Overview of Governance Policies
Governance policies provide ongoing governance for your landing zone environment. They enable you to quickly detect risks in the landing zone from the management account, so that you can eliminate those risks in a timely manner and keep the entire landing zone compliant.
Behavior
- Preventive: Preventive governance policies explicitly deny certain actions from being taken. They are implemented by service control policies (SCPs). When a preventive governance policy is applied to a specified OU, all member accounts directly nested under this OU will inherit this policy.
- Detective: Detective governance policies identify non-compliant resource configurations and inform you of such resources. They are implemented by Config rules. You can view those non-compliant resources on the RGC console. When a detective governance policy is applied to a specified OU, all member accounts directly nested under this OU will inherit this policy.
- Proactive: Proactive governance policies check the resource configurations described in the IaC template before they are deployed. These policies are implemented by using ResourceFormation hooks. If any non-compliant configurations are found, the next operation using the template will be blocked.
Guidance
- Mandatory: These governance policies are always enforced in the core OU and core accounts after you enable RGC and set up a landing zone. These policies cannot be disabled.
- Strongly recommended: These governance policies are designed to enforce Huawei Cloud best practices for your multi-account environment. After setting up a landing zone, you are strongly advised to enable these policies.
- Elective: These governance policies are designed for cloud governance. You can enable these policies as needed.
Scenarios
- Establish logging and monitoring
- Enforce the least privilege
- Limit network access
- Encrypt data at rest
- Protect data integrity
- Protect configurations
- Optimize costs
- Encrypt data in transit
- Improve availability
- Manage vulnerabilities
- Use strong authentication
- Improving resiliency
- Manage secrets
- Prepare for disaster recovery
- Prepare for incident response
- Balance loads