category
此安全基线将Microsoft云安全基准1.0版的指导应用于Azure Bastion。Microsoft云安全基准提供了如何在Azure上保护云解决方案的建议。内容按Microsoft云安全基准定义的安全控制和适用于Azure Bastion的相关指导进行分组。
您可以使用Microsoft Defender for Cloud监视此安全基线及其建议。Azure策略定义将列在Microsoft Defender for Cloud门户页面的法规遵从性部分。
当一个功能具有相关的Azure策略定义时,它们会在此基线中列出,以帮助您衡量对Microsoft云安全基准控制和建议的合规性。某些建议可能需要付费的Microsoft Defender计划来启用某些安全场景。
Note
Features not applicable to Azure Bastion have been excluded. To see how Azure Bastion completely maps to the Microsoft cloud security benchmark, see the full Azure Bastion security baseline mapping file.
Security profile
The security profile summarizes high-impact behaviors of Azure Bastion, which may result in increased security considerations.
Service Behavior Attribute | Value |
---|---|
Product Category | Security |
Customer can access HOST / OS | No Access |
Service can be deployed into customer's virtual network | True |
Stores customer content at rest | True |
Network security
For more information, see the Microsoft cloud security benchmark: Network security.
NS-1: Establish network segmentation boundaries
Features
Virtual Network Integration
Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | False | Customer |
Configuration Guidance: Deploy the Azure Bastion into a virtual network with the subnet at least /26 or larger.
Reference: Tutorial: Deploy Bastion
Network Security Group Support
Description: Service network traffic respects Network Security Groups rule assignment on its subnets. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | False | Customer |
Configuration Guidance: Use network security groups (NSG) to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Create NSG rules to restrict your service's open ports (such as preventing management ports from being accessed from untrusted networks).
Reference: Working with NSG access and Azure Bastion
Microsoft Defender for Cloud monitoring
Azure Policy built-in definitions - Microsoft.Network:
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
NS-2: Secure cloud services with network controls
Features
Azure Private Link
Description: Service native IP filtering capability for filtering network traffic (not to be confused with NSG or Azure Firewall). Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Disable Public Network Access
Description: Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Identity management
For more information, see the Microsoft cloud security benchmark: Identity management.
IM-1: Use centralized identity and authentication system
Features
Azure AD Authentication Required for Data Plane Access
Description: Service supports using Azure AD authentication for data plane access. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Local Authentication Methods for Data Plane Access
Description: Local authentications methods supported for data plane access, such as a local username and password. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
IM-3: Manage application identities securely and automatically
Features
Managed Identities
Description: Data plane actions support authentication using managed identities. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
IM-8: Restrict the exposure of credential and secrets
Features
Service Credential and Secrets Support Integration and Storage in Azure Key Vault
Description: Data plane supports native use of Azure Key Vault for credential and secrets store. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | False | Customer |
Configuration Guidance: You can store your SSH keys as Azure Key Vault secrets and use these secrets to connect to your virtual machines using Azure Bastion. You can control user access to these secrets by assigning Key Vault access policies either on individual users or Azure AD groups.
Privileged access
For more information, see the Microsoft cloud security benchmark: Privileged access.
PA-1: Separate and limit highly privileged/administrative users
Features
Local Admin Accounts
Description: Service has the concept of a local administrative account. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
PA-7: Follow just enough administration (least privilege) principle
Features
Azure RBAC for Data Plane
Description: Azure Role-Based Access Control (Azure RBAC) can be used to managed access to service's data plane actions. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Feature notes: Azure Bastion itself does not support Azure RBAC for users access.
However, when connecting to virtual machines using Azure Bastion your user will need the following role assignments:
- Reader role on the target virtual machine
- Reader role on the NIC with the private IP of the target virtual machine
- Reader role on the Azure Bastion resource
Configuration Guidance: This feature is not supported to secure this service.
PA-8: Determine access process for cloud provider support
Features
Customer Lockbox
Description: Customer Lockbox can be used for Microsoft support access. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Data protection
For more information, see the Microsoft cloud security benchmark: Data protection.
DP-3: Encrypt sensitive data in transit
Features
Data in Transit Encryption
Description: Service supports data in-transit encryption for data plane. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
DP-4: Enable data at rest encryption by default
Features
Data at Rest Encryption Using Platform Keys
Description: Data at-rest encryption using platform keys is supported, any customer content at rest is encrypted with these Microsoft managed keys. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
DP-6: Use a secure key management process
Features
Key Management in Azure Key Vault
Description: The service supports Azure Key Vault integration for any customer keys, secrets, or certificates. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | False | Customer |
Configuration Guidance: You can store and manage your SSH keys in Azure Key Vault secrets and use these secrets to connect to your virtual machines using Azure Bastion.
Reference: Connect: Using a private key stored in Azure Key Vault
Asset management
For more information, see the Microsoft cloud security benchmark: Asset management.
AM-2: Use only approved services
Features
Azure Policy Support
Description: Service configurations can be monitored and enforced via Azure Policy. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | False | Customer |
Configuration Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exists] effects to enforce secure configuration across Azure resources.
Logging and threat detection
For more information, see the Microsoft cloud security benchmark: Logging and threat detection.
LT-4: Enable logging for security investigation
Features
Azure Resource Logs
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | False | Customer |
Configuration Guidance: Enable resource logs for the Azure Bastion. As users connect to workloads using Azure Bastion, Bastion can log diagnostics of the remote sessions. You can then use the diagnostics to view which users connected to which workloads, at what time, from where, and other such relevant logging information.
Reference: Azure Bastion Resource Logs
Backup and recovery
For more information, see the Microsoft cloud security benchmark: Backup and recovery.
BR-1: Ensure regular automated backups
Features
Azure Backup
Description: The service can be backed up by the Azure Backup service. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Service Native Backup Capability
Description: Service supports its own native backup capability (if not using Azure Backup). Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Next steps
- See the Microsoft cloud security benchmark overview
- Learn more about Azure security baselines
- 登录 发表评论
- 5 次浏览
Tags
最新内容
- 15 hours 10 minutes ago
- 15 hours ago
- 16 hours 52 minutes ago
- 1 day 10 hours ago
- 1 day 11 hours ago
- 1 day 11 hours ago
- 1 day 12 hours ago
- 1 day 12 hours ago
- 1 day 12 hours ago
- 1 day 13 hours ago