Mandatory Governance Policies
Mandatory governance policies are owned by RGC. They are applied by default to every OU in your landing zone and cannot be disabled.
RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED
Name: The deletion of logging buckets is prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents deletion of OBS buckets created in the log archive account.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:DeleteBucket"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
Name: Any changes to encryption for logging buckets are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to encryption for OBS buckets created in RGC.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutEncryptionConfiguration"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
Name: Any lifecycle configuration changes to logging buckets are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents lifecycle configuration changes for the OBS buckets created in RGC.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutLifecycleConfiguration"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
Name: Any changes to logging configurations for logging buckets are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents logging configuration changes for OBS buckets created in RGC.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutBucketLogging"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
Name: Any changes to bucket policies for logging buckets are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents policy changes for OBS buckets created in RGC.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutBucketPolicy", "obs:bucket:DeleteBucketPolicy"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_CES_CHANGE_PROHIBITED
Name: Any changes to Cloud Eye configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents configuration changes to Cloud Eye that RGC has configured for monitoring the environment.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CES_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["ces:alarms:put*", "ces:alarms:delete*", "ces:alarms:addResources"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule"
        }
      }
    },
    {
      "Sid": "CES_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["ces:tags:create"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
```
RGC-GR_CONFIG_CHANGE_PROHIBITED
Name: Any changes to the Config recorder are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents configuration changes to Config.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["rms:trackerConfig:delete", "rms:trackerConfig:put"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED
Name: Any changes to FunctionGraph functions configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to FunctionGraph set by RGC.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "functiongraph:function:createFunction",
        "functiongraph:function:deleteFunction",
        "functiongraph:function:updateFunctionCode",
        "functiongraph:function:updateMaxInstanceConfig",
        "functiongraph:function:createVersion",
        "functiongraph:function:createEvent",
        "functiongraph:function:deleteEvent",
        "functiongraph:function:updateEvent",
        "functiongraph:function:updateReservedInstanceCount",
        "functiongraph:function:updateFunctionConfig"
      ],
      "Resource": ["functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
```
RGC-GR_SMN_CHANGE_PROHIBITED
Name: Any changes to SMN notifications configured in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to Simple Message Notification (SMN) topics configured in RGC.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "SMN_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["smn:topic:update*", "smn:topic:delete*"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:ResourceTag/rgcservice-managed": [
            "RGC-SecurityNotifications",
            "RGC-AllConfigNotifications",
            "RGC-AggregateSecurityNotifications"
          ]
        }
      }
    },
    {
      "Sid": "SMN_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["smn:tag:create", "smn:tag:delete"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
```
RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED
Name: Any changes to SMN subscriptions in RGC are prohibited.
Implementation: SCPs
Behavior: preventive
Function: This policy prevents changes to the SMN subscriptions configured in RGC. These subscriptions trigger notifications when the compliance status of Config rules changes.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["smn:topic:subscribe", "smn:topic:deleteSubscription"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:ResourceTag/rgcservice-managed": [
            "RGC-SecurityNotifications",
            "RGC-AllConfigNotifications",
            "RGC-AggregateSecurityNotifications"
          ]
        }
      }
    }
  ]
}
```
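Every preventive SCP above has the same shape: a Deny on a narrow action set, scoped by resource pattern or by the rgcservice-managed tag, with a StringNotMatch exception for principals acting through RGCServiceExecutionAgency. The evaluator below is an added example (not RGC's or Huawei Cloud's own policy engine) that applies the deletion SCP and the Cloud Eye SCP from this page to constructed requests, so you can see which calls are blocked and why. The principal URNs, alarm identifier and tag values it is fed are constructed; treating '*' as the only wildcard and the handling of an absent condition key are assumptions.

```python
import re

RGC_AGENCY = "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
# Two SCPs copied from the page: the log-bucket deletion SCP and the two-statement Cloud Eye SCP.
BUCKET_DELETION_SCP = {"Version": "5.0", "Statement": [{
    "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED", "Effect": "Deny",
    "Action": ["obs:bucket:DeleteBucket"],
    "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
    "Condition": {"StringNotMatch": {"g:PrincipalUrn": RGC_AGENCY}}}]}
CES_SCP = {"Version": "5.0", "Statement": [
    {"Sid": "CES_CHANGE_PROHIBITED", "Effect": "Deny", "Resource": ["*"],
     "Action": ["ces:alarms:put*", "ces:alarms:delete*", "ces:alarms:addResources"],
     "Condition": {"StringNotMatch": {"g:PrincipalUrn": RGC_AGENCY},
                   "StringMatch": {"g:ResourceTag/rgcservice-managed":
                                   "RGC-ConfigComplianceChangeEventRule"}}},
    {"Sid": "CES_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Resource": ["*"],
     "Action": ["ces:tags:create"],
     "Condition": {"StringNotMatch": {"g:PrincipalUrn": RGC_AGENCY},
                   "ForAnyValue:StringMatch": {"g:TagKeys": "rgcservice-managed"}}}]}

def _glob(pattern, value):
    """Policy-style matching: '*' matches any run of characters (assumed to be the only wildcard)."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _any_glob(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(_glob(p, value) for p in patterns)

def _condition_holds(operator, key, patterns, context):
    """One condition entry. Assumption: an absent key fails positive operators
    and satisfies negative ones, as in AWS-style policy evaluation."""
    value = context.get(key)
    if operator == "StringMatch":
        return value is not None and _any_glob(patterns, value)
    if operator == "StringNotMatch":
        return value is None or not _any_glob(patterns, value)
    if operator == "ForAnyValue:StringMatch":  # key holds a list, e.g. g:TagKeys
        return any(_any_glob(patterns, v) for v in (value or []))
    raise ValueError(f"unsupported condition operator: {operator}")

def is_denied(scp, action, resource, context):
    """True if any Deny statement matches the action, the resource and every condition."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not (_any_glob(stmt["Action"], action) and _any_glob(stmt["Resource"], resource)):
            continue
        if all(_condition_holds(op, key, pats, context)
               for op, entries in stmt.get("Condition", {}).items()
               for key, pats in entries.items()):
            return True
    return False
```

Feed it the request context your audit log records (principal URN, resource tags, tag keys) to confirm an unexpected AccessDenied really came from one of these mandatory SCPs rather than from an identity policy.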
RGC-GR_CONFIG_CTS_TRACKER_EXISTS
Name: This policy is non-compliant if there are no CTS trackers in an account.
Implementation: Config rules
Behavior: detective
Function: This policy checks whether a CTS tracker is created in an account.
```hcl
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  insecure  = true # trusts self-signed certificates (TLS verification skipped)
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-tracker-exists"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_tracker_exists"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "This policy is non-compliant if there are no CTS trackers in an account."
} # To be updated

variable "RegionName" {
  description = "policy region"
  type        = string
}

# Look up the built-in Config policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

# Assign the definition as a periodic (24-hour) detective rule.
resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name                 = var.PolicyAssignmentName
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  period               = "TwentyFour_Hours"
  status               = "Enabled"
}
```
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK
Name: This policy is non-compliant if an OBS bucket allows public read.
Implementation: Config rules
Behavior: detective
Function: This policy checks whether an OBS bucket allows public read.
```hcl
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  insecure  = true # trusts self-signed certificates (TLS verification skipped)
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-read-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_read_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "This policy is non-compliant if an OBS bucket allows public read."
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

variable "RegionName" {
  description = "policy region"
  type        = string
}

variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

# Look up the built-in Config policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

# Assign the definition as a change-triggered rule scoped to OBS buckets in one region.
resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name                 = var.IsGlobalResource ? format("%s", var.PolicyAssignmentName) : format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }
}
```
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK
Name: This policy is non-compliant if an OBS bucket allows public write.
Implementation: Config rules
Behavior: detective
Function: This policy checks whether an OBS bucket allows public write.
```hcl
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  insecure  = true # trusts self-signed certificates (TLS verification skipped)
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-write-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_write_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "This policy is non-compliant if an OBS bucket allows public write."
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

variable "RegionName" {
  description = "policy region"
  type        = string
}

variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

# Look up the built-in Config policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

# Assign the definition as a change-triggered rule scoped to OBS buckets in one region.
resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name                 = var.IsGlobalResource ? format("%s", var.PolicyAssignmentName) : format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description          = var.ConfigRuleDescription
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }
}
```