn off need to be listed.

This example shows how to remove an assignment. Deleting the assignment stops Security Center from evaluating the initiative's policies at that scope (and at any child scopes that inherited it); it does not delete the initiative definition itself:

   DELETE
   https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01
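The three requests above (assign with defaults, assign with selected policies disabled, delete) put together as a small Python client. This is an added example, not code from the page or from Azure; it uses only the standard library. It assumes an ARM bearer token in the AZURE_ACCESS_TOKEN environment variable, a placeholder subscription ID and the assignment name ascMonitoring (all hypothetical), and the Azure China endpoint that the page's examples use. The helper refuses parameter names that are not in the page's reference table, which catches the common mistake of disabling a policy by a misspelled name and silently leaving it enabled; the sample run disables only the web application firewall policy, the case described earlier on the page.

```python
"""Assign / customize / remove the built-in Security Center initiative via the
Azure Policy REST API. Added example; not the page's own code.

Assumptions (not on the page): AZURE_ACCESS_TOKEN holds an ARM bearer token,
the subscription id below is a placeholder, and "ascMonitoring" is an
arbitrary assignment name.
"""
import json
import os
import urllib.request
from urllib.error import HTTPError

ARM_ENDPOINT = "https://management.chinacloudapi.cn"   # endpoint used by the page
API_VERSION = "2018-05-01"
# Built-in Security Center initiative (policySetDefinition) id, as on the page.
ASC_INITIATIVE_ID = (
    "/providers/Microsoft.Authorization/policySetDefinitions/"
    "1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
)
# Effect parameter names from the page's policy-name reference table.
EFFECT_PARAMETERS = {
    "sqlEncryptionMonitoringEffect", "sqlAuditingMonitoringEffect",
    "systemUpdatesMonitoringEffect", "storageEncryptionMonitoringEffect",
    "jitNetworkAccessMonitoringEffect", "adaptiveApplicationControlsMonitoringEffect",
    "networkSecurityGroupsMonitoringEffect", "systemConfigurationsMonitoringEffect",
    "endpointProtectionMonitoringEffect", "diskEncryptionMonitoringEffect",
    "vulnerabilityAssessmentMonitoringEffect", "webApplicationFirewallMonitoringEffect",
}


def build_scope(subscription_id=None, management_group=None):
    """Return the {scope} path for exactly one of a subscription or a management group."""
    if (subscription_id is None) == (management_group is None):
        raise ValueError("give exactly one of subscription_id or management_group")
    if subscription_id is not None:
        return f"subscriptions/{subscription_id}"
    return f"providers/Microsoft.Management/managementGroups/{management_group}"


def assignment_url(scope, assignment_name):
    """URL of the policyAssignments resource used by both PUT and DELETE."""
    return (f"{ARM_ENDPOINT}/{scope}/providers/Microsoft.Authorization/"
            f"policyAssignments/{assignment_name}?api-version={API_VERSION}")


def build_assignment_body(assigned_by, disabled=()):
    """PUT body for the initiative; every name in `disabled` is set to Disabled.
    Unknown names are rejected instead of being sent (ARM would reject them too,
    but a typo caught here never reaches the API)."""
    unknown = sorted(set(disabled) - EFFECT_PARAMETERS)
    if unknown:
        raise ValueError(f"not effect parameters of the initiative: {unknown}")
    return {
        "properties": {
            "displayName": "Enable Monitoring in Azure Security Center",
            "metadata": {"assignedBy": assigned_by},
            "policyDefinitionId": ASC_INITIATIVE_ID,
            "parameters": {p: {"value": "Disabled"} for p in sorted(disabled)},
        }
    }


def _send(method, url, token, body=None):
    """Issue the request; return (HTTP status, parsed JSON body or {})."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:            # surface ARM's error payload, don't crash
        return err.code, json.loads(err.read() or b"{}")


def put_assignment(scope, name, token, assigned_by, disabled=()):
    return _send("PUT", assignment_url(scope, name), token,
                 build_assignment_body(assigned_by, disabled))


def delete_assignment(scope, name, token):
    return _send("DELETE", assignment_url(scope, name), token)


if __name__ == "__main__":
    scope = build_scope(subscription_id="00000000-0000-0000-0000-000000000000")  # placeholder
    disabled = ["webApplicationFirewallMonitoringEffect"]   # everything except WAF stays on
    print(assignment_url(scope, "ascMonitoring"))
    print(json.dumps(build_assignment_body("admin@example.com", disabled), indent=2))
    token = os.environ.get("AZURE_ACCESS_TOKEN")
    if token:   # only talks to ARM when a token is supplied
        print(put_assignment(scope, "ascMonitoring", token, "admin@example.com", disabled))
```

Run it without AZURE_ACCESS_TOKEN to print the URL and body for review; with a token it performs the PUT. Call delete_assignment with the same scope and name to remove the assignment again.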

Policy names reference

Policy name in Security Center | Policy name displayed in Azure Policy | Policy effect parameter name
SQL Encryption | Monitor unencrypted SQL database in Azure Security Center | sqlEncryptionMonitoringEffect
SQL Auditing | Monitor unaudited SQL database in Azure Security Center | sqlAuditingMonitoringEffect
System updates | Monitor missing system updates in Azure Security Center | systemUpdatesMonitoringEffect
Storage encryption | Audit missing blob encryption for storage accounts | storageEncryptionMonitoringEffect
JIT Network access | Monitor possible network just-in-time (JIT) access in Azure Security Center | jitNetworkAccessMonitoringEffect
Adaptive application controls | Monitor possible app allow lists in Azure Security Center | adaptiveApplicationControlsMonitoringEffect
Network security groups | Monitor permissive network access in Azure Security Center | networkSecurityGroupsMonitoringEffect
Security configurations | Monitor OS vulnerabilities in Azure Security Center | systemConfigurationsMonitoringEffect
Endpoint protection | Monitor missing Endpoint Protection in Azure Security Center | endpointProtectionMonitoringEffect
Disk encryption | Monitor unencrypted VM Disks in Azure Security Center | diskEncryptionMonitoringEffect
Vulnerability assessment | Monitor VM Vulnerabilities in Azure Security Center | vulnerabilityAssessmentMonitoringEffect
Web application firewall | Monitor unprotected web application in Azure Security Center | webApplicationFirewallMonitoringEffect
Next generation firewall | Monitor unprotected network endpoints in Azure Security Center | (no effect parameter listed)

Next steps

For other related material, see the following articles: