Updated on 2024-05-24 GMT+08:00

Mandatory Governance Policies

Mandatory governance policies are owned by RGC. These policies are applied by default to every OU in your landing zone, and they cannot be disabled. Each policy denies the listed actions to every principal except RGC's own service execution agency, which the Condition on g:PrincipalUrn exempts.

RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents deletion of OBS buckets created in the log archive account.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:DeleteBucket"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to encryption for OBS buckets created in RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutEncryptionConfiguration"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents lifecycle configuration changes for the OBS buckets created in RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutLifecycleConfiguration"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents logging configuration changes for OBS buckets created in RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutBucketLogging"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents policy changes for OBS buckets created in RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"obs:bucket:PutBucketPolicy",
			"obs:bucket:DeleteBucketPolicy"
		],
		"Resource": [
			"obs:*::bucket:rgcservice-managed-*-logs-*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CES_CHANGE_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents configuration changes to Cloud Eye that RGC has configured for monitoring the environment.

{
	"Version": "5.0",
	"Statement": [{
			"Sid": "CES_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"ces:alarms:put*",
				"ces:alarms:delete*",
				"ces:alarms:addResources"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"StringMatch": {
					"g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule"
				}
			}
		},
		{
			"Sid": "CES_TAG_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"ces:tags:create"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"ForAnyValue:StringMatch": {
					"g:TagKeys": "rgcservice-managed"
				}
			}
		}
	]
}

RGC-GR_CONFIG_CHANGE_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents configuration changes to Config.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "CONFIG_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"rms:trackerConfig:delete",
			"rms:trackerConfig:put"
		],
		"Resource": [
			"*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_CONFIG_ENABLED

Implementation: SCPs

Behavior: preventive

Function: This policy keeps Config enabled in all available regions by denying changes to the Config tracker. Note that the policy document shown below is identical to that of RGC-GR_CONFIG_CHANGE_PROHIBITED, including its Sid.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "CONFIG_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"rms:trackerConfig:delete",
			"rms:trackerConfig:put"
		],
		"Resource": [
			"*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the FunctionGraph function set up by RGC.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"functiongraph:function:createFunction",
			"functiongraph:function:deleteFunction",
			"functiongraph:function:updateFunctionCode",
			"functiongraph:function:updateMaxInstanceConfig",
			"functiongraph:function:createVersion",
			"functiongraph:function:createEvent",
			"functiongraph:function:deleteEvent",
			"functiongraph:function:updateEvent",
			"functiongraph:function:updateReservedInstanceCount",
			"functiongraph:function:updateFunctionConfig"
		],
		"Resource": [
			"functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			}
		}
	}]
}

RGC-GR_SMN_CHANGE_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the Simple Message Notification (SMN) topics configured in RGC.

{
	"Version": "5.0",
	"Statement": [{
			"Sid": "SMN_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"smn:topic:update*",
				"smn:topic:delete*"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"ForAnyValue:StringMatch": {
					"g:ResourceTag/rgcservice-managed": [
						"RGC-SecurityNotifications",
						"RGC-AllConfigNotifications",
						"RGC-AggregateSecurityNotifications"
					]
				}
			}
		},
		{
			"Sid": "SMN_TAG_CHANGE_PROHIBITED",
			"Effect": "Deny",
			"Action": [
				"smn:tag:create",
				"smn:tag:delete"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotMatch": {
					"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
				},
				"ForAnyValue:StringMatch": {
					"g:TagKeys": "rgcservice-managed"
				}
			}
		}
	]
}

RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED

Implementation: SCPs

Behavior: preventive

Function: This policy prevents changes to the SMN subscriptions configured in RGC. These subscriptions trigger notifications when the compliance status of Config rules changes.

{
	"Version": "5.0",
	"Statement": [{
		"Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED",
		"Effect": "Deny",
		"Action": [
			"smn:topic:subscribe",
			"smn:topic:deleteSubscription"
		],
		"Resource": [
			"*"
		],
		"Condition": {
			"StringNotMatch": {
				"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
			},
			"ForAnyValue:StringMatch": {
				"g:ResourceTag/rgcservice-managed": [
					"RGC-SecurityNotifications",
					"RGC-AllConfigNotifications",
					"RGC-AggregateSecurityNotifications"
				]
			}
		}
	}]
}