Azure 服务总线消息传递的 Azure Policy 法规遵从性控制Azure Policy Regulatory Compliance controls for Azure Service Bus Messaging

Azure Policy 中的法规符合性为与不同符合性标准相关的“符合域”和“安全控制措施”提供 Azure 创建和管理的计划定义,称为“内置” 。Regulatory Compliance in Azure Policy provides Azure created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. 此页列出了 Azure 服务总线消息传递的“合规性域”和“安全控制” 。This page lists the compliance domains and security controls for Azure Service Bus Messaging. 可以分别为“安全控件”分配内置项,以帮助 Azure 资源符合特定的标准。You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

每个内置策略定义链接(指向 Azure 门户中的策略定义)的标题。The title of each built-in policy definition links to the policy definition in the Azure portal. 使用“策略版本”列中的链接查看 Azure Policy GitHub 存储库上的源。Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

重要

下面的每个控件都与一个或多个 Azure Policy 定义关联。Each control below is associated with one or more Azure Policy definitions. 这些策略有助于评估控制的合规性;但是,控制与一个或多个策略之间通常不是一对一或完全匹配。These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. 因此,Azure Policy 中的符合性仅引用策略本身;这不确保你完全符合控件的所有要求。As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. 此外,符合性标准包含目前未由任何 Azure Policy 定义处理的控件。In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. 因此,Azure Policy 中的符合性只是整体符合性状态的部分视图。Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. 这些符合性标准的控制措施和 Azure Policy 法规符合性定义之间的关联可能会随着时间的推移而发生变化。The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure 安全基准 v1Azure Security Benchmark v1

Azure 安全基准提供有关如何在 Azure 上保护云解决方案的建议。The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. 若要查看此服务如何完全映射到 Azure 安全基准,请参阅 Azure 安全基准映射文件To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

Domain 控制 IDControl ID 控制标题Control title 策略Policy
(Azure 门户)(Azure portal)
策略版本Policy version
(GitHub)(GitHub)
网络安全Network Security 1.11.1 在虚拟网络上使用网络安全组或 Azure 防火墙来保护资源Protect resources using Network Security Groups or Azure Firewall on your Virtual Network 服务总线应使用虚拟网络服务终结点Service Bus should use a virtual network service endpoint 1.0.01.0.0
日志记录和监视Logging and Monitoring 2.32.3 为 Azure 资源启用审核日志记录Enable audit logging for Azure resources 应启用服务总线的诊断日志Diagnostic logs in Service Bus should be enabled 3.0.03.0.0

HIPAA HITRUST 9.2HIPAA HITRUST 9.2

有关此合规性标准的详细信息,请参阅 HIPAA HITRUST 9.2For more information about this compliance standard, see HIPAA HITRUST 9.2. |Domain |控制 IDControl ID |控制标题Control title |策略Policy
(Azure 门户)(Azure portal) |策略版本Policy version
(GitHub)(GitHub) | |---|---|---|---|---| |网络隔离Segregation in Networks |0805.01m1Organizational.12 - 01.m0805.01m1Organizational.12 - 01.m |组织的安全网关(例如防火墙)强制执行安全策略,并配置为筛选域之间的流量、阻止未经授权的访问。它用于维护内部有线、内部无线和外部网络段(如 Internet,包括 DMZ)之间的隔离,并对每个域强制执行访问控制策略。The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. |服务总线应使用虚拟网络服务终结点Service Bus should use a virtual network service endpoint |1.0.01.0.0 | |网络隔离Segregation in Networks |0806.01m2Organizational.12356 - 01.m0806.01m2Organizational.12356 - 01.m |组织网络根据组织要求使用定义的安全外围和一组分级的控制以逻辑方式和物理方式进行分段,包括在逻辑上与内部网络分离的可公开访问的系统组件子网;流量控制基于所需的功能,而数据/系统的分类控制则基于风险评估及其各自的安全要求。The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. |服务总线应使用虚拟网络服务终结点Service Bus should use a virtual network service endpoint |1.0.01.0.0 | |网络隔离Segregation in Networks |0894.01m2Organizational.7 - 01.m0894.01m2Organizational.7 - 01.m |将物理服务器、应用程序或数据迁移到虚拟化服务器时,网络会与生产级网络分离。Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. |服务总线应使用虚拟网络服务终结点Service Bus should use a virtual network service endpoint |1.0.01.0.0 | |审核日志Audit Logging |1208.09aa3System.1 - 09.aa1208.09aa3System.1 - 09.aa |对于管理活动、系统和应用程序启动/关闭/错误、文件更改和安全策略更改,保留审核日志。Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes. |应启用服务总线的诊断日志Diagnostic logs in Service Bus should be enabled |3.0.03.0.0 | |网络控制Network Controls |0860.09m1Organizational.9 - 09.m0860.09m1Organizational.9 - 09.m |组织正式管理网络上的设备,包括用户区域中的设备。The organization formally manages equipment on the network, including equipment in user areas. |服务总线应使用虚拟网络服务终结点Service Bus should use a virtual network service endpoint |1.0.01.0.0 |

后续步骤Next steps