Ovaj preglednik više nije podržan.
Prijeđite na Microsoft Edge, gdje vas čekaju najnovije značajke, sigurnosna ažuriranja i tehnička podrška.
This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Azure Stream Analytics. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Azure Stream Analytics.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud portal page.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Napomena
Features not applicable to Azure Stream Analytics have been excluded. To see how Azure Stream Analytics completely maps to the Microsoft cloud security benchmark, see the full Azure Stream Analytics security baseline mapping file.
The security profile summarizes high-impact behaviors of Azure Stream Analytics, which may result in increased security considerations.
| Service Behavior Attribute | Value |
|---|---|
| Product Category | Analytics, IoT |
| Customer can access HOST / OS | No Access |
| Service can be deployed into customer's virtual network | False |
| Stores customer content at rest | False |
For more information, see the Microsoft cloud security benchmark: Network security.
Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service network traffic respects Network Security Groups rule assignment on its subnets. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service native IP filtering capability for filtering network traffic (not to be confused with NSG or Azure Firewall). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Azure Stream Analytics support Private Link in the Premium SKU.
Configuration Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources.
Reference: Create and delete managed private endpoints in an Azure Stream Analytics cluster
Description: Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
For more information, see the Microsoft cloud security benchmark: Identity management.
Description: Service supports using Azure AD authentication for data plane access. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Use Azure Active Directory (Azure AD) as the default authentication method to control your data plane access.
Reference: Rotate login credentials for inputs and outputs of a Stream Analytics Job
Description: Data plane actions support authentication using managed identities. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Use Azure managed identities instead of service principals when possible, which can authenticate to Azure services and resources that support Azure Active Directory (Azure AD) authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files.
Reference: Managed identities for Azure Stream Analytics
Description: Data plane supports authentication using service principals. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Additional Guidance: For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication.
Description: Data plane supports native use of Azure Key Vault for credential and secrets store. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
For more information, see the Microsoft cloud security benchmark: Privileged access.
Description: Customer Lockbox can be used for Microsoft support access. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
For more information, see the Microsoft cloud security benchmark: Data protection.
Description: Tools (such as Azure Purview or Azure Information Protection) can be used for data discovery and classification in the service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service supports DLP solution to monitor sensitive data movement (in customer's content). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Feature notes: Azure Stream Analytics does not support Data Leak/Loss Prevention, however there are built-in policies that may be leveraged to prevent unauthorized data access.
For more information, please visit: Azure Policy built-in definitions for Azure Stream Analytics.
Configuration Guidance: This feature is not supported to secure this service.
Description: Service supports data in-transit encryption for data plane. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Welcome to Azure Stream Analytics
Description: Data at-rest encryption using platform keys is supported, any customer content at rest is encrypted with these Microsoft managed keys. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Data protection in Azure Stream Analytics
Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: If required for regulatory compliance, define the use case and service scope where encryption using customer-managed keys are needed. Enable and implement data at rest encryption using customer-managed key for those services.
Reference: Data protection in Azure Stream Analytics
Description: The service supports Azure Key Vault integration for any customer keys, secrets, or certificates. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Feature notes: Azure Stream Analytics does not integrate directly with Azure Key Vault. Azure Key Vault can be leveraged indirectly if the customer wants to use customer-managed keys to encrypt private data assets required by the Stream Analytics runtime through the use of a storage account.
Configuration Guidance: This feature is not supported to secure this service.
Description: The service supports Azure Key Vault integration for any customer certificates. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
For more information, see the Microsoft cloud security benchmark: Asset management.
Description: Service configurations can be monitored and enforced via Azure Policy. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exists] effects to enforce secure configuration across Azure resources.
Reference: Azure Policy built-in definitions for Azure Stream Analytics
For more information, see the Microsoft cloud security benchmark: Logging and threat detection.
Description: Service has an offering-specific Microsoft Defender solution to monitor and alert on security issues. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Enable resource logs for the service. For example, Key Vault supports additional resource logs for actions that get a secret from a key vault or and Azure SQL has resource logs that track requests to a database. The content of resource logs varies by the Azure service and resource type.
Reference: Troubleshoot Azure Stream Analytics by using resource logs
For more information, see the Microsoft cloud security benchmark: Backup and recovery.
Description: The service can be backed up by the Azure Backup service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service supports its own native backup capability (if not using Azure Backup). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: There is no current Microsoft guidance for this feature configuration. Please review and determine if your organization wants to configure this security feature.
Reference: Copy, back up and move your Azure Stream Analytics jobs between regions
Obuka
Modul
Monitor workload protection in Azure Backup - Training
Learn how to monitor Azure Backup-protected workloads by using Azure Monitor.
Certifikacija
Microsoft Certified: Azure Database Administrator Associate - Certifications
Administer an SQL Server database infrastructure for cloud, on-premises and hybrid relational databases using the Microsoft PaaS relational database offerings.
Dokumentacija
Built-in policy definitions for Azure Stream Analytics - Azure Stream Analytics
Lists Azure Policy built-in policy definitions for Azure Stream Analytics. These built-in policy definitions provide common approaches to managing your Azure resources.
Azure security baseline for Microsoft Azure Managed Instance for Apache Cassandra
The Microsoft Azure Managed Instance for Apache Cassandra security baseline provides procedural guidance and resources for implementing the security recommendations specified in the Microsoft cloud security benchmark.
Rotate login credentials in Azure Stream Analytics jobs - Azure Stream Analytics
This article describes how to update the credentials of inputs and output sinks in Azure Stream Analytics jobs.