Manage security policies

This article explains how security policies are configured and how to view them in Security Center.

Who can edit security policies?

You can edit security policies through the Azure Policy portal, via the REST API, or by using Windows PowerShell.

Security Center uses Azure role-based access control (Azure RBAC), which provides built-in roles you can assign to Azure users, groups, and services. When users open Security Center, they see only information related to the resources they can access. This means users must hold the Owner, Contributor, or Reader role on the resource's subscription. There are also two specific Security Center roles:

  • Security reader: Has rights to view Security Center items such as recommendations, alerts, policy, and health. Can't make changes.
  • Security admin: Has the same view rights as security reader. Can also update the security policy and dismiss alerts.

Manage your security policies

To view your security policies in Security Center:

  1. In the Security Center dashboard, select Security policy.

    Screenshot: Policy management page

    In the Policy management screen, you can see the number of management groups, subscriptions, and workspaces, as well as your management group structure.

  2. Select the subscription or management group whose policies you want to view.

  3. The security policy page for that subscription or management group appears. It shows the available and assigned policies.

    Screenshot: Security policy page in Security Center

    Note

    If there is a label "MG Inherited" alongside your default policy, it means that the policy has been assigned to a management group and inherited by the subscription you're viewing.

  4. Choose from the available options on this page:

    1. To work with industry standards, select Add more standards.

    2. To assign and manage custom initiatives, select Add custom initiatives. For more information, see Using custom security initiatives and policies.

Disable security policies and disable recommendations

When your security initiative triggers a recommendation that's irrelevant for your environment, you can prevent that recommendation from appearing again. To disable a recommendation, disable the specific policy that generates it.

The recommendation you want to disable will still appear if it's required by a regulatory standard you've applied with Security Center's regulatory compliance tools. Even if you've disabled a policy in the built-in initiative, a policy in the regulatory standard's initiative will still trigger the recommendation if it's necessary for compliance. You can't disable policies from regulatory standard initiatives.

For more information about recommendations, see Managing security recommendations.

  1. In Security Center, from the Policy & Compliance section, select Security policy.

    Screenshot: Starting the policy management process in Azure Security Center

  2. Select the subscription or management group for which you want to disable the recommendation.

    Note

    Remember that a management group applies its policies to its subscriptions. Therefore, if you disable a subscription's policy while the subscription belongs to a management group that still uses the same policy, you will continue to receive that policy's recommendations: the policy is still applied from the management group level, and the recommendations are still generated.

  3. Select Edit assignment.

  4. In the PARAMETERS section, search for the policy that invokes the recommendation you want to disable, and from the dropdown list select Disabled.

    Screenshot: Disabling a policy

  5. Select Save.

    Note

    Changes that disable a policy can take up to 12 hours to take effect.
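The same parameter-based disable can be scripted with Az PowerShell, which the page names as an editing route. The following is an added example, not code from the original page or from Microsoft; it assumes Az.Resources (6.x or earlier object shape) with an authenticated session, that the subscription's default Security Center assignment is named SecurityCenterBuiltIn, and that $EffectParameterName is the placeholder you replace with the effect parameter shown under PARAMETERS for the policy you want off. It also flags management-group assignments, since disabling at subscription scope does not silence those.

```powershell
# Added example (not from the original page): disable one policy in the
# subscription's default Security Center initiative assignment, the
# equivalent of Edit assignment > PARAMETERS > Disabled in the portal.
# Assumptions: Az.Resources installed and Connect-AzAccount already run;
# default assignment named 'SecurityCenterBuiltIn' (assumed) at subscription
# scope; $EffectParameterName is a placeholder for the real parameter name.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $EffectParameterName   # placeholder, e.g. '<policy>Effect'
)

$scope = "/subscriptions/$SubscriptionId"

# 1. Warn about assignments inherited from a management group: a subscription-
#    level disable will not stop recommendations those assignments generate.
Get-AzPolicyAssignment -Scope $scope |
    Where-Object { $_.ResourceId -like '/providers/Microsoft.Management/managementGroups/*' } |
    ForEach-Object { Write-Warning "Inherited from management group: $($_.ResourceId)" }

# 2. Load the subscription's own default Security Center assignment.
$assignment = Get-AzPolicyAssignment -Scope $scope -Name 'SecurityCenterBuiltIn'

# 3. Copy every current parameter value into a hashtable. Set-AzPolicyAssignment
#    replaces the whole parameter set, so existing values must be carried over
#    or every other effect would fall back to the initiative's defaults.
$params = @{}
foreach ($p in $assignment.Properties.Parameters.PSObject.Properties) {
    $params[$p.Name] = $p.Value.value
}
if (-not $params.ContainsKey($EffectParameterName)) {
    throw "Parameter '$EffectParameterName' is not present on the assignment."
}

# 4. Flip only the requested effect to Disabled and write the assignment back.
$params[$EffectParameterName] = 'Disabled'
Set-AzPolicyAssignment -Id $assignment.ResourceId -PolicyParameterObject $params | Out-Null
Write-Output "Set $EffectParameterName to Disabled; allow up to 12 hours for it to take effect."
```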

Next steps

This page explained security policies. For related information, see the following pages: