Updated on 2024-05-24 GMT+08:00

Overview of Governance Policies

Governance policies provide ongoing governance for your landing zone environment. They enable you to quickly detect risks in the landing zone from the management account. In this way, you can eliminate the risks and maintain the landing zone in a timely manner to ensure compliance across the landing zone.

Behavior

  • Preventive: Preventive governance policies explicitly deny certain actions from being taken. They are implemented by SCPs. When a preventive governance policy is applied to a specified OU, all directly nested member accounts under this OU will inherit this policy.
  • Detective: Detective governance policies identify non-compliant resource configurations and inform you of such resources when they are discovered. They are implemented by Config rules. You can view these resources on the RGC console. When a detective governance policy is applied to a specified OU, all directly nested member accounts under this OU will inherit this policy.
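The following is an added illustration of the two behaviours described above; it is not Huawei Cloud RGC code and does not use the real SCP or Config rule syntax. It models a preventive policy as an SCP-style explicit deny list inherited by the directly nested accounts of an OU, and a detective policy as a rule function run over a resource inventory that reports non-compliant resources. All OU names, account names, action names and resources are constructed for the example.

```python
"""Toy model of preventive (explicit deny) and detective (non-compliance
reporting) governance policies. Constructed example, not RGC code; OU,
account, action and resource names are invented for illustration."""
from dataclasses import dataclass, field


@dataclass
class PreventivePolicy:
    """Explicitly denies the listed actions for every account that inherits it."""
    name: str
    denied_actions: frozenset


@dataclass
class OU:
    name: str
    policies: list = field(default_factory=list)   # governance policies applied to this OU
    accounts: list = field(default_factory=list)   # directly nested member accounts


def effective_denies(ous, account):
    """Union of denied actions from every OU in which the account is a direct member.
    Mirrors the text: a policy applied to an OU is inherited by its directly
    nested member accounts (deeper OU nesting is not modelled here)."""
    denied = set()
    for ou in ous:
        if account in ou.accounts:
            for policy in ou.policies:
                denied |= policy.denied_actions
    return denied


def evaluate_action(ous, account, action):
    """Preventive behaviour: an explicit deny always wins; anything not denied
    is left to the account's ordinary permission checks."""
    return "DENY" if action in effective_denies(ous, account) else "ALLOW"


def scan(resources, rules):
    """Detective behaviour: run every rule over the inventory and return
    (rule_name, resource_id) pairs for resources that fail the rule."""
    findings = []
    for rule_name, rule in rules.items():
        for resource in resources:
            if not rule(resource):
                findings.append((rule_name, resource["id"]))
    return findings


# --- constructed sample organization and inventory -------------------------
CORE_OU = OU(
    "Core",
    policies=[PreventivePolicy("deny-log-tampering",
                               frozenset({"logging:stopLogging", "audit:deleteTrail"}))],
    accounts=["log-archive", "audit"],
)
WORKLOAD_OU = OU(
    "Workloads",
    policies=[PreventivePolicy("deny-disable-encryption",
                               frozenset({"storage:disableEncryption"}))],
    accounts=["app-prod"],
)
ORG = [CORE_OU, WORKLOAD_OU]

RESOURCES = [  # constructed inventory a detective rule would evaluate
    {"id": "bucket-a", "type": "bucket", "encrypted": True, "public": False},
    {"id": "bucket-b", "type": "bucket", "encrypted": False, "public": True},
    {"id": "vol-1", "type": "volume", "encrypted": True},
]

RULES = {
    "storage-encrypted-at-rest": lambda r: r.get("encrypted", False),
    "no-public-buckets": lambda r: r["type"] != "bucket" or not r.get("public", False),
}

if __name__ == "__main__":
    # Core accounts inherit the logging deny; a workload account does not.
    print(evaluate_action(ORG, "audit", "audit:deleteTrail"))      # DENY
    print(evaluate_action(ORG, "app-prod", "audit:deleteTrail"))   # ALLOW
    for finding in scan(RESOURCES, RULES):
        print("non-compliant:", finding)
```

The point the model makes explicit is the difference in timing: the preventive check answers before an action happens and needs no inventory, while the detective scan only surfaces drift after a resource already exists, so the finding still has to be remediated by the management account.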

Guidance

  • Mandatory governance policies are always enforced in the core OU and core accounts after you enable RGC and set up a landing zone. These policies cannot be disabled.
  • Strongly recommended governance policies are designed to enforce Huawei Cloud best practices for multi-account environments. After setting up a landing zone, you are strongly advised to enable these policies.
  • Elective governance policies are designed for cloud governance. You can enable these policies as needed.

Scenarios

  • Establishing logging and monitoring
  • Enforcing the least privilege
  • Limiting network access
  • Encrypting data at rest
  • Protecting data integrity
  • Protecting configurations
  • Optimizing costs