Security recommendations for Blob storage

This article contains security recommendations for Blob storage. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model. For more information on what Microsoft does to fulfill service provider responsibilities, read Shared responsibilities for cloud computing.

Some of the recommendations in this article can be automatically monitored by Azure Security Center. Azure Security Center is the first line of defense in protecting your resources in Azure. For information on Azure Security Center, see What is Azure Security Center?

Azure Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to address them. For more information on Azure Security Center recommendations, see Security recommendations in Azure Security Center.

Data protection

| Recommendation | Comments | Security Center |
|---|---|---|
| Use the Azure Resource Manager deployment model | Create new storage accounts using the Azure Resource Manager deployment model for important security enhancements, including superior access control (RBAC) and auditing, Resource Manager-based deployment and governance, access to managed identities, access to Azure Key Vault for secrets, and Azure AD-based authentication and authorization for access to Azure Storage data and resources. If possible, migrate existing storage accounts that use the classic deployment model to Azure Resource Manager. For more information about Azure Resource Manager, see Azure Resource Manager overview. | - |
| Enable the Secure transfer required option on all of your storage accounts | When you enable the Secure transfer required option, all requests made against the storage account must take place over secure connections. Any request made over HTTP fails. For more information, see Require secure transfer in Azure Storage. | Yes |
| Turn on soft delete for blob data | Soft delete enables you to recover blob data after it has been deleted, for as long as the configured retention period. For more information on soft delete, see Soft delete for Azure Storage blobs. | - |
| Store business-critical data in immutable blobs | Configure legal holds and time-based retention policies to store blob data in a WORM (Write Once, Read Many) state. Blobs stored immutably can be read, but cannot be modified or deleted for the duration of the retention interval. For more information, see Store business-critical blob data with immutable storage. | - |
| Limit shared access signature (SAS) tokens to HTTPS connections only | Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of eavesdropping: a token sent over plaintext HTTP can be captured and replayed. Set the signed protocol field (spr) to https when you create the SAS. For more information, see Grant limited access to Azure Storage resources using shared access signatures (SAS). | - |

Identity and access management

| Recommendation | Comments | Security Center |
|---|---|---|
| Use Azure Active Directory (Azure AD) to authorize access to blob data | Azure AD provides superior security and ease of use over Shared Key for authorizing requests to Blob storage: access is tied to an identity that can be audited and revoked, rather than to a long-lived account key. For more information, see Authorize access to Azure blobs and queues using Azure Active Directory. | - |
| Keep in mind the principle of least privilege when assigning permissions to an Azure AD security principal via RBAC | When assigning a role to a user, group, or application, grant that security principal only the permissions necessary to perform its tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | - |
| Use a user delegation SAS to grant limited access to blob data to clients | A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS because it is signed with a short-lived user delegation key rather than the account key. For more information, see Grant limited access to Azure Storage resources using shared access signatures (SAS). | - |
| Secure your account access keys with Azure Key Vault | Microsoft recommends using Azure AD to authorize requests to Azure Storage. However, if you must use Shared Key authorization, secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime instead of saving them with your application. For more information about Azure Key Vault, see Azure Key Vault overview. | - |
| Regenerate your account keys periodically | Rotating the account keys periodically reduces the risk of exposing your data to malicious actors. Regenerating a key also invalidates every service SAS and account SAS that was signed with it, so plan the rotation together with the clients that hold such tokens. | - |
| Keep in mind the principle of least privilege when assigning permissions to a SAS | When creating a SAS, specify only those permissions that the client requires to perform its function. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | - |
| Have a revocation plan in place for any SAS that you issue to clients | If a SAS is compromised, you will want to revoke it as soon as possible. To revoke a user delegation SAS, revoke the user delegation key, which quickly invalidates all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, delete the stored access policy, rename the policy, or change its expiry time to a time in the past. For more information, see Grant limited access to Azure Storage resources using shared access signatures (SAS). | - |
| If a service SAS is not associated with a stored access policy, then set the expiry time to one hour or less | A service SAS that is not associated with a stored access policy cannot be revoked, short of regenerating the account key that signed it (which also invalidates every other SAS signed with that key). For this reason, limit the expiry time so that the SAS is valid for one hour or less. | - |
| Limit anonymous public read access to containers and blobs | Anonymous, public read access to a container and its blobs grants read-only access to those resources to any client, with no credential at all. Avoid enabling public read access unless your scenario requires it. | - |
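
The SAS rules in the table above (HTTPS only, least-privilege permissions, a revocation handle via a stored access policy, and a lifetime of one hour or less when there is none) can be checked mechanically before a token is handed to a client. The following is an added example written for this page, not Microsoft code and not the Azure SDK: it builds a service SAS with the standard library and then audits it against those rules. The string-to-sign layout is the documented service SAS format for API version 2018-11-09 as I recall it (verify it against the current REST reference, or generate real tokens with azure-storage-blob's generate_blob_sas); the account name, key and blob path are constructed for the example.

```python
"""Generate and audit Azure Blob service SAS tokens with only the standard library.

Added example for this page; not Microsoft code and not the Azure SDK. The
string-to-sign layout is the service SAS format for API version 2018-11-09 as
the author recalls it. DEMO_KEY is a constructed value, not a real credential.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

API_VERSION = "2018-11-09"
ONE_HOUR = timedelta(hours=1)
READ_ONLY = set("rl")          # r = read, l = list; anything else is a write-class right
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

DEMO_KEY = base64.b64encode(bytes(range(64))).decode()   # constructed 64-byte key, base64
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(params, canonical):
    # Field order: sp, st, se, canonicalizedresource, si, sip, spr, sv, sr,
    # then snapshot time and the five response-header overrides (all empty here).
    return "\n".join([params.get("sp", ""), params.get("st", ""), params.get("se", ""), canonical,
                      params.get("si", ""), params.get("sip", ""), params.get("spr", ""),
                      params.get("sv", ""), params.get("sr", "")] + [""] * 6)


def build_service_sas(account, key_b64, container, blob, permissions, expiry,
                      *, start=None, identifier="", ip="", protocol="https"):
    """Return a SAS URL for one blob (or for the container when blob is None)."""
    path = f"/{container}/{blob}" if blob else f"/{container}"
    params = {"sv": API_VERSION, "sr": "b" if blob else "c", "sp": permissions,
              "se": expiry.strftime(TIME_FMT)}
    if start:
        params["st"] = start.strftime(TIME_FMT)
    if identifier:                      # stored access policy: the revocation handle
        params["si"] = identifier
    if ip:
        params["sip"] = ip
    params["spr"] = protocol
    params["sig"] = _sign(key_b64, _string_to_sign(params, f"/blob/{account}{path}"))
    return f"https://{account}.blob.core.windows.net{path}?{urlencode(params)}"


def verify_service_sas(account, key_b64, url):
    """Recompute the signature from the URL's own parameters, as the service does."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    expected = _sign(key_b64, _string_to_sign(params, f"/blob/{account}{parsed.path}"))
    return hmac.compare_digest(expected, params.get("sig", ""))


def audit_sas(url, now=None):
    """Apply the page's SAS hygiene rules to a SAS URL; returns a list of findings."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if params.get("spr") != "https":
        findings.append("not limited to HTTPS: spr=%r lets the token travel in the clear" % params.get("spr"))
    extra = set(params.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("grants more than read/list: extra permissions %s" % "".join(sorted(extra)))
    if not params.get("sip"):
        findings.append("no client IP restriction (sip)")
    if "si" not in params:              # no stored access policy, so no way to revoke it
        if "se" not in params:
            findings.append("no expiry and no stored access policy")
        else:
            expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
            if expiry <= now:
                findings.append("already expired")
            elif expiry - now > ONE_HOUR:
                findings.append("no stored access policy and lifetime exceeds one hour: "
                                "cannot be revoked short of regenerating the account key")
    return findings


def demo():
    """Constructed good and bad tokens for the same blob, with their audit results."""
    good = build_service_sas("contoso", DEMO_KEY, "finance", "q4.csv", "r",
                             DEMO_NOW + timedelta(minutes=30), ip="203.0.113.0/24")
    bad = build_service_sas("contoso", DEMO_KEY, "finance", "q4.csv", "rwd",
                            DEMO_NOW + timedelta(hours=24), protocol="https,http")
    return good, audit_sas(good, DEMO_NOW), bad, audit_sas(bad, DEMO_NOW)


if __name__ == "__main__":
    good, good_findings, bad, bad_findings = demo()
    print("good token:", good_findings or "no findings")
    print("bad token:")
    for finding in bad_findings:
        print("  -", finding)
```

The audit treats a missing si as the interesting case: with a stored access policy, revocation is a policy edit; without one, only the one-hour lifetime limits the damage from a leaked token. verify_service_sas shows why any change to sp, se or spr by the client is rejected: all of them are inside the signed string.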

Networking

| Recommendation | Comments | Security Center |
|---|---|---|
| Enable firewall rules | Configure firewall rules to limit access to your storage account to requests that originate from specified IP addresses or ranges, or from a list of subnets in an Azure Virtual Network (VNet). | - |
| Allow trusted Microsoft services to access the storage account | Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on. You can permit requests from other Azure services by adding an exception that allows trusted Microsoft services to access the storage account. | - |
| Use VNet service tags | A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. For more information about service tags supported by Azure Storage, see Azure service tags overview. For a tutorial that shows how to use service tags to create outbound network rules, see Restrict access to PaaS resources. | - |
| Limit network access to specific networks | Limiting network access to the networks that host the clients requiring access reduces the exposure of your resources to network attacks. | Yes |
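
Several of the recommendations on this page (Secure transfer required, blob soft delete, no anonymous public access, firewall rules with a Deny default, and the trusted Microsoft services exception) are properties of the storage account resource, so they can be checked offline against an exported ARM template before deployment. The following is an added example written for this page, not Microsoft code: a weak account definition beside a hardened one, and a checker that reports which of those controls each one fails. The property names (supportsHttpsTrafficOnly, allowBlobPublicAccess, networkAcls, deleteRetentionPolicy) are those of the Microsoft.Storage/storageAccounts resource type as I know them; verify them against the current ARM reference. The subscription ID, resource names and IP range are constructed.

```python
"""Check storage account definitions against the account-level controls on this page.

Added example, not Microsoft code. Input is a Microsoft.Storage/storageAccounts
resource as exported in an ARM template, with the blobServices child nested under
"resources". Property names are as the author knows them; both sample accounts
and every identifier in them are constructed.
"""

WEAK_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "contosoweak",
    "properties": {
        "supportsHttpsTrafficOnly": False,          # HTTP requests are accepted
        "allowBlobPublicAccess": True,              # containers may be made public
        "networkAcls": {"defaultAction": "Allow",   # reachable from anywhere
                        "bypass": "AzureServices",
                        "ipRules": [], "virtualNetworkRules": []},
    },
    "resources": [{
        "type": "blobServices", "name": "default",
        "properties": {"deleteRetentionPolicy": {"enabled": False}},
    }],
}

HARDENED_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "contosohardened",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "allowBlobPublicAccess": False,
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices",              # trusted Microsoft services exception
            "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
            "virtualNetworkRules": [{
                "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
                       "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"),
                "action": "Allow",
            }],
        },
    },
    "resources": [{
        "type": "blobServices", "name": "default",
        "properties": {"deleteRetentionPolicy": {"enabled": True, "days": 14}},
    }],
}


def _blob_service(account):
    """Find the nested blobServices child resource, if the export includes one."""
    for child in account.get("resources", []):
        if child.get("type", "").endswith("blobServices"):
            return child
    return None


def check_storage_account(account):
    """Return a list of findings; an empty list means every check passed."""
    props = account.get("properties", {})
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append("supportsHttpsTrafficOnly is not true: Secure transfer required is off, "
                        "HTTP requests succeed")
    if props.get("allowBlobPublicAccess") is not False:
        findings.append("allowBlobPublicAccess is not explicitly false: containers can be opened "
                        "to anonymous public read")
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny: firewall rules are not enforced, "
                        "the account is reachable from any network")
    else:
        if not acls.get("ipRules") and not acls.get("virtualNetworkRules"):
            findings.append("defaultAction is Deny but no IP or VNet rules exist: only bypassed "
                            "services can reach the account")
        bypass = {b.strip() for b in acls.get("bypass", "AzureServices").split(",")}
        if "AzureServices" not in bypass:
            findings.append("trusted Microsoft services are not bypassed: other Azure services, "
                            "logging and metrics will be blocked")
    blob = _blob_service(account)
    policy = (blob or {}).get("properties", {}).get("deleteRetentionPolicy", {})
    if not policy.get("enabled"):
        findings.append("blob soft delete (deleteRetentionPolicy) is not enabled: deleted blobs "
                        "cannot be recovered")
    return findings


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"])
        for finding in check_storage_account(acct) or ["no findings"]:
            print("  -", finding)
```

The Deny branch carries the two caveats a reviewer most often needs: a Deny default with no rules locks out every client except bypassed services, and dropping AzureServices from bypass silently breaks the portal, logging and metrics, which is the situation the "Allow trusted Microsoft services" row describes.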

Logging/Monitoring

| Recommendation | Comments | Security Center |
|---|---|---|
| Track how requests are authorized | Enable Azure Storage logging to track how each request made against Azure Storage was authorized. The logs indicate whether a request was made anonymously, by using an OAuth 2.0 token, by using Shared Key, or by using a shared access signature (SAS). Reviewing this field is how you find out whether anonymous access or long-lived SAS tokens are actually being used against the account. For more information, see Azure Storage analytics logging. | - |
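
The authentication-type field in the Storage Analytics log is only useful if something reads it. The following is an added example written for this page, not Microsoft tooling: it parses log entries from the $logs container, counts requests by how they were authorized, and flags the cases the recommendations above warn about (anonymous reads, a SAS presented over plaintext HTTP, and rejected SAS requests that may be a leaked or expired token being replayed). The field order follows the version 1.0 log format as I recall it (version 2.0 appends Azure AD fields such as user-object-id after these); confirm it against the Storage Analytics log format reference. The four log lines, account name and IP addresses are constructed for the example.

```python
"""Classify Storage Analytics ($logs) entries by how each request was authorized.

Added example for this page, not Microsoft tooling. FIELDS follows the version 1.0
log layout as the author recalls it; SAMPLE_LOG is constructed, not captured.
"""
import csv
from collections import Counter
from io import StringIO

FIELDS = [
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name",
    "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header",
    "request-header-size", "request-packet-size", "response-header-size",
    "response-packet-size", "request-content-length", "request-md5", "server-md5",
    "etag-identifier", "last-modified-time", "conditions-used",
    "user-agent-header", "referrer-header", "client-request-id",
]

# Constructed sample: Shared Key read, SAS read over HTTP, anonymous read, rejected SAS list.
SAMPLE_LOG = """\
1.0;2024-01-01T12:00:01.0000000Z;GetBlob;Success;200;8;7;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/finance/q4.csv";"/contoso/finance/q4.csv";req-0001;1;10.0.0.4;2018-11-09;312;0;210;4096;0;;;"0x8D1";Monday, 01-Jan-24 11:00:00 GMT;;"AzCopy/10.16";;"job-1"
1.0;2024-01-01T12:00:05.0000000Z;GetBlob;SASSuccess;200;15;14;sas;;contoso;blob;"http://contoso.blob.core.windows.net/finance/q4.csv?sv=2018-11-09&sr=b&sp=r&se=2024-01-01T13%3A00%3A00Z&sig=REDACTED";"/contoso/finance/q4.csv";req-0002;1;203.0.113.5;2018-11-09;298;0;210;4096;0;;;"0x8D1";Monday, 01-Jan-24 11:00:00 GMT;;"python-requests/2.31";;"web-1"
1.0;2024-01-01T12:00:09.0000000Z;GetBlob;AnonymousSuccess;200;9;8;anonymous;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q4.csv";"/contoso/finance/q4.csv";req-0003;1;198.51.100.7;2018-11-09;120;0;210;4096;0;;;"0x8D1";Monday, 01-Jan-24 11:00:00 GMT;;"curl/8.4.0";;
1.0;2024-01-01T12:00:12.0000000Z;ListBlobs;SASAuthorizationError;403;4;3;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance?restype=container&comp=list&sv=2018-11-09&sr=c&sp=l&se=2023-12-31T00%3A00%3A00Z&sig=REDACTED";"/contoso/finance";req-0004;1;203.0.113.5;2018-11-09;301;0;180;0;0;;;;;;"python-requests/2.31";;"web-1"
"""


def parse_log(text):
    """Split semicolon-delimited, double-quoted log lines into dicts keyed by FIELDS."""
    rows = csv.reader(StringIO(text), delimiter=";", quotechar='"')
    return [dict(zip(FIELDS, row)) for row in rows if row]


def review(record):
    """Return the reasons one record deserves a second look, per the page's guidance."""
    reasons = []
    auth = record.get("authentication-type", "")
    status = record.get("request-status", "")
    if auth == "anonymous":
        reasons.append("anonymous public read: confirm the container is meant to be public")
    if auth == "sas" and record.get("request-url", "").lower().startswith("http://"):
        reasons.append("SAS token sent over plaintext HTTP: enforce Secure transfer required "
                       "and issue tokens with spr=https")
    if status.endswith("AuthorizationError") or status.endswith("AuthenticationError"):
        reasons.append(f"rejected request ({status}): possible leaked or expired credential "
                       "being replayed")
    return reasons


def summarize(text):
    """Count requests per authentication type and collect the records worth reviewing."""
    records = parse_log(text)
    counts = Counter(r.get("authentication-type", "") for r in records)
    findings = []
    for r in records:
        reasons = review(r)
        if reasons:
            findings.append({"request_id": r.get("request-id-header", ""),
                             "ip": r.get("requester-ip-address", ""),
                             "operation": r.get("operation-type", ""),
                             "reasons": reasons})
    return counts, findings


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_LOG)
    print("requests by authentication type:", dict(counts))
    for f in findings:
        print(f"{f['request_id']} {f['operation']} from {f['ip']}:")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run against a real download of the $logs container, the counts alone answer the question the recommendation poses: if authentication-type is ever anonymous or sas when the design says every client uses Azure AD, something is configured or leaked that should not be.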

Next steps