Azure Policy built-in definitions for Azure Service Bus Messaging

This page is an index of Azure Policy built-in policy definitions for Azure Service Bus Messaging. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Service Bus Messaging

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace-level access policy that provides access to all queues and topics in a namespace. To align with the least-privilege security model, create access policies at the entity level for queues and topics so that each policy grants access only to the specific entity. | Audit, Deny, Disabled | 1.0.1 |
| Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus namespace that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus namespace that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Diagnostic logs in Service Bus should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Service Bus should use a virtual network service endpoint | This policy audits any Service Bus namespace not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
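To make the first row concrete, here is an illustrative custom policy definition, written for this page rather than taken from the built-in's GitHub source, that enforces the same least-privilege rule: any authorization rule created directly on a Service Bus namespace whose name is not RootManageSharedAccessKey is flagged (or blocked, when the effect parameter is Deny). The `displayName`, `description` and parameter layout are assumptions of this example; the `type` and `name` fields and the `[parameters('effect')]` expression are standard Azure Policy rule syntax.

```json
{
  "properties": {
    "displayName": "Deny namespace-level Service Bus authorization rules other than RootManageSharedAccessKey (illustrative)",
    "policyType": "Custom",
    "mode": "All",
    "description": "Illustrative custom definition written for this page as an example, not the built-in's source. Flags or denies Service Bus authorization rules scoped to the whole namespace unless the rule is RootManageSharedAccessKey. Mode is All because authorization rules are child resources that do not carry tags or location.",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit to report existing namespace-level rules; Deny to block creating or updating new ones; Disabled to turn the policy off."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces/authorizationRules"
          },
          {
            "field": "name",
            "notEquals": "RootManageSharedAccessKey"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two points worth checking before assigning a rule like this. First, the `type` match is on `Microsoft.ServiceBus/namespaces/authorizationRules` only, so entity-level rules on queues and topics (`Microsoft.ServiceBus/namespaces/queues/authorizationRules` and `.../topics/authorizationRules`) are not matched; that is deliberate, since those are the rules the description tells you to use instead. Second, a Deny effect only stops new create and update requests; namespace-level rules that already exist are not removed, so run the policy with Audit first to enumerate them, migrate the clients that use them to entity-level rules, delete the old rules, and only then switch the assignment to Deny.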

Next steps