Updated on 2025-05-23 GMT+08:00

Mandatory Governance Policies

Mandatory governance policies are owned by RGC. These policies are applied by default to every OU in your landing zone and cannot be disabled.

RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED

Name: The deletion of logging buckets is prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents deletion of OBS buckets created in the log archive account.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:DeleteBucket"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED

Name: Any changes to encryption for logging buckets are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the encryption configuration of OBS buckets created by RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutEncryptionConfiguration"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED

Name: Any lifecycle configuration changes to logging buckets are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents lifecycle configuration changes for the OBS buckets created in RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutLifecycleConfiguration"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED

Name: Any changes to logging configurations for logging buckets are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the logging configuration of OBS buckets created by RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutBucketLogging"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED

Name: Any changes to bucket policies for logging buckets are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents bucket policy changes (setting or deleting the bucket policy) for OBS buckets created by RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutBucketPolicy",
			"obs:bucket:DeleteBucketPolicy"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CES_CHANGE_PROHIBITED

Name: Any changes to Cloud Eye configured in RGC are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the Cloud Eye alarm configuration that RGC has set up for monitoring the environment.

{
	"Version": "5.0",
	"Statement": [{
			"Sid": "CES_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"ces:alarms:put*",
				"ces:alarms:delete*",
				"ces:alarms:addResources"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"StringMatch": {
					"g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule"
				}
			}
		},
		{
			"Sid": "CES_TAG_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"ces:tags:create"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"ForAnyValue:StringMatch": {
					"g:TagKeys": "rgcservice-managed"
				}
			}
		}
	]
}

RGC-GR_CONFIG_CHANGE_PROHIBITED

Name: Any changes to the Config recorder are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the Config recorder configuration.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "CONFIG_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"rms:trackerConfig:delete",
			"rms:trackerConfig:put"
		],
		"Resource": [
			"*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED

Name: Any changes to FunctionGraph functions configured in RGC are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the FunctionGraph function set up by RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"functiongraph:function:createFunction",
			"functiongraph:function:deleteFunction",
			"functiongraph:function:updateFunctionCode",
			"functiongraph:function:updateMaxInstanceConfig",
			"functiongraph:function:createVersion",
			"functiongraph:function:createEvent",
			"functiongraph:function:deleteEvent",
			"functiongraph:function:updateEvent",
			"functiongraph:function:updateReservedInstanceCount",
			"functiongraph:function:updateFunctionConfig"
		],
		"Resource": [
			"functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_SMN_CHANGE_PROHIBITED

Name: Any changes to SMN notifications configured in RGC are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to Simple Message Notification (SMN) topics configured in RGC.

{
	"Version": "5.0",
	"Statement": [{
			"Sid": "SMN_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"smn:topic:update*",
				"smn:topic:delete*"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"ForAnyValue:StringMatch": {
					"g:ResourceTag/rgcservice-managed": [
						"RGC-SecurityNotifications",
						"RGC-AllConfigNotifications",
						"RGC-AggregateSecurityNotifications"
					]
				}
			}
		},
		{
			"Sid": "SMN_TAG_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"smn:tag:create",
				"smn:tag:delete"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"ForAnyValue:StringMatch": {
					"g:TagKeys": "rgcservice-managed"
				}
			}
		}
	]
}

RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED

Name: Any changes to SMN subscriptions in RGC are prohibited.

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to SMN subscriptions configured in RGC. These subscriptions deliver notifications about Config rule compliance changes.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"smn:topic:subscribe",
			"smn:topic:deleteSubscription"
		],
		"Resource": [
			"*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			},
			"ForAnyValue:StringMatch": {
				"g:ResourceTag/rgcservice-managed": [
					"RGC-SecurityNotifications",
					"RGC-AllConfigNotifications",
					"RGC-AggregateSecurityNotifications"
				]
			}
		}
	}]
}

RGC-GR_CONFIG_CTS_TRACKER_EXISTS

Name: This policy is non-compliant if there are no CTS trackers in an account.

Implementation: Config rules

Behavior: detective

Function: This policy checks whether a CTS tracker exists in the account.

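terraform {
	required_providers {
		huaweicloud = {
			# Source aligned with the sibling listing on this page; the original
			# read "huaweie.com", which looks like a typo. Confirm against the
			# provider registry this deployment actually resolves from.
			source  = "huawei.com/provider/huaweicloud"
			# Minimum provider version for this rule. The sibling listing pins
			# "1.49.0" instead, so the two constraints do not agree.
			version = ">=1.51.0"
		}
	}
}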
provider "huaweicloud" {
	# NOTE(review): insecure = true skips TLS certificate verification on
	# provider API calls; confirm this is intended for the endpoint in use.
	insecure  = true
	# No endpoint overrides are given here.
	endpoints = {}
}
# Name used to look up the RMS policy definition (see the data block below).
variable "ConfigName" {
	type        = string
	default     = "cts-tracker-exists"
	description = "config name"
}
# Name given to the policy assignment created by this listing.
variable "PolicyAssignmentName" {
	type        = string
	default     = "rgc_cts_tracker_exists"
	description = "policy assignment name"
}
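# Description attached to the policy assignment.
variable "ConfigRuleDescription" {
	description = "config rule description"
	type        = string
	default     = "This policy is non-compliant if there are no CTS trackers in an account."
}
# To be updated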
# Region the policy applies to. No default is given, so a value must be
# supplied when the module is applied. NOTE(review): the resource in this
# listing does not reference var.RegionName; presumably kept for parity
# with the other listings — confirm.
variable "RegionName" {
	type        = string
	description = "policy region"
}
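# Looks up the RMS policy definition by name; the assignment below takes
# its id from definitions[0]. Block labels and the attribute value are on
# the same line as their `data` / `=` — HCL does not accept them split
# across lines as the original listing showed.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
	name = var.ConfigName
}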
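# Assigns the looked-up policy definition, evaluated on a 24-hour period.
# Labels and attribute values are joined onto one line each; HCL rejects
# a newline between a block type and its labels or directly after `=`.
resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
	name        = var.PolicyAssignmentName
	description = var.ConfigRuleDescription
	# try() falls back to "" when no definition matched var.ConfigName, so a
	# lookup miss is not reported at plan time.
	policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
	period               = "TwentyFour_Hours"
	status               = "Enabled"
}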

RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS

Name: This policy is non-compliant if a CTS tracker is not transferred to LTS.

Implementation: Config rules

Behavior: detective

Function: This policy checks whether CTS tracker data is transferred to LTS.

terraform {
	required_providers {
		huaweicloud = {
			# Exact version pin. The sibling listing on this page requires
			# ">=1.51.0" instead — the two constraints do not agree.
			version = "1.49.0"
			source  = "huawei.com/provider/huaweicloud"
		}
	}
}
provider "huaweicloud" {
	# NOTE(review): insecure = true skips TLS certificate verification on
	# provider API calls; confirm this is intended for the endpoint in use.
	insecure  = true
	# No endpoint overrides are given here.
	endpoints = {}
}
# Name used to look up the RMS policy definition (see the data block below).
variable "ConfigName" {
	type        = string
	default     = "cts-lts-enable"
	description = "config name"
}
# Base name of the policy assignment; the resource appends the region to it.
variable "PolicyAssignmentName" {
	type        = string
	default     = "rgc_cts_lts_enable"
	description = "policy assignment name"
}
# Description attached to the policy assignment.
variable "ConfigRuleDescription" {
	type        = string
	default     = "This policy is non-compliant if a CTS tracker is not transferred to LTS."
	description = "config rule description"
}
# Resource provider used in the assignment's policy_filter.
variable "ResourceProvider" {
	type        = string
	default     = "cts"
	description = "resource provider"
}
# Resource type used in the assignment's policy_filter.
variable "ResourceType" {
	type        = string
	default     = "trackers"
	description = "resource type"
}
# Region the policy applies to. No default is given, so a value must be
# supplied when the module is applied; it is used both in the assignment
# name and in policy_filter.region.
variable "RegionName" {
	type        = string
	description = "policy region"
}
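# Looks up the RMS policy definition by name; the assignment below takes
# its id from definitions[0]. Labels and the attribute value are kept on
# one line with `data` / `=` — HCL rejects the split the original showed.
data "huaweicloud_rms_policy_definitions" "ctsltsenable" {
	name = var.ConfigName
}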
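# Assigns the looked-up definition, scoped by policy_filter to
# var.ResourceProvider / var.ResourceType resources in var.RegionName;
# the assignment name carries the region as a suffix. Labels and
# attribute values are joined onto one line each, since HCL rejects a
# newline between a block type and its labels or directly after `=`.
resource "huaweicloud_rms_policy_assignment" "cts_lts_enable" {
	name        = format("%s_%s", var.PolicyAssignmentName, var.RegionName)
	description = var.ConfigRuleDescription
	# try() falls back to "" when no definition matched var.ConfigName, so a
	# lookup miss is not reported at plan time.
	policy_definition_id = try(data.huaweicloud_rms_policy_definitions.ctsltsenable.definitions[0].id, "")
	status               = "Enabled"
	# This rule takes no parameters.
	parameters = {}

	policy_filter {
		region            = var.RegionName
		resource_provider = var.ResourceProvider
		resource_type     = var.ResourceType
	}
}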