Mandatory Governance Policies
Mandatory governance policies are owned by RGC. They are applied by default to every OU in your landing zone and cannot be disabled.
RGC-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED
Name: Any changes to Config aggregators created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_AGGREGATION_DELETE_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms:aggregators:delete",
        "rms:aggregationAuthorizations:delete"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-*"
        }
      }
    },
    {
      "Sid": "CONFIG_AGGREGATION_UPDATE_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms:aggregators:create",
        "rms:aggregators:update"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED
Name: The deletion of logging buckets is prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents deletion of OBS buckets created in the log archive account.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:DeleteBucket"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
Name: Any changes to encryption for logging buckets created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutEncryptionConfiguration"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CONFIG_TAG_CHANGE_PROHIBITED
Name: Any changes to Config tags created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms::tagResource",
        "rms::unTagResource"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
RGC-GR_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
Name: Any changes to lifecycle for logging buckets created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutLifecycleConfiguration"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
Name: Any changes to logging configurations for logging buckets are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents logging configuration changes for OBS buckets created in RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutBucketLogging"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
Name: Any changes to bucket policies for logging buckets created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "obs:bucket:PutBucketPolicy",
        "obs:bucket:DeleteBucketPolicy"
      ],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CES_CHANGE_PROHIBITED
Name: Any changes to Cloud Eye configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to the Cloud Eye alarm configuration that RGC set up to monitor the environment.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CES_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "ces:alarms:put*",
        "ces:alarms:delete*",
        "ces:alarms:addResources"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule"
        }
      }
    },
    {
      "Sid": "CES_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["ces:tags:create"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
RGC-GR_CONFIG_CHANGE_PROHIBITED
Name: Any changes to the Config recorder are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms:trackerConfig:delete",
        "rms:trackerConfig:put"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_IAM_ROLE_CHANGE_PROHIBITED
Name: Any changes to the IAM agency created in RGC during the setup of a landing zone are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "IAM_ROLE_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "iam:agencies:attachPolicy*",
        "iam:agencies:detachPolicy*",
        "iam:agencies:create*",
        "iam:agencies:update*",
        "iam:agencies:delete*",
        "iam:agencies:updateTrustPolicy*"
      ],
      "Resource": ["iam::*:agency:RGC*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": [
            "sts::*:assumed-agency:RGCServiceExecutionAgency/*",
            "sts::*:assumed-agency:OrganizationAccountAccessAgency/*"
          ]
        }
      }
    }
  ]
}
RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED
Name: Any changes to Config rules created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_RULE_UPDATE_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms:policyAssignments:create",
        "rms:policyAssignments:update"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    },
    {
      "Sid": "CONFIG_RULE_DELETE_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["rms:policyAssignments:delete"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-*"
        }
      }
    }
  ]
}
RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED
Name: Any changes to FunctionGraph functions configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to the FunctionGraph function set up by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "functiongraph:function:createFunction",
        "functiongraph:function:deleteFunction",
        "functiongraph:function:updateFunctionCode",
        "functiongraph:function:updateMaxInstanceConfig",
        "functiongraph:function:createVersion",
        "functiongraph:function:createEvent",
        "functiongraph:function:deleteEvent",
        "functiongraph:function:updateEvent",
        "functiongraph:function:updateReservedInstanceCount",
        "functiongraph:function:updateFunctionConfig"
      ],
      "Resource": ["functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_SMN_CHANGE_PROHIBITED
Name: Any changes to SMN topics configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to the Simple Message Notification (SMN) topics configured in RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "SMN_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "smn:topic:update*",
        "smn:topic:delete*"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:ResourceTag/rgcservice-managed": [
            "RGC-SecurityNotifications",
            "RGC-AllConfigNotifications",
            "RGC-AggregateSecurityNotifications"
          ]
        }
      }
    },
    {
      "Sid": "SMN_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "smn:tag:create",
        "smn:tag:delete"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED
Name: Any changes to SMN subscriptions configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "smn:topic:subscribe",
        "smn:topic:deleteSubscription"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-*"
        }
      }
    }
  ]
}
RGC-GR_LTS_CHANGE_PROHIBITED
Name: Any changes to LTS configurations created in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "LOG_GROUP_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "lts:logGroup:deleteLogGroup",
        "lts:logGroup:updateLogGroup"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-*"
        }
      }
    },
    {
      "Sid": "LOG_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "lts:tag:create",
        "lts:tag:delete"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
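All of the preventive SCPs above follow one shape: a Deny on a set of actions and a resource pattern, a StringNotMatch on g:PrincipalUrn that exempts RGC's own execution agency, and (where the resource pattern alone is too broad) a StringMatch on g:ResourceTag/rgcservice-managed or a ForAnyValue:StringMatch on g:TagKeys that narrows the deny to RGC-managed resources. The Python script below is an added example, not part of the RGC documentation and not a Huawei Cloud SDK or policy engine: it is a simplified evaluator whose matching rules (glob wildcards, an unset tag yielding no values, any applicable Deny blocking the request) are assumptions of the model, and the principal and resource URNs it feeds in are constructed placeholders. It runs two of the policies above against sample requests so the effect of each condition can be seen.

```python
"""Simplified evaluator for the Deny-only SCPs listed above: an added teaching
model, not the cloud provider's policy engine. Assumed semantics: '*' is a glob
wildcard; a Deny applies when Action, Resource and every Condition entry match;
StringNotMatch holds when no context value matches any pattern; StringMatch (with
or without the ForAnyValue: prefix) holds when at least one value does; an unset
g:ResourceTag/<key> yields no values."""
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Request:
    principal: str                                     # g:PrincipalUrn
    action: str
    resource: str
    resource_tags: dict = field(default_factory=dict)  # tags already on the resource
    tag_keys: tuple = ()                               # tag keys the request sets/removes

RGC_AGENCY = "sts::*:assumed-agency:RGCServiceExecutionAgency/*"

# Two policies whose content is copied from the page.
BUCKET_SCP = {"Version": "5.0", "Statement": [{
    "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED", "Effect": "Deny",
    "Action": ["obs:bucket:DeleteBucket"],
    "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
    "Condition": {"StringNotMatch": {"g:PrincipalUrn": RGC_AGENCY}}}]}

AGGREGATOR_SCP = {"Version": "5.0", "Statement": [
    {"Sid": "CONFIG_AGGREGATION_DELETE_CHANGE_PROHIBITED", "Effect": "Deny",
     "Action": ["rms:aggregators:delete", "rms:aggregationAuthorizations:delete"],
     "Resource": ["*"],
     "Condition": {"StringNotMatch": {"g:PrincipalUrn": RGC_AGENCY},
                   "StringMatch": {"g:ResourceTag/rgcservice-managed": "RGC-*"}}},
    {"Sid": "CONFIG_AGGREGATION_UPDATE_CHANGE_PROHIBITED", "Effect": "Deny",
     "Action": ["rms:aggregators:create", "rms:aggregators:update"],
     "Resource": ["*"],
     "Condition": {"StringNotMatch": {"g:PrincipalUrn": RGC_AGENCY},
                   "ForAnyValue:StringMatch": {"g:TagKeys": "rgcservice-managed"}}}]}

def _context_values(req, key):
    """Resolve a g:* condition key to the list of values present in the request."""
    if key == "g:PrincipalUrn":
        return [req.principal]
    if key == "g:TagKeys":
        return list(req.tag_keys)
    if key.startswith("g:ResourceTag/"):
        tag = key.split("/", 1)[1]
        return [req.resource_tags[tag]] if tag in req.resource_tags else []
    raise KeyError(f"unsupported condition key {key}")

def _any_match(values, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns)

def condition_holds(operator, key, patterns, req):
    base = operator.rpartition(":")[2]  # drops a ForAnyValue: set-operator prefix
    values = _context_values(req, key)
    if base == "StringMatch":
        return _any_match(values, patterns)
    if base == "StringNotMatch":
        return not _any_match(values, patterns)
    raise ValueError(f"unsupported operator {operator}")

def statement_applies(stmt, req):
    """True when this Deny statement matches the action, the resource and every condition."""
    return (stmt["Effect"] == "Deny"
            and _any_match([req.action], stmt["Action"])
            and _any_match([req.resource], stmt["Resource"])
            and all(condition_holds(op, key, pat, req)
                    for op, entries in stmt.get("Condition", {}).items()
                    for key, pat in entries.items()))

def evaluate(policy, req):
    """Sid of the first applicable Deny, or None when this SCP does not block the request."""
    for stmt in policy["Statement"]:
        if statement_applies(stmt, req):
            return stmt["Sid"]
    return None

# Constructed sample principals and resources; the URN layouts are illustrative only.
OPERATOR = "iam::EXAMPLE-ACCOUNT:user:alice"
RGC_SESSION = "sts::EXAMPLE-ACCOUNT:assumed-agency:RGCServiceExecutionAgency/run-1"
LOG_BUCKET = "obs:cn-north-4::bucket:rgcservice-managed-EXAMPLE-logs-audit"
AGGREGATOR = "rms:cn-north-4:EXAMPLE-ACCOUNT:aggregator:agg-1"

def run_demo():
    """Evaluate constructed requests; returns {case name: denying Sid or None}."""
    cases = [
        ("operator deletes log bucket", BUCKET_SCP, Request(OPERATOR, "obs:bucket:DeleteBucket", LOG_BUCKET)),
        ("RGC agency deletes log bucket", BUCKET_SCP, Request(RGC_SESSION, "obs:bucket:DeleteBucket", LOG_BUCKET)),
        ("operator deletes own bucket", BUCKET_SCP,
         Request(OPERATOR, "obs:bucket:DeleteBucket", "obs:cn-north-4::bucket:team-data")),
        ("operator deletes RGC-tagged aggregator", AGGREGATOR_SCP,
         Request(OPERATOR, "rms:aggregators:delete", AGGREGATOR, {"rgcservice-managed": "RGC-Aggregator"})),
        ("operator deletes untagged aggregator", AGGREGATOR_SCP, Request(OPERATOR, "rms:aggregators:delete", AGGREGATOR)),
        ("operator creates aggregator with RGC tag key", AGGREGATOR_SCP,
         Request(OPERATOR, "rms:aggregators:create", AGGREGATOR, tag_keys=("rgcservice-managed",))),
        ("operator creates aggregator with own tag key", AGGREGATOR_SCP,
         Request(OPERATOR, "rms:aggregators:create", AGGREGATOR, tag_keys=("env",))),
    ]
    return {name: evaluate(policy, req) for name, policy, req in cases}

if __name__ == "__main__":
    for name, sid in run_demo().items():
        print(f"{name:46s} -> {'DENY ' + sid if sid else 'not blocked by this SCP'}")
```

Two things the run makes visible: a Deny on Resource "*" is only as narrow as its tag condition, so the aggregator SCP leaves an untagged aggregator alone while a tagged one is protected; and the g:TagKeys variant blocks the act of applying the rgcservice-managed key itself, which is what stops a principal from re-tagging a resource into, or out of, RGC's protected set.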
RGC-GR_CONFIG_CTS_TRACKER_EXISTS
Name: This policy is non-compliant if there are no CTS trackers in an account.
Implementation: Config rules
Behavior: detective
Function: This policy checks whether a CTS tracker is created in an account.
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # insecure = true accepts self-signed or otherwise unverifiable TLS certificates from the endpoint
  insecure  = true
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-tracker-exists"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_tracker_exists"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "This policy is non-compliant if there are no CTS trackers in an account."
}

# To be updated
variable "RegionName" {
  description = "policy region"
  type        = string
}

data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name                 = var.PolicyAssignmentName
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  period               = "TwentyFour_Hours"
  status               = "Enabled"
}
RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS
Name: This policy is non-compliant if a CTS tracker is not transferred to LTS.
Implementation: Config rules
Behavior: detective
Function: This policy checks whether a CTS tracker is transferred to LTS.
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = "1.49.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # insecure = true accepts self-signed or otherwise unverifiable TLS certificates from the endpoint
  insecure  = true
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-lts-enable"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_lts_enable"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "This policy is non-compliant if a CTS tracker is not transferred to LTS."
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "cts"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "trackers"
}

variable "RegionName" {
  description = "policy region"
  type        = string
}

data "huaweicloud_rms_policy_definitions" "ctsltsenable" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "cts_lts_enable" {
  name                 = format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.ctsltsenable.definitions[0].id, "")
  status               = "Enabled"
  parameters           = {}

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }
}
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK
Name: This policy is non-compliant if an OBS bucket allows public read.
Implementation: Config rules
Behavior: detective
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # insecure = true accepts self-signed or otherwise unverifiable TLS certificates from the endpoint
  insecure  = true
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-read-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_read_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "A obs bucket is noncompliant if it can be read publicly."
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

variable "RegionName" {
  description = "policy region"
  type        = string
}

variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  # Global resources get a single assignment; regional ones are suffixed with the region
  name                 = var.IsGlobalResource ? format("%s", var.PolicyAssignmentName) : format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK
Name: This policy is non-compliant if an OBS bucket allows public write.
Implementation: Config rules
Behavior: detective
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # insecure = true accepts self-signed or otherwise unverifiable TLS certificates from the endpoint
  insecure  = true
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-write-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_write_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "A bucket is noncompliant if it can be written publicly."
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

variable "RegionName" {
  description = "policy region"
  type        = string
}

variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  # Global resources get a single assignment; regional ones are suffixed with the region
  name                 = var.IsGlobalResource ? format("%s", var.PolicyAssignmentName) : format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}