Roles, permissions, and security in Azure Monitor

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Many teams need to strictly regulate access to monitoring data and settings. For example, if you have team members who work exclusively on monitoring (support engineers, DevOps engineers), or if you use a managed service provider, you may want to grant them access to only monitoring data while restricting their ability to create, modify, or delete resources. This article shows how to quickly apply a built-in monitoring Azure role to a user, or build your own custom role for a user who needs limited monitoring permissions. It then discusses security considerations for your Azure Monitor-related resources and how you can limit access to the data they contain.

Built-in monitoring roles

Azure Monitor's built-in roles are designed to help limit access to resources in a subscription while still enabling those responsible for monitoring infrastructure to obtain and configure the data they need. Azure Monitor provides two out-of-the-box roles: Monitoring Reader and Monitoring Contributor.

Monitoring Reader

People assigned the Monitoring Reader role can view all monitoring data in a subscription but cannot modify any resource or edit any settings related to monitoring resources. This role is appropriate for users in an organization, such as support or operations engineers, who need to be able to:

  • View monitoring dashboards in the portal and create their own private monitoring dashboards.
  • View alert rules defined in Azure Alerts.
  • Query for metrics using the Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
  • Query the Activity Log using the portal, Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
  • View the diagnostic settings for a resource.
  • View the log profile for a subscription.
  • View autoscale settings.
  • View alert activity and settings.
  • Access Application Insights data and view data in AI Analytics.
  • Search Log Analytics workspace data, including usage data for the workspace.
  • View Log Analytics management groups.
  • Retrieve the search schema in a Log Analytics workspace.
  • List monitoring packs in a Log Analytics workspace.
  • Retrieve and execute saved searches in a Log Analytics workspace.
  • Retrieve the Log Analytics workspace storage configuration.

Note

This role does not give read access to log data that has been streamed to an event hub or stored in a storage account. See below for information on configuring access to these resources.

Monitoring Contributor

People assigned the Monitoring Contributor role can view all monitoring data in a subscription and create or modify monitoring settings, but cannot modify any other resources. This role is a superset of the Monitoring Reader role, and is appropriate for members of an organization's monitoring team or managed service providers who, in addition to the permissions above, also need to be able to:

  • Publish monitoring dashboards as a shared dashboard.
  • Set diagnostic settings for a resource.*
  • Set the log profile for a subscription.*
  • Set alert rules activity and settings via Azure Alerts.
  • Create Application Insights web tests and components.
  • List Log Analytics workspace shared keys.
  • Enable or disable monitoring packs in a Log Analytics workspace.
  • Create, delete, and execute saved searches in a Log Analytics workspace.
  • Create and delete the Log Analytics workspace storage configuration.

*The user must also separately be granted the ListKeys permission on the target resource (storage account or event hub namespace) to set a log profile or diagnostic setting.

Note

This role does not give read access to log data that has been streamed to an event hub or stored in a storage account. See below for information on configuring access to these resources.

Monitoring permissions and Azure custom roles

If the above built-in roles don't meet the exact needs of your team, you can create an Azure custom role with more granular permissions. Below are the common Azure Monitor RBAC operations with their descriptions.

| Operation | Description |
| --- | --- |
| Microsoft.Insights/ActionGroups/[Read, Write, Delete] | Read/write/delete action groups. |
| Microsoft.Insights/ActivityLogAlerts/[Read, Write, Delete] | Read/write/delete activity log alerts. |
| Microsoft.Insights/AlertRules/[Read, Write, Delete] | Read/write/delete alert rules (from alerts classic). |
| Microsoft.Insights/AlertRules/Incidents/Read | List incidents (history of the alert rule being triggered) for alert rules. This only applies to the portal. |
| Microsoft.Insights/AutoscaleSettings/[Read, Write, Delete] | Read/write/delete autoscale settings. |
| Microsoft.Insights/DiagnosticSettings/[Read, Write, Delete] | Read/write/delete diagnostic settings. |
| Microsoft.Insights/EventCategories/Read | Enumerate all categories possible in the Activity Log. Used by the Azure portal. |
| Microsoft.Insights/eventtypes/digestevents/Read | This permission is necessary for users who need access to Activity Logs via the portal. |
| Microsoft.Insights/eventtypes/values/Read | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log. |
| Microsoft.Insights/ExtendedDiagnosticSettings/[Read, Write, Delete] | Read/write/delete diagnostic settings for network flow logs. |
| Microsoft.Insights/LogDefinitions/Read | This permission is necessary for users who need access to Activity Logs via the portal. |
| Microsoft.Insights/LogProfiles/[Read, Write, Delete] | Read/write/delete log profiles (streaming the Activity Log to an event hub or storage account). |
| Microsoft.Insights/MetricAlerts/[Read, Write, Delete] | Read/write/delete near real-time metric alerts. |
| Microsoft.Insights/MetricDefinitions/Read | Read metric definitions (list of available metric types for a resource). |
| Microsoft.Insights/Metrics/Read | Read metrics for a resource. |
| Microsoft.Insights/Register/Action | Register the Azure Monitor resource provider. |
| Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] | Read/write/delete log alerts in Azure Monitor. |

Note

Access to alerts, diagnostic settings, and metrics for a resource requires that the user has Read access to the resource type and scope of that resource. Creating ("write") a diagnostic setting or log profile that archives to a storage account or streams to event hubs requires the user to also have the ListKeys permission on the target resource.

For example, using the above table you could create an Azure custom role for an "Activity Log Reader" like this:

# Start from the built-in Reader role and clear its Id so a new definition is created
$role = Get-AzRoleDefinition "Reader"
$role.Id = $null
$role.Name = "Activity Log Reader"
$role.Description = "Can view activity logs."
# Replace Reader's actions with only the Activity Log operations
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Insights/eventtypes/*")
# Limit where the role can be assigned
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/mySubscription")
New-AzRoleDefinition -Role $role

Security considerations for monitoring data

Monitoring data, particularly log files, can contain sensitive information such as IP addresses or user names. Monitoring data from Azure comes in three basic forms:

  1. The Activity Log, which describes all control-plane actions on your Azure subscription.
  2. Resource logs, which are logs emitted by a resource.
  3. Metrics, which are emitted by resources.

All three of these data types can be stored in a storage account or streamed to an event hub, both of which are general-purpose Azure resources. Because these are general-purpose resources, creating, deleting, and accessing them is a privileged operation reserved for an administrator. We suggest that you use the following practices for monitoring-related resources to prevent misuse:

  • Use a single, dedicated storage account for monitoring data. If you need to separate monitoring data into multiple storage accounts, never share a storage account between monitoring and non-monitoring data, as this may inadvertently give those who only need access to monitoring data (for example, a third-party SIEM) access to non-monitoring data.
  • Use a single, dedicated Service Bus or Event Hub namespace across all diagnostic settings, for the same reason as above.
  • Limit access to monitoring-related storage accounts or event hubs by keeping them in a separate resource group, and use scope on your monitoring roles to limit access to only that resource group.
  • Never grant the ListKeys permission for either storage accounts or event hubs at subscription scope when a user only needs access to monitoring data. Instead, grant these permissions to the user at resource or resource group scope (if you have a dedicated monitoring resource group).
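The two scoping practices above, as an added example that is not part of the original article: assign the built-in Monitoring Reader role only at the dedicated monitoring resource group, then audit the subscription-scope role assignments for any role that can list storage account or event hub keys. The subscription id, resource group, principal object id, and the Microsoft.EventHub listkeys action are assumptions.

```powershell
# Added example (not from the original article). All names are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$monitoringRg   = "rg-monitoring"                          # placeholder dedicated RG
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder user/group/SP object id

# 1. Scope the built-in role to the monitoring resource group, not the subscription.
$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$monitoringRg"
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Monitoring Reader" `
    -Scope $rgScope

# 2. Key-listing operations that should never be granted at subscription scope
#    to someone who only needs monitoring data. The first two appear in the
#    article; the Microsoft.EventHub one is the provider-specific equivalent (assumption).
$keyActions = @(
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.ServiceBus/namespaces/authorizationrules/listkeys/action",
    "Microsoft.EventHub/namespaces/authorizationrules/listkeys/action"
)

function Test-RoleGrantsAction {
    param($RoleDefinition, [string]$Action)
    # RBAC evaluates Actions minus NotActions, both with '*' wildcards;
    # PowerShell's -like operator matches the same wildcard shape.
    $allowed = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ })
    $denied  = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

# 3. Report every assignment made exactly at subscription scope whose role
#    (built-in or custom) effectively grants one of the key-listing actions.
$subScope = "/subscriptions/$subscriptionId"
Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.Scope -eq $subScope } |
    ForEach-Object {
        $assignment = $_
        $def  = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
        $hits = @($keyActions | Where-Object { Test-RoleGrantsAction $def $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Principal  = $assignment.DisplayName
                Role       = $def.Name
                KeyActions = ($hits -join "; ")
            }
        }
    } | Format-Table -AutoSize
```

Owner and Contributor appear in the report because their `*` action covers key listing; review those rows against who actually needs full control.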

When a user or application needs access to monitoring data in a storage account, you should generate an Account SAS on the storage account that contains monitoring data, with service-level read-only access to blob storage. In PowerShell, this might look like:

# Context built from the account's connection string (the issuer needs the account key)
$context = New-AzStorageContext -ConnectionString "[connection string for your monitoring Storage Account]"
# Account SAS limited to the blob service with read (r) and list (l) permission only
$token = New-AzStorageAccountSASToken -ResourceType Service -Service Blob -Permission "rl" -Context $context

You can then give the token to the entity that needs to read from that storage account, and it can list and read all blobs in that storage account.
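A hardened variant of the SAS issuance above, added here and not part of the original article: the token is HTTPS-only, has an explicit start and expiry, and also signs the Container and Object resource types, since listing blobs inside a container and reading them are container- and object-level operations. The consumer side then proves the token can list and read but not write. Resource group and account names are assumptions.

```powershell
# Added example (not from the original article). Names are placeholders.
$resourceGroup  = "rg-monitoring"       # placeholder
$storageAccount = "stmonitoringlogs"    # placeholder

# Issuer side: building the signing context requires the account key,
# so this runs as someone who holds ListKeys on the storage account.
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value
$context = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key

$token = New-AzStorageAccountSASToken -Context $context `
    -Service Blob `
    -ResourceType Service,Container,Object `
    -Permission "rl" `
    -Protocol HttpsOnly `
    -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddHours(8)

# Consumer side: a context that carries only the SAS, never the account key.
$sasContext = New-AzStorageContext -StorageAccountName $storageAccount -SasToken $token

# Positive check: containers and blobs can be enumerated and read.
Get-AzStorageContainer -Context $sasContext | ForEach-Object {
    Get-AzStorageBlob -Container $_.Name -Context $sasContext |
        Select-Object -First 3 Name, Length, LastModified
}

# Negative check: a write with this token must be refused (only r and l were signed).
$probe = Join-Path ([System.IO.Path]::GetTempPath()) "sas-probe.txt"
"probe" | Set-Content -Path $probe
$firstContainer = (Get-AzStorageContainer -Context $sasContext | Select-Object -First 1).Name
try {
    Set-AzStorageBlobContent -File $probe -Container $firstContainer -Blob "sas-probe.txt" `
        -Context $sasContext -ErrorAction Stop
    Write-Warning "Upload succeeded: the token grants more than read/list."
} catch {
    "Write correctly refused: $($_.Exception.Message)"
}
```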

Alternatively, if you need to control this permission with RBAC, you can grant that entity the Microsoft.Storage/storageAccounts/listkeys/action permission on that particular storage account. This is necessary for users who need to be able to set a diagnostic setting or log profile to archive to a storage account. For example, you could create the following Azure custom role for a user or application that only needs to read from one storage account:

# Start from the built-in Reader role and clear its Id so a new definition is created
$role = Get-AzRoleDefinition "Reader"
$role.Id = $null
$role.Name = "Monitoring Storage Account Reader"
$role.Description = "Can get the storage account keys for a monitoring storage account."
# Only the key-listing action plus read on the account itself
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/storageAccounts/listkeys/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/Read")
# Assignable only on the single monitoring storage account
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myMonitoringStorageAccount")
New-AzRoleDefinition -Role $role

Warning

The ListKeys permission enables the user to list the primary and secondary storage account keys. These keys grant the user all signed permissions (read, write, create blobs, delete blobs, etc.) across all signed services (blob, queue, table, file) in that storage account. We recommend using an Account SAS, as described above, when possible.

A similar pattern can be followed with event hubs, but first you need to create a dedicated Listen authorization rule. If you want to grant access to an application that only needs to listen to monitoring-related event hubs, do the following:

  1. Create a shared access policy on the event hub(s) that were created for streaming monitoring data, with only Listen claims. This can be done in the portal. For example, you might call it "monitoringReadOnly". If possible, you will want to give that key directly to the consumer and skip the next step.

  2. If the consumer needs to be able to get the key ad hoc, grant the user the ListKeys action for that event hub. This is also necessary for users who need to be able to set a diagnostic setting or log profile to stream to event hubs. For example, you might create an RBAC rule:

    # Start from the built-in Reader role and clear its Id so a new definition is created
    $role = Get-AzRoleDefinition "Reader"
    $role.Id = $null
    $role.Name = "Monitoring Event Hub Listener"
    $role.Description = "Can get the key to listen to an event hub streaming monitoring data."
    # Only the key-listing action plus read on the namespace itself
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.ServiceBus/namespaces/authorizationrules/listkeys/action")
    $role.Actions.Add("Microsoft.ServiceBus/namespaces/Read")
    # Assignable only on the single monitoring namespace
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.ServiceBus/namespaces/mySBNameSpace")
    New-AzRoleDefinition -Role $role
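Step 1 above done from PowerShell instead of the portal, as an added example that is not part of the original article: create the Listen-only shared access policy on the monitoring event hub, check that it carries no Send or Manage rights before handing anything out, and fetch the hub-scoped connection string for the consumer. It uses the Az.EventHub cmdlets; the resource group and event hub name are assumptions, and the namespace name is taken from the article's scope example.

```powershell
# Added example (not from the original article). Names are placeholders.
$resourceGroup = "rg-monitoring"        # placeholder
$namespace     = "mySBNameSpace"        # namespace from the article's scope example
$eventHub      = "monitoring-logs"      # placeholder hub used by the diagnostic settings
$ruleName      = "monitoringReadOnly"   # policy name suggested in the article

# Create the policy at event hub scope (not namespace scope) with Listen only.
$rule = New-AzEventHubAuthorizationRule -ResourceGroupName $resourceGroup `
    -NamespaceName $namespace -EventHubName $eventHub `
    -Name $ruleName -Rights @("Listen")

# Refuse to continue if the rule carries anything beyond Listen.
$extra = @($rule.Rights | Where-Object { $_ -ne "Listen" })
if ($extra.Count -gt 0) {
    throw "Rule '$ruleName' carries rights beyond Listen: $($rule.Rights -join ', ')"
}

# The hub-scoped connection string is what the consumer gets. It cannot send
# to the hub or manage the namespace, and it is what you hand out in step 1.
$keys = Get-AzEventHubKey -ResourceGroupName $resourceGroup -NamespaceName $namespace `
    -EventHubName $eventHub -Name $ruleName
$listenConnectionString = $keys.PrimaryConnectionString

# When the consumer is rotated out, regenerate the key rather than deleting the rule:
# New-AzEventHubKey -ResourceGroupName $resourceGroup -NamespaceName $namespace `
#     -EventHubName $eventHub -Name $ruleName -RegenerateKey PrimaryKey
```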

Monitoring within a secured Virtual Network

Azure Monitor needs access to your Azure resources to provide the services you enable. If you would like to monitor your Azure resources while still securing them from access from the public Internet, you can enable the following settings.

Secured Storage Accounts

Monitoring data is often written to a storage account. You may want to make sure that the data copied to a storage account cannot be accessed by unauthorized users. For additional security, you can lock down network access so that only your authorized resources and trusted Microsoft services can reach a storage account, by restricting the storage account to use "selected networks". Azure Monitor is considered one of these "trusted Microsoft services". If you allow trusted Microsoft services to access your secured storage, Azure Monitor will have access to your secured storage account, enabling Azure Monitor resource logs, the activity log, and metrics to be written to your storage account under these protected conditions. This will also enable Log Analytics to read logs from secured storage.

For more information, see Network security and Azure Storage.
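The "selected networks" configuration described above, as an added example that is not part of the original article: deny the monitoring storage account by default, let trusted Microsoft services (which include Azure Monitor) bypass the rule, allow one virtual network subnet, and then verify the resulting rule set. The resource group, account, and subnet ids are assumptions, and the subnet is assumed to already have the Microsoft.Storage service endpoint enabled.

```powershell
# Added example (not from the original article). Names are placeholders.
$resourceGroup  = "rg-monitoring"       # placeholder
$storageAccount = "stmonitoringlogs"    # placeholder
$subnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network" +
            "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-monitoring"  # placeholder

# 1. Default to Deny and allow only trusted Microsoft services to bypass the rule set.
#    This is the "selected networks" setting from the portal dialog.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup -Name $storageAccount `
    -DefaultAction Deny -Bypass AzureServices

# 2. Allow the subnet that hosts the authorized readers (for example a SIEM collector).
#    Assumption: the subnet has the Microsoft.Storage service endpoint enabled.
Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroup -Name $storageAccount `
    -VirtualNetworkResourceId $subnetId

# 3. Verify the effective rule set before trusting it.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup -Name $storageAccount
if ($ruleSet.DefaultAction -ne "Deny") {
    throw "Default action is '$($ruleSet.DefaultAction)'; the account is still open to all networks."
}
if ("$($ruleSet.Bypass)" -notmatch "AzureServices") {
    throw "Trusted Microsoft services are not bypassed; Azure Monitor will be unable to write."
}
"Allowed subnets:"
$ruleSet.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
"Allowed public IP ranges (should be empty or tightly scoped):"
$ruleSet.IpRules | Select-Object IPAddressOrRange, Action
```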

Next steps