Azure 存储的安全控制Security controls for Azure Storage

本文介绍 Azure 存储中内置的安全控制。This article documents the security controls built into Azure Storage.

安全控制是促使 Azure 服务能够防范、检测和响应安全漏洞的一种服务质量或功能。A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

对于每项控制,我们使用“Yes”或“No”来指示它当前是否用于该服务,对于不适用于该服务的控制为“N/A”。For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, "N/A" for a control that is not applicable to the service. 我们还可能会提供有关属性的更多信息的注释或链接。We might also provide a note or links to more information about an attribute.

数据保护Data protection

安全控制Security control Yes/NoYes/No 注释Notes
服务器端静态加密:Microsoft 管理的密钥Server-side encryption at rest: Microsoft-managed keys Yes
服务器端静态加密:客户管理的密钥 (BYOK)Server-side encryption at rest: customer-managed keys (BYOK) Yes 请参阅在 Azure Key Vault 中使用客户托管密钥进行存储服务加密See Storage Service Encryption using customer-managed keys in Azure Key Vault.
列级加密(Azure 数据服务)Column level encryption (Azure Data Services) 空值N/A
传输中加密(例如 ExpressRoute 加密、VNet 中加密,以及 VNet-VNet 加密)Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption) Yes 支持标准的 HTTPS/TLS 机制。Support standard HTTPS/TLS mechanisms. 用户也可以先加密数据,然后再将其传输到服务。Users can also encrypt data before it is transmitted to the service.
加密的 API 调用API calls encrypted Yes

网络Network

安全控制Security control Yes/NoYes/No 注释Notes
服务终结点支持Service endpoint support Yes
服务标记支持Service tags support Yes 有关 Azure 存储支持的服务标记的详细信息,请参阅 Azure 服务标记概述See Azure service tags overview for more information about service tags supported by Azure Storage.
VNet 注入支持VNet injection support 空值N/A
网络隔离和防火墙支持Network isolation and firewall support Yes
强制隧道支持Forced tunneling support 空值N/A

监视和日志记录Monitoring & logging

安全控制Security control Yes/NoYes/No 注释Notes
Azure 监视支持(Log Analytics、App Insights 等)Azure monitoring support (Log analytics, App insights, etc.) Yes Azure Monitor 指标Azure Monitor Metrics
控制和管理平面日志记录和审核Control and management plane logging and audit Yes Azure 活动日志Azure Activity Log
数据平面日志记录和审核Data plane logging and audit Yes Azure Monitor 资源日志Azure Monitor Resource Logs

标识Identity

安全控制Security control Yes/NoYes/No 注释Notes
身份验证Authentication Yes Azure Active Directory、共享密钥、共享访问令牌。Azure Active Directory, Shared key, Shared access token.
授权Authorization Yes 支持通过 RBAC、POSIX ACL 和 SAS 令牌进行授权Support Authorization via RBAC, POSIX ACLs, and SAS Tokens

配置管理Configuration management

安全控制Security control Yes/NoYes/No 注释Notes
配置管理支持(配置的版本控制等)Configuration management support (versioning of configuration, etc.) Yes 支持通过 Azure 资源管理器 API 进行资源提供程序版本控制Support Resource Provider versioning through Azure Resource Manager APIs

后续步骤Next steps