Security Control: Inventory and Asset Management

Inventory and Asset Management recommendations focus on addressing issues related to actively managing (inventory, track, and correct) all Azure resources so that only authorized resources are given access, and unauthorized and unmanaged resources are identified and removed.

6.1: Use automated Asset Discovery solution

Azure ID | CIS IDs | Responsibility
6.1 | 1.1, 1.2, 1.3, 1.4, 9.1, 12.1 | Customer

Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols, etc.) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as the resources within them.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

6.2: Maintain asset metadata

Azure ID | CIS IDs | Responsibility
6.2 | 1.5 | Customer

Apply tags to Azure resources, giving them metadata that logically organizes them into a taxonomy.

6.3: Delete unauthorized Azure resources

Azure ID | CIS IDs | Responsibility
6.3 | 1.6 | Customer

Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. Reconcile the inventory on a regular basis and ensure that unauthorized resources are deleted from the subscription in a timely manner.

6.4: Define and maintain an inventory of approved Azure resources

Azure ID | CIS IDs | Responsibility
6.4 | 2.1 | Customer

Create an inventory of approved Azure resources and approved software for compute resources, as required by your organizational needs.

6.5: Monitor for unapproved Azure resources

Azure ID | CIS IDs | Responsibility
6.5 | 2.3, 2.4 | Customer

Use Azure Policy to put restrictions on the types of resources that can be created in your subscription(s).

Use Azure Resource Graph to query/discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.
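The reconciliation that controls 6.1 through 6.5 describe (enumerate with Resource Graph, compare against an approved baseline and required tags, flag classic and unapproved resources for removal) as an added example; this is not code from the benchmark page. The query text is the kind of query you would hand to Resource Graph, and the rows, approved types, tag names and resource ids are constructed placeholders.

```python
"""Reconcile an Azure Resource Graph inventory against an approved baseline (6.1-6.5).
Added example, not code from the benchmark page: INVENTORY_QUERY is the kind of query
you would hand to Resource Graph; ROWS is a constructed stand-in for its output."""

# Resource Graph (KQL) query listing every resource with its type and tags (6.1).
INVENTORY_QUERY = "Resources | project id, name, type, location, tags"

# Constructed approved baseline (6.4) and mandatory tags (6.2).
# Resource Graph reports resource types in lower case.
APPROVED_TYPES = {"microsoft.compute/virtualmachines",
                  "microsoft.storage/storageaccounts", "microsoft.network/virtualnetworks"}
REQUIRED_TAGS = ("owner", "env")

# Constructed sample rows in the shape Resource Graph returns; <sub-id> is a placeholder.
P = "/subscriptions/<sub-id>/resourceGroups/"
ROWS = [
    {"id": P + "rg-app/providers/Microsoft.Compute/virtualMachines/vm-web01",
     "type": "microsoft.compute/virtualmachines", "tags": {"owner": "app-team", "env": "prod"}},
    {"id": P + "rg-app/providers/Microsoft.Storage/storageAccounts/salegacy",
     "type": "microsoft.storage/storageaccounts", "tags": {"owner": "data-team"}},
    {"id": P + "rg-old/providers/Microsoft.ClassicCompute/virtualMachines/vm-old",
     "type": "microsoft.classiccompute/virtualmachines", "tags": None},
    {"id": P + "rg-app/providers/Microsoft.Web/sites/app-shadow",
     "type": "microsoft.web/sites", "tags": {"owner": "app-team", "env": "dev"}},
]


def classify(row):
    """Return the findings for one resource row; an empty list means compliant."""
    findings = []
    if row["type"] not in APPROVED_TYPES:
        findings.append("unapproved-type")      # 6.3 / 6.5: candidate for removal
    if row["type"].startswith("microsoft.classic"):
        findings.append("classic-resource")     # 6.1: recreate as a Resource Manager resource
    tags = row.get("tags") or {}                # Resource Graph returns null for untagged resources
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if missing:
        findings.append("missing-tags:" + ",".join(missing))   # 6.2
    return findings


def reconcile(rows):
    """Map resource id -> findings for every resource that needs follow-up (6.3)."""
    report = {}
    for row in rows:
        findings = classify(row)
        if findings:
            report[row["id"]] = findings
    return report
```

Run `reconcile` over the real query output on a schedule and feed the report into your removal process; anything tagged `unapproved-type` is what Azure Policy should have prevented from being created in the first place.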

6.6: Remove unapproved Azure resources and software applications

Azure ID | CIS IDs | Responsibility
6.6 | 2.5 | Customer

Use Azure Security Center's File Integrity Monitoring (Change Tracking) to identify all software installed on Virtual Machines. You can implement your own process for removing unauthorized software. You can also use a third-party solution to identify unapproved software.

6.7: Use only approved applications

Azure ID | CIS IDs | Responsibility
6.7 | 2.6 | Customer

Use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.

6.8: Use only approved Azure services

Azure ID | CIS IDs | Responsibility
6.8 | 2.6 | Customer

Use Azure Policy to restrict which services you can provision in your environment.

6.9: Maintain an inventory of approved software titles

Azure ID | CIS IDs | Responsibility
6.9 | 2.7 | Customer

Use Azure Security Center Adaptive Application Controls to specify which file types a rule may or may not apply to.

Implement a third-party solution if this does not meet the requirement.

6.10: Limit users' ability to execute scripts within compute resources

Azure ID | CIS IDs | Responsibility
6.10 | 2.9 | Customer

Depending on the type of scripts, you may use operating-system-specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources. You can also leverage Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.

6.11: Physically or logically segregate high-risk applications

Azure ID | CIS IDs | Responsibility
6.11 | 2.9 | Customer

Software that is required for business operations but may incur higher risk for the organization should be isolated within its own virtual machine and/or virtual network and sufficiently secured with either an Azure Firewall or a Network Security Group.

Next steps