Azure security baseline for Service Bus

The Azure Security Baseline for Service Bus contains recommendations that will help you improve the security posture of your deployment. The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance. For more information, see Azure Security Baselines overview.

Network security

For more information, see the Azure Security Benchmark: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: The integration of Service Bus with the Azure Private Link service enables secure private access to messaging capabilities from workloads, such as virtual machines, that are bound to virtual networks. Create a private endpoint connection to your Service Bus namespace. The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. All traffic to the service can be routed through that private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed.

You can also secure your Azure Service Bus namespace by using firewalls. Azure Service Bus supports IP-based access controls for inbound firewall support. You can set firewall rules by using the Azure portal, Azure Resource Manager templates, or through the Azure CLI or Azure PowerShell.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: If you use Azure virtual machines to access your Service Bus entities, enable network security group (NSG) flow logs and send the logs to a storage account for traffic auditing. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic flows in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Use Azure Security Center and follow its network protection recommendations to help secure your Service Bus resources in Azure.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets

Guidance: If you use Azure virtual machines to access your Service Bus entities, you can use Network Watcher packet capture to investigate anomalous activity.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: If you use Azure virtual machines to access your Service Bus entities, select an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. Note that Service Bus traffic is TLS-encrypted (see 4.4), so an appliance can only inspect message payloads if it terminates TLS. If intrusion detection and/or prevention based on payload inspection is not required for your organization, you may use the built-in firewall feature of Azure Service Bus. You can limit access to your Service Bus namespace to a limited range of IP addresses, or to a specific IP address, by using firewall rules.
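The following is an added example, not code from the original page or from Microsoft: a local model of the namespace IP firewall described in 1.1 and 1.6. The two rule sets are constructed and shaped like the properties of a Microsoft.ServiceBus/namespaces/networkRuleSets resource (defaultAction, ipRules). The evaluation semantics are assumed to match the portal's "All networks" versus "Selected networks" switch: a defaultAction of Allow admits every address and silently makes the ipRules list meaningless, which is the misconfiguration the audit function reports. Private endpoints and virtual network rules are deliberately left out of the model.

```python
import ipaddress

# Constructed rule sets, shaped like the properties of a
# Microsoft.ServiceBus/namespaces/networkRuleSets resource.
# Weak: defaultAction "Allow" means every public IP is admitted and the
# ipRules list restricts nothing.
WEAK_RULE_SET = {
    "defaultAction": "Allow",
    "ipRules": [{"ipMask": "203.0.113.0/24", "action": "Allow"}],
}

# Hardened: deny by default, then allow only an office range and one
# bastion host. Everything else is rejected before authentication.
HARDENED_RULE_SET = {
    "defaultAction": "Deny",
    "ipRules": [
        {"ipMask": "203.0.113.0/24", "action": "Allow"},
        {"ipMask": "198.51.100.7", "action": "Allow"},
    ],
}

# Allow rules wider than this many addresses are reported as overly broad.
BROAD_RULE_THRESHOLD = 65536


def ip_allowed(rule_set, client_ip):
    """Local model of the namespace firewall decision for a public client IP.

    Assumed semantics: defaultAction Allow admits everything regardless of
    ipRules; defaultAction Deny admits only addresses that match an ipRule
    whose action is Allow.
    """
    if rule_set.get("defaultAction", "Allow").lower() == "allow":
        return True
    addr = ipaddress.ip_address(client_ip)
    for rule in rule_set.get("ipRules", []):
        if rule.get("action", "Allow").lower() != "allow":
            continue
        if addr in ipaddress.ip_network(rule["ipMask"], strict=False):
            return True
    return False


def audit_rule_set(rule_set):
    """Return a list of findings describing why a rule set is weak."""
    findings = []
    if rule_set.get("defaultAction", "Allow").lower() == "allow":
        findings.append("defaultAction is Allow: ipRules do not restrict access")
    for rule in rule_set.get("ipRules", []):
        network = ipaddress.ip_network(rule["ipMask"], strict=False)
        if network.num_addresses > BROAD_RULE_THRESHOLD:
            findings.append(
                f"ipRule {rule['ipMask']} covers {network.num_addresses} addresses"
            )
    return findings


if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULE_SET), ("hardened", HARDENED_RULE_SET)):
        print(name, "admits 192.0.2.10:", ip_allowed(rs, "192.0.2.10"),
              "findings:", audit_rule_set(rs))
```

Running the audit against exported rule sets (for example the JSON returned by the Azure CLI or an ARM template) catches the two failure modes practitioners most often miss: a namespace left on "All networks" with a decorative allow list, and a deny-by-default namespace with an allow rule for 0.0.0.0/0.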

Azure Security Center monitoring: Yes

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use virtual network service tags to define network access controls on network security groups or Azure Firewall that filter traffic to and from Service Bus resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, ServiceBus) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources associated with your Azure Service Bus namespaces with Azure Policy. Use Azure Policy aliases in the "Microsoft.ServiceBus" and "Microsoft.Network" namespaces to create custom policies that audit or enforce the network configuration of your Service Bus namespaces. You may also make use of built-in policy definitions related to Azure Service Bus, such as:

  • Service Bus should use a virtual network service endpoint
  • Diagnostic logs in Service Bus should be enabled

You may also construct custom policy definitions if the built-in definitions do not fit your organization's needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for virtual networks and other resources related to network security and traffic flow that are associated with your Service Bus namespaces. For individual network security group rules, use the "Description" field to record the business need, duration, and other descriptive information for any rule that allows traffic to or from a network associated with your Service Bus namespaces.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or the Azure CLI to look up or perform actions on resources based on their tags.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity log to monitor network resource configurations and detect changes to network resources related to Azure Service Bus. Create alerts within Azure Monitor that trigger when changes to critical network resources take place.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.2: Configure central security log management

Guidance: Ingest logs via Azure Monitor to aggregate security data generated by Service Bus resources. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and configure Azure Storage accounts for long-term or archival storage. You can also configure logs related to Service Bus to be sent to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable diagnostic settings for your Azure Service Bus namespace. Azure Service Bus currently supports activity logs and operational (diagnostic) logs. The Activity log records control-plane operations performed on the namespace through Azure Resource Manager, such as who created the namespace or changed its firewall rules. Diagnostic (operational) logs provide richer information about management operations performed against your namespace through the API or through management clients using the language SDKs. Specifically, these logs capture the operation type (for example, queue creation), the resource involved, the caller, and the status of the operation.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations so that Service Bus-related incidents can be captured and reviewed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results related to your Service Bus entities. Use Azure Monitor to review logs and run queries over log data related to Service Bus.
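As an added example for 2.3 and 2.6 (not code from the original page or from Microsoft), the detection logic below runs over a handful of constructed operational log records. The records are shaped like Service Bus OperationalLogs entries as they land in a Log Analytics workspace (field names EventName, Status, Caller, resourceId, EventTimeString and category follow the documented schema; every value, including the caller names and the subscription path, is made up). The three checks are the ones a reviewer would want first: a successful destructive operation, a caller outside the approved set, and repeated failed management calls from one caller.

```python
import json
from collections import Counter

# Constructed sample records shaped like Service Bus operational log entries
# (category OperationalLogs). Values are made up for this example.
SAMPLE_LOG_LINES = """\
{"category": "OperationalLogs", "EventTimeString": "2024-01-10T09:00:01Z", "EventName": "Create Queue", "Status": "Succeeded", "Caller": "deploy-pipeline@contoso.example", "resourceId": "/subscriptions/0000/resourceGroups/prod-rg/providers/Microsoft.ServiceBus/namespaces/prod-ns"}
{"category": "OperationalLogs", "EventTimeString": "2024-01-10T09:05:12Z", "EventName": "Delete Queue", "Status": "Succeeded", "Caller": "alice@contoso.example", "resourceId": "/subscriptions/0000/resourceGroups/prod-rg/providers/Microsoft.ServiceBus/namespaces/prod-ns"}
{"category": "OperationalLogs", "EventTimeString": "2024-01-10T09:06:40Z", "EventName": "Update Namespace", "Status": "Failed", "Caller": "bob@contoso.example", "resourceId": "/subscriptions/0000/resourceGroups/prod-rg/providers/Microsoft.ServiceBus/namespaces/prod-ns"}
{"category": "OperationalLogs", "EventTimeString": "2024-01-10T09:06:55Z", "EventName": "Update Namespace", "Status": "Failed", "Caller": "bob@contoso.example", "resourceId": "/subscriptions/0000/resourceGroups/prod-rg/providers/Microsoft.ServiceBus/namespaces/prod-ns"}
{"category": "OperationalLogs", "EventTimeString": "2024-01-10T09:07:03Z", "EventName": "Update Namespace", "Status": "Failed", "Caller": "bob@contoso.example", "resourceId": "/subscriptions/0000/resourceGroups/prod-rg/providers/Microsoft.ServiceBus/namespaces/prod-ns"}
{"category": "OperationalLogs", "EventTimeString": "2024-01-10T09:30:00Z", "EventName": "Create Topic", "Status": "Succeeded", "Caller": "deploy-pipeline@contoso.example", "resourceId": "/subscriptions/0000/resourceGroups/prod-rg/providers/Microsoft.ServiceBus/namespaces/prod-ns"}
"""

# Callers expected to perform management operations on production namespaces
# (hypothetical identity used for this example).
APPROVED_CALLERS = {"deploy-pipeline@contoso.example"}

# Operations that remove entities or the namespace itself.
DESTRUCTIVE_EVENTS = {"Delete Queue", "Delete Topic", "Delete Subscription",
                      "Delete Namespace"}


def parse_records(text):
    """Parse newline-delimited JSON log export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(records, approved_callers, failure_threshold=3):
    """Return findings for destructive operations, unapproved callers and
    repeated failed management calls. Each finding is a dict with a "kind"."""
    findings = []
    failures = Counter()
    seen_unapproved = set()
    for rec in records:
        if rec.get("category") != "OperationalLogs":
            continue
        caller = rec.get("Caller", "")
        event = rec.get("EventName", "")
        status = rec.get("Status", "")
        if event in DESTRUCTIVE_EVENTS and status == "Succeeded":
            findings.append({"kind": "destructive-operation", "caller": caller,
                             "event": event, "resource": rec.get("resourceId", ""),
                             "time": rec.get("EventTimeString", "")})
        if caller not in approved_callers and caller not in seen_unapproved:
            seen_unapproved.add(caller)
            findings.append({"kind": "unapproved-caller", "caller": caller,
                             "event": event})
        if status == "Failed":
            failures[caller] += 1
    # Report after the pass so a burst of failures is counted as one finding.
    for caller, count in failures.items():
        if count >= failure_threshold:
            findings.append({"kind": "repeated-failures", "caller": caller,
                             "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_records(SAMPLE_LOG_LINES), APPROVED_CALLERS):
        print(finding)
```

The same three conditions translate directly into Log Analytics alert rules; the advantage of running the logic locally first, on an exported sample, is that the thresholds and the approved-caller list can be tuned before the alert rule goes live.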

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Use Azure Security Center with a Log Analytics workspace for monitoring and alerting on anomalous activity found in security logs and events. Alternatively, you can also enable Azure Sentinel and on-board data to it.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure role-based access control (RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for Service Bus; these roles can be inventoried or queried through tools such as the Azure CLI, Azure PowerShell, or the Azure portal.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Control plane access to Service Bus is controlled through Azure Active Directory (Azure AD). Azure AD does not have the concept of default passwords.

Data plane access to Service Bus is controlled either through Azure AD, using managed identities or app registrations, or through shared access signatures (SAS). SAS tokens are signed with the keys of a shared access policy on the namespace or on an individual entity; clients connecting to your Service Bus namespace present these tokens, and the policy keys can be regenerated at any time, which invalidates every token signed with the old key. Prefer Azure AD where the client supports it, and keep SAS policies scoped to the specific queue or topic with only the rights (Send, Listen, Manage) the client needs.
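The following is an added example, not code from the original page or from the Service Bus SDK. It builds a SAS token in the documented wire format (a string-to-sign of the URL-encoded resource URI, a newline and the expiry, signed with HMAC-SHA256 under the policy key) and then checks one the way the service would, so the effect of the two controls this baseline leans on is visible: a short expiry, and invalidation of all outstanding tokens when a policy key is regenerated (3.2, 3.10). The namespace, entity, policy name and key values are constructed.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed values for this example.
RESOURCE_URI = "https://contoso-ns.servicebus.chinacloudapi.cn/orders"
POLICY_NAME = "orders-send"
POLICY_KEY = "pr1maryKeyValueForTheExample=="


def generate_sas_token(resource_uri, key_name, key, ttl_seconds=300, now=None):
    """Mint a Service Bus SAS token.

    Wire format: SharedAccessSignature sr=<url-encoded uri>&sig=<url-encoded
    base64 HMAC-SHA256>&se=<expiry, seconds since epoch>&skn=<policy name>.
    The signed string is the URL-encoded URI, a newline and the expiry.
    """
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={quote(signature, safe='')}"
            f"&se={expiry}&skn={key_name}")


def parse_sas_token(token):
    """Split a SAS token into its sr, sig, se and skn fields (still URL-encoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def validate_sas_token(token, policy_keys, now=None):
    """Server-side style check: policy_keys maps policy name -> current key.

    Returns (ok, reason). A token signed with a regenerated (old) key fails
    the signature check, which is what makes key rotation an effective
    revocation mechanism.
    """
    fields = parse_sas_token(token)
    for required in ("sr", "sig", "se", "skn"):
        if required not in fields:
            return False, f"missing field {required}"
    key = policy_keys.get(fields["skn"])
    if key is None:
        return False, "unknown or revoked policy"
    string_to_sign = f"{fields['sr']}\n{fields['se']}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    ).decode("ascii")
    if not hmac.compare_digest(expected, unquote(fields["sig"])):
        return False, "bad signature"
    if int(fields["se"]) < (time.time() if now is None else now):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = generate_sas_token(RESOURCE_URI, POLICY_NAME, POLICY_KEY, ttl_seconds=300)
    print(token)
    print(validate_sas_token(token, {POLICY_NAME: POLICY_KEY}))
    # After the key is regenerated, the same token is rejected.
    print(validate_sas_token(token, {POLICY_NAME: "newKeyAfterRotation=="}))
```

Two practical consequences follow from the format: the sr value is part of the signed string, so a token minted for one queue cannot be replayed against another entity, and because the expiry is the only time bound, a long ttl turns a leaked token into a long-lived credential. Keep the ttl minutes, not days, and treat the policy key itself as the secret that belongs in Key Vault (see 7.11).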

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policy definitions, such as:

  • There should be more than one owner assigned to your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription

You may also construct custom policy definitions if the built-in definitions do not fit your organization's needs.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use Azure Active Directory single sign-on (SSO)

Guidance: Azure provides integrated access control management for resources and applications based on Azure Active Directory (Azure AD). A key advantage of using Azure AD with Azure Service Bus is that you no longer need to store credentials in your code. Instead, you can request an OAuth 2.0 access token from the Azure identity platform. The resource name to request a token for is https://servicebus.chinacloudapi.cn/. Azure AD authenticates the security principal (a user, group, or service principal) running the application. If authentication succeeds, Azure AD returns an access token to the application, and the application can then use the access token to authorize requests to Azure Service Bus resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable Azure Active Directory Multi-Factor Authentication (MFA) and follow the Azure Security Center Identity and Access Management recommendations to help protect your Service Bus-enabled resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use secure, Azure-managed workstations for administrative tasks

Guidance: Use privileged access workstations (PAW) with Multi-Factor Authentication (MFA) configured to log in to and configure Service Bus-enabled resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory security reports and monitoring to detect when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Azure AD named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for Azure resources such as Service Bus. This enables Azure role-based access control (Azure RBAC) over administratively sensitive resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help you discover stale accounts. In addition, use Azure AD access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

In addition, regularly rotate the shared access policy keys of your Service Bus namespace; regenerating a key invalidates every shared access signature that was signed with it.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to the Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources, which allow you to integrate with Azure Sentinel or a third-party SIEM tool.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. Then, in Azure Monitor, you can configure the log alerts you need for specific actions that appear in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.13: Provide Azure with access to relevant customer data during support scenarios

Guidance: Currently not available; Customer Lockbox is not yet supported for Service Bus.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data protection

For more information, see the Azure Security Benchmark: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags on resources related to your Service Bus to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and management groups for development, test, and production. Service Bus namespaces should be separated by virtual networks, with private endpoints configured, and tagged appropriately.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: When using virtual machines to access your Service Bus entities, make use of virtual networks, private endpoints, the Service Bus firewall, network security groups, and service tags to reduce the possibility of data exfiltration.

Azure manages the underlying infrastructure for Azure Service Bus and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Azure Service Bus enforces TLS-encrypted communications by default. TLS versions 1.0, 1.1, and 1.2 are currently supported. However, TLS 1.0 and 1.1 are on a path to deprecation industry-wide, so use TLS 1.2 or newer where possible; the version negotiated is determined by the client, so configure your client runtimes and SDKs to require TLS 1.2 as the minimum.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Service Bus. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.6: Use role-based access control to control access to resources

Guidance: Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user or an application service principal.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.8: Encrypt sensitive information at rest

Guidance: Azure Service Bus supports the option of encrypting data at rest with either Azure-managed keys or customer-managed keys. This feature enables you to create, rotate, and disable the customer-managed keys that are used for encrypting Azure Service Bus data at rest, and to revoke access to them.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production instances of Azure Service Bus and other critical or related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and asset management

For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query and discover all resources (including Azure Service Bus namespaces) within your subscriptions. Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within them.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving them metadata that logically organizes them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Service Bus namespaces and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources according to your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions, using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

In addition, use Azure Resource Graph to query and discover resources within the subscriptions.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions, using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

You may also construct custom policy definitions if the built-in definitions do not fit your organization's needs.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Azure Service Bus deployments. You may also make use of built-in policy definitions for Azure Service Bus, such as:

  • Diagnostic logs in Service Bus should be enabled
  • Service Bus should use a virtual network service endpoint to limit network traffic to your private networks

Use Azure Policy aliases in the "Microsoft.ServiceBus" namespace to create custom policies that audit or enforce configurations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Service Bus-enabled resources or applications.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.ServiceBus" namespace to create custom policies that alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.ServiceBus" namespace to create custom policies that alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure Service Bus deployments and related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.11: Manage Azure secrets securely

Guidance: For Azure virtual machines or web applications running on Azure App Service that access your Service Bus entities, use a managed identity together with Azure Key Vault to simplify and secure the management of shared access signature keys for your Azure Service Bus deployments. Ensure Key Vault soft-delete is enabled.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: For Azure virtual machines or web applications running on Azure App Service that access your Service Bus entities, use a managed identity together with Azure Key Vault to simplify and secure access to Azure Service Bus. Ensure Key Vault soft-delete is enabled.

Use managed identities to provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). Managed identities allow you to authenticate to any service that supports Azure AD authentication, including Azure Key Vault and Service Bus itself, without any credentials in your code.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

恶意软件防护Malware defense

有关详细信息,请参阅 Azure 安全基线: 恶意软件防护For more information, see the Azure Security Benchmark: Malware defense.

8.2:预先扫描要上传到非计算 Azure 资源的文件8.2: Pre-scan files to be uploaded to non-compute Azure resources

指导 :预扫描要上传到非计算 Azure 资源的任何内容,例如 Azure 服务总线、应用服务、Data Lake Storage、Blob 存储、Azure Database for PostgreSQL 等。Azure 无法访问你在这些实例中的数据。Guidance : Pre-scan any content being uploaded to non-compute Azure resources, such as Azure Service Bus, App Service, Data Lake Storage, Blob Storage, Azure Database for PostgreSQL, etc. Azure cannot access your data in these instances.

已在支持 Azure 服务的底层主机上启用 Azure 反恶意软件,但是该软件不针对客户内容运行。Azure anti-malware is enabled on the underlying host that supports Azure services, however it does not run on customer content.

Azure 安全中心监视 :不适用Azure Security Center monitoring : Not applicable

责任 :共享Responsibility : Shared

数据恢复Data recovery

有关详细信息,请参阅 Azure 安全基线: 数据恢复For more information, see the Azure Security Benchmark: Data recovery.

9.1:确保定期执行自动备份9.1: Ensure regular automated back-ups

指导 :配置 Azure 服务总线的异地灾难恢复。Guidance : Configure geo-disaster recovery for Azure Service Bus. 当整个 Azure 区域或数据中心(如果未使用可用性区域)遭遇停机时,在不同区域或数据中心中继续进行数据处理就显得至关重要。When entire Azure regions or datacenters (if no availability zones are used) experience downtime, it is critical for data processing to continue to operate in a different region or datacenter. 在这种情况下,异地灾难恢复和异地复制对于任何企业而言都是至关重要的功能。As such, Geo-disaster recovery and Geo-replication are important features for any enterprise. Azure 服务总线支持命名空间级别的异地灾难恢复和异地复制。Azure Service Bus supports both geo-disaster recovery and geo-replication, at the namespace level.
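As an added example for 9.1 (not code from the baseline or from Microsoft), this Az PowerShell script creates two Premium namespaces in different regions, pairs them under a geo-DR alias, waits for the pairing to finish, and shows where failover is triggered. Namespace, alias and region names are placeholders; the cmdlet parameter names follow the Az.ServiceBus 1.x module, which is an assumption.

```powershell
# Added example (not from the baseline page). Names and regions are placeholders.
$rg        = "rg-messaging"         # placeholder
$primary   = "sb-orders-primary"    # placeholder
$secondary = "sb-orders-secondary"  # placeholder
$alias     = "sb-orders"            # placeholder alias clients connect to

# Geo-disaster recovery needs Premium namespaces in two regions.
$p = New-AzServiceBusNamespace -ResourceGroupName $rg -Name $primary `
        -Location "East US" -SkuName Premium
$s = New-AzServiceBusNamespace -ResourceGroupName $rg -Name $secondary `
        -Location "West US" -SkuName Premium

# Pair the namespaces under an alias. Clients should use the alias FQDN, not
# either namespace directly, so the hostname survives a failover.
New-AzServiceBusGeoDRConfiguration -ResourceGroupName $rg -Namespace $primary `
    -Name $alias -PartnerNamespace $s.Id

# Poll until replication of the namespace metadata has completed.
do {
    Start-Sleep -Seconds 10
    $dr = Get-AzServiceBusGeoDRConfiguration -ResourceGroupName $rg `
            -Namespace $primary -Name $alias
} while ($dr.ProvisioningState -ne "Succeeded")

# Failover is initiated against the SECONDARY namespace, is one-way, and breaks
# the pairing; a new pairing must be created afterwards. Left commented out so the
# script is safe to run as a setup step.
# Set-AzServiceBusGeoDRConfigurationFailOver -ResourceGroupName $rg `
#     -Namespace $secondary -Name $alias
```

One caveat a practitioner should plan around: the alias pairing replicates the namespace's entity metadata (queues, topics, subscriptions, rules) to the secondary, not the messages sitting in those entities, so a failover recovers the configuration but not in-flight data; recovery exercises should confirm that producers and consumers tolerate that.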

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Azure Service Bus provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). Service Bus relies on Azure Storage to store its data, and by default all data stored in Azure Storage is encrypted using Azure-managed keys. If you use Azure Key Vault to store customer-managed keys, ensure regular automated backups of your keys.

Ensure regular automated backups of your Key Vault secrets with the following PowerShell command: Backup-AzKeyVaultSecret

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Test restoration of backed-up customer-managed keys used to encrypt Service Bus data.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Enable soft-delete in Key Vault to protect keys against accidental or malicious deletion. Azure Service Bus requires customer-managed keys to have Soft Delete and Do Not Purge configured.
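The following Az PowerShell script is an added example covering 9.2, 9.3 and 9.4 together; it is not from the baseline or from Microsoft. It verifies soft-delete and purge protection on the vault holding the customer-managed key, backs the key up with Backup-AzKeyVaultKey (the key-object counterpart of the Backup-AzKeyVaultSecret command the baseline names), and validates the backup by restoring it into a separate test vault. Vault, key and path names are placeholders.

```powershell
# Added example (not from the baseline page). All names and paths are placeholders.
$rg        = "rg-messaging"            # placeholder
$vault     = "kv-orders-prod"          # placeholder vault holding the Service Bus CMK
$keyName   = "sb-cmk"                  # placeholder key name
$testVault = "kv-orders-restore-test"  # placeholder vault used only to validate backups
$backupDir = "C:\kv-backups"           # placeholder; protect this location like the vault

# 9.4: the CMK vault must have soft-delete and purge protection. Purge protection
# cannot be disabled once enabled, which is exactly the property we want here.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vault
if (-not $kv.EnableSoftDelete) {
    throw "Key Vault '$vault' does not have soft-delete enabled"
}
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -ResourceGroupName $rg -VaultName $vault -EnablePurgeProtection
}

# 9.2: back up the key. The output is an encrypted blob that can only be restored
# into a vault in the same Azure subscription and geography.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$file  = Join-Path $backupDir "$vault-$keyName-$stamp.blob"
Backup-AzKeyVaultKey -VaultName $vault -Name $keyName -OutputFile $file

# 9.3: validate the backup by restoring into the test vault, never the production
# vault, and confirm the restored object is the key we expect.
$restored = Restore-AzKeyVaultKey -VaultName $testVault -InputFile $file
if ($restored.Name -ne $keyName) {
    throw "Restore validation failed for backup '$file'"
}
Write-Output "Backup '$file' validated: key '$($restored.Name)' restored into '$testVault'"
```

Run this on a schedule (for example from Azure Automation using its own managed identity) rather than by hand, and grant the test vault no access from production workloads so a restore validation can never be mistaken for the live key.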

Azure Security Center monitoring: Yes

Responsibility: Customer

Incident response

For more information, see the Azure Security Benchmark: Incident response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources. Continuous export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You can use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the workflow automation feature of Azure Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Azure Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Azure policies. Use Microsoft's strategy and execution of Red Teaming and live-site penetration testing against Azure-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps