Security Control: Secure Configuration

Establish, implement, and actively manage (track, report on, correct) the security configuration of Azure resources in order to prevent attackers from exploiting vulnerable services and settings.

7.1: Establish secure configurations for all Azure resources

Azure ID | CIS IDs | Responsibility
7.1 | 5.1 | Customer

Use Azure Policy aliases to create custom policies that audit or enforce the configuration of your Azure resources. You may also use built-in Azure Policy definitions.

Also, Azure Resource Manager can export a resource's template in JavaScript Object Notation (JSON); review that export to ensure the configuration meets or exceeds your organization's security requirements.

You may also use recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.

7.2: Establish secure operating system configurations

Azure ID | CIS IDs | Responsibility
7.2 | 5.1 | Customer

Use Azure Security Center recommendations to maintain security configurations on all compute resources. Additionally, you may use custom operating system images or Azure Automation State Configuration to establish the operating system security configuration your organization requires.

7.3: Maintain secure Azure resource configurations

Azure ID | CIS IDs | Responsibility
7.3 | 5.2 | Customer

Use the Azure Policy deny and deploy if not exist effects to enforce secure settings across your Azure resources. In addition, you may use Azure Resource Manager templates to maintain the security configuration of the Azure resources your organization requires.
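The two controls above (7.1: write a custom definition over Azure Policy aliases; 7.3: give it an Audit or Deny effect) are easier to reason about when the definition can be tested against exported resource JSON before it is assigned. The following is an added example, not Microsoft's policy engine or any code from the benchmark: a deliberately small evaluator that resolves aliases the way Azure Policy does (resource type plus property path, dots for nested properties) and applies the Audit and Deny effects to constructed resource documents. The two aliases used, `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` and `Microsoft.Storage/storageAccounts/networkAcls.defaultAction`, are real Azure Policy aliases; the policy definition, resource names and the evaluator itself are assumptions made for this illustration, and only the `allOf`/`anyOf`/`not` and `equals`/`notEquals`/`exists` subset of the policy language is supported (no `deployIfNotExists` remediation).

```python
"""Simplified, offline evaluation of an Azure Policy custom definition.

Added example: mimics alias resolution and the Audit/Deny effects so a team can
unit-test a definition against exported ARM resource JSON. It is NOT the Azure
Policy engine and supports only a small subset of the policy language.
"""
import json

# Constructed policy definition: storage accounts must require secure transfer
# and must default-deny network access. Both aliases are real Azure Policy aliases.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Storage accounts: secure transfer and default-deny network ACL",
        "mode": "Indexed",
        "parameters": {
            "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                    {"anyOf": [
                        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                         "notEquals": "true"},
                        {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                         "notEquals": "Deny"},
                    ]},
                ]
            },
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

# Constructed resource documents in the shape ARM exports them (type/name/properties).
RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "hardenedsa",
     "properties": {"supportsHttpsTrafficOnly": True, "networkAcls": {"defaultAction": "Deny"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "legacysa",
     "properties": {"supportsHttpsTrafficOnly": False, "networkAcls": {"defaultAction": "Allow"}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm01", "properties": {}},
]


def resolve_alias(resource, field):
    """Resolve a policy 'field' against one resource document.

    Top-level fields (type, name, location) map directly. Aliases have the form
    '<resource type>/<property path>' where dots separate nested properties."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return None  # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _norm(value):
    # Azure Policy compares strings case-insensitively and booleans by their
    # string form ("true"/"false"); this mirrors that behaviour.
    if value is None:
        return None
    return str(value).lower()


def matches(resource, condition):
    """Evaluate one node of the policy 'if' block against a resource."""
    if "allOf" in condition:
        return all(matches(resource, c) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(resource, c) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(resource, condition["not"])
    actual = resolve_alias(resource, condition["field"])
    if "equals" in condition:
        return _norm(actual) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(actual) != _norm(condition["notEquals"])
    if "exists" in condition:
        return (actual is not None) == (_norm(condition["exists"]) == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resources, effect=None):
    """Return {resource name: verdict}. Audit reports a non-compliant resource;
    Deny would reject the deployment request. Resources the rule does not match
    are reported as compliant."""
    props = policy["properties"]
    effect = effect or props["parameters"]["effect"]["defaultValue"]
    if effect not in props["parameters"]["effect"]["allowedValues"]:
        raise ValueError(f"effect {effect!r} is not allowed by the definition")
    verdicts = {}
    for res in resources:
        if matches(res, props["policyRule"]["if"]):
            verdicts[res["name"]] = "NonCompliant" if effect == "Audit" else "Denied"
        else:
            verdicts[res["name"]] = "Compliant"
    return verdicts


if __name__ == "__main__":
    print(json.dumps(evaluate(POLICY_DEFINITION, RESOURCES), indent=2))
    print(json.dumps(evaluate(POLICY_DEFINITION, RESOURCES, effect="Deny"), indent=2))
```

The same definition serves both controls: assign it with the default `Audit` effect first to find drift across existing resources (7.1), then switch the `effect` parameter to `Deny` once the estate is clean so new non-compliant deployments are rejected (7.3).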

7.4: Maintain secure operating system configurations

Azure ID | CIS IDs | Responsibility
7.4 | 5.2 | Shared

Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure compute resources. In addition, you may use Azure Resource Manager templates, custom operating system images or Azure Automation State Configuration to maintain the operating system security configuration your organization requires. The Microsoft virtual machine templates combined with Azure Automation Desired State Configuration may assist in meeting and maintaining the security requirements.

Also note that Azure Marketplace virtual machine images published by Microsoft are managed and maintained by Microsoft.

7.5: Securely store custom operating system images

Azure ID | CIS IDs | Responsibility
7.5 | 5.3 | Customer

If using custom images, use role-based access control (RBAC) to ensure only authorized users may access the images. Using a Shared Image Gallery you can share your images with different users, service principals, or AD groups within your organization. For container images, store them in Azure Container Registry and use RBAC to ensure only authorized users may access the images.

7.6: Deploy configuration management tools for Azure resources

Azure ID | CIS IDs | Responsibility
7.6 | 5.4 | Customer

Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies that audit or enforce the network configuration of your Azure resources. You may also make use of built-in policy definitions related to your specific resources. Additionally, you may use Azure Automation to deploy configuration changes.

7.7: Deploy configuration management tools for operating systems

Azure ID | CIS IDs | Responsibility
7.7 | 5.4 | Customer

Azure Automation State Configuration is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance with the desired state you specified.

7.8: Implement automated configuration monitoring for Azure resources

Azure ID | CIS IDs | Responsibility
7.8 | 5.5 | Customer

Use Azure Security Center to perform baseline scans of your Azure resources. Additionally, use Azure Policy to alert on and audit Azure resource configurations.

7.9: Implement automated configuration monitoring for operating systems

Azure ID | CIS IDs | Responsibility
7.9 | 5.5 | Customer

Use Azure Security Center to perform baseline scans of OS and Docker settings for containers.

7.10: Manage Azure secrets securely

Azure ID | CIS IDs | Responsibility
7.10 | 13.1 | Customer

Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.

7.11: Manage identities securely and automatically

Azure ID | CIS IDs | Responsibility
7.11 | 4.1 | Customer

Use managed identities to provide Azure services with an automatically managed identity in Azure AD. Managed identities let you authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
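Controls 7.10 and 7.11 describe the result (a Key Vault secret read with no credential in code) but not the exchange that makes it possible. The following is an added example, not code from the benchmark or from Microsoft's SDKs: it drives the two REST calls directly so the flow is visible. The Azure Instance Metadata Service (IMDS) endpoint `http://169.254.169.254/metadata/identity/oauth2/token`, its `api-version=2018-02-01`, the mandatory `Metadata: true` header, the `expires_on` epoch field in the reply and the Key Vault data-plane URL shape with `api-version=7.3` are the documented Azure values; the vault name, secret name and token string are constructed placeholders so the block runs offline. In production code the Azure SDK's `DefaultAzureCredential` with `SecretClient` performs exactly this exchange for you.

```python
"""How a managed identity obtains a token and reads a Key Vault secret.

Added example (not the Azure SDK): the IMDS endpoint, api-version and Metadata
header are documented Azure values; the vault URL, secret name and token below
are constructed placeholders so the block runs offline.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_AUDIENCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.3"


def build_token_request(resource=KEY_VAULT_AUDIENCE, client_id=None):
    """Step 1: ask IMDS (reachable only from inside the VM) for a token for `resource`.

    The 'Metadata: true' header is mandatory; IMDS rejects requests without it,
    which is what keeps a redirect-based SSRF from harvesting tokens. client_id
    selects a user-assigned identity when the VM has more than one."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"})


def parse_token_response(body, now=None):
    """Validate the IMDS JSON reply; return (access_token, seconds until expiry)."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type in IMDS response")
    expires_on = int(data["expires_on"])  # documented as epoch seconds, as a string
    remaining = expires_on - int(now if now is not None else time.time())
    if remaining <= 0:
        raise ValueError("token already expired")
    return data["access_token"], remaining


def build_secret_request(vault_url, secret_name, access_token):
    """Step 2: call the Key Vault data plane with the bearer token. Whether this
    succeeds is decided by RBAC or the vault access policy granted to the identity."""
    url = (f"{vault_url.rstrip('/')}/secrets/{urllib.parse.quote(secret_name)}"
           f"?api-version={KEY_VAULT_API_VERSION}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def get_secret(vault_url, secret_name, opener=urllib.request.urlopen, client_id=None):
    """Full flow as it runs inside an Azure VM or App Service with a managed identity.
    `opener` is injectable so the flow can be exercised without network access."""
    with opener(build_token_request(client_id=client_id), timeout=5) as resp:
        token, _ = parse_token_response(resp.read())
    with opener(build_secret_request(vault_url, secret_name, token), timeout=5) as resp:
        return json.loads(resp.read())["value"]


def sample_token_response(expires_on):
    """Constructed IMDS reply in the documented shape; the token value is fake."""
    return json.dumps({"access_token": "eyJ0eXAi.FAKE.TOKEN", "expires_on": str(expires_on),
                       "resource": KEY_VAULT_AUDIENCE, "token_type": "Bearer"})


if __name__ == "__main__":
    req = build_token_request()
    print(req.full_url, req.get_header("Metadata"))
    token, ttl = parse_token_response(sample_token_response(1700003600), now=1700000000)
    sreq = build_secret_request("https://example-vault.vault.azure.net", "db-password", token)
    print(sreq.full_url, "ttl:", ttl)
```

Nothing in the block is a long-lived credential: the token is minted by the platform for this VM's identity, is scoped to the Key Vault audience, and expires; revoking the identity's role assignment on the vault cuts access without touching any code or configuration file.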

7.12: Eliminate unintended credential exposure

Azure ID | CIS IDs | Responsibility
7.12 | 18.1, 18.7 | Customer

Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
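To make concrete what a credential scanner does, here is an added example in the spirit of Credential Scanner; it is not the CredScan tool and not code from the benchmark. It combines a few narrow regex detectors (an Azure Storage account key inside a connection string, a client secret or password assigned as a string literal, a SAS `sig=` parameter) with a Shannon-entropy fallback for long random-looking literals, skips Key Vault references so the recommended fix is never itself flagged, and attaches the remediation the control describes. The detector names, thresholds, file name and every sample line, key and secret in the block are constructed for the illustration; the storage key is 86 repeated characters and not a real key.

```python
"""A small credential scanner in the spirit of Credential Scanner (CredScan).

Added example, not the CredScan tool: regex detectors plus a Shannon-entropy
check over source text, reporting findings with the remediation the control
describes. Every sample line, key and secret below is constructed and fake.
"""
import math
import re

# Constructed detectors: (name, pattern). The secret is always the last group.
DETECTORS = [
    ("azure-storage-account-key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")),
    ("azure-ad-client-secret-assignment",
     re.compile(r"(?i)(client[_-]?secret|app[_-]?secret)\s*[=:]\s*['\"]([^'\"]{16,})['\"]")),
    ("hardcoded-password",
     re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
    ("sas-token-signature", re.compile(r"[?&]sig=([A-Za-z0-9%+/]{20,}={0,2})")),
]
# Quoted literals of 20+ characters with no whitespace: candidates for the entropy check.
STRING_LITERAL = re.compile(r"""["']([^"'\s]{20,})["']""")
REMEDIATION = ("Move the value to Azure Key Vault, read it at runtime through a "
               "managed identity, and rotate the exposed credential.")


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, prose scores low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_reference_not_secret(value):
    """Key Vault references and template tokens are the fix, not a finding."""
    v = value.lower()
    return v.startswith("@microsoft.keyvault(") or v.startswith("${") or "{{" in v


def scan_text(text, path="<input>", entropy_threshold=4.0):
    """Scan source text line by line and return a list of finding dicts.
    Only a short preview of each secret is kept so findings are safe to log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = []
        for name, pattern in DETECTORS:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex)
                if not _is_reference_not_secret(secret):
                    hits.append((name, secret))
        if not hits:
            # No signature matched: fall back to entropy on long quoted literals.
            for m in STRING_LITERAL.finditer(line):
                literal = m.group(1)
                if not _is_reference_not_secret(literal) and shannon_entropy(literal) > entropy_threshold:
                    hits.append(("high-entropy-string", literal))
        for name, secret in hits:
            findings.append({"path": path, "line": lineno, "detector": name,
                             "preview": secret[:4] + "...", "remediation": REMEDIATION})
    return findings


# Constructed sample source file. The storage key is 86 'A's and is not a real key;
# the environment-variable lookup and the Key Vault reference should NOT be flagged.
SAMPLE_SOURCE = "\n".join([
    "import os",
    'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=examplesa;AccountKey='
    + "A" * 86 + '==;EndpointSuffix=core.windows.net"',
    'client_secret = "fakeSecretValue-0123456789abcdef"',
    'db_password = os.environ["DB_PASSWORD"]',
    'api_token = "q7Zf9Kd2Lm8Pq3Xw5Vb1Nh6Tg4Rj0Ys"',
    'logger.info("Connecting to storage account %s", name)',
    'kv_ref = "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/db-password/)"',
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, path="app.py"):
        print(f"{finding['path']}:{finding['line']} {finding['detector']} ({finding['preview']})")
```

Run in a pre-commit hook or a build step, a scanner like this fails the build on the findings and points the developer at the Key Vault reference pattern shown on the last sample line; the exposed value still has to be rotated, because it must be assumed to have left the repository the moment it was committed.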

Next steps