必选控制策略
必选控制策略由RGC提供,且无法停用。这些控制策略将会自动应用于组织结构上的每个OU。
RGC-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED
名称:不允许更改RGC创建的Config聚合器
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "CONFIG_AGGREGATION_DELETE_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms:aggregators:delete", "rms:aggregationAuthorizations:delete" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "StringMatch": { "g:ResourceTag/rgcservice-managed": "RGC-*" } } }, { "Sid": "CONFIG_AGGREGATION_UPDATE_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms:aggregators:create", "rms:aggregators:update" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } } ] }
RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED
名称:不允许删除日志桶
实现:SCP
类型:预防性控制策略
功能:防止删除RGC在日志归档账号中创建的OBS桶。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:DeleteBucket" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
名称:不允许修改RGC创建的日志桶的加密配置
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutEncryptionConfiguration" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_CONFIG_TAG_CHANGE_PROHIBITED
名称:不允许更改RGC创建的Config标签
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "CONFIG_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms::tagResource", "rms::unTagResource" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } }] }
RGC-GR_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
名称:不允许修改RGC创建的日志桶的生命周期
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutLifecycleConfiguration" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
名称:不允许修改日志桶的桶日志配置
实现:SCP
类型:预防性控制策略
功能:防止修改RGC创建的日志桶的桶日志配置。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutBucketLogging" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
名称:不允许修改RGC创建的日志桶的桶策略
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutBucketPolicy", "obs:bucket:DeleteBucketPolicy" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_CES_CHANGE_PROHIBITED
名称:不允许对RGC配置的CES进行更改
实现:SCP
类型:预防性控制策略
功能:防止更改RGC为监控环境而设置的CES配置。
{ "Version": "5.0", "Statement": [{ "Sid": "CES_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "ces:alarms:put*", "ces:alarms:delete*", "ces:alarms:addResources" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "StringMatch": { "g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule" } } }, { "Sid": "CES_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "ces:tags:create" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } } ] }
RGC-GR_CONFIG_CHANGE_PROHIBITED
名称:不允许更改Config记录器
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "CONFIG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms:trackerConfig:delete", "rms:trackerConfig:put" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_IAM_ROLE_CHANGE_PROHIBITED
名称:不允许更改RGC在搭建Landing Zone时创建的IAM委托
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "IAM_ROLE_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "iam:agencies:attachPolicy*", "iam:agencies:detachPolicy*", "iam:agencies:create*", "iam:agencies:update*", "iam:agencies:delete*", "iam:agencies:updateTrustPolicy*" ], "Resource": [ "iam::*:agency:RGC*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": [ "sts::*:assumed-agency:RGCServiceExecutionAgency/*", "sts::*:assumed-agency:OrganizationAccountAccessAgency/*" ] } } }] }
RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED
名称:不允许更改RGC创建的Config规则
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "CONFIG_RULE_UPDATE_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms:policyAssignments:create", "rms:policyAssignments:update" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } }, { "Sid": "CONFIG_RULE_DELETE_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms:policyAssignments:delete" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "StringMatch": { "g:ResourceTag/rgcservice-managed": "RGC-*" } } } ] }
RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED
名称:不允许修改RGC设置的FunctionGraph函数
实现:SCP
类型:预防性控制策略
功能:不允许更改RGC设置的FunctionGraph函数。
{ "Version": "5.0", "Statement": [{ "Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "functiongraph:function:createFunction", "functiongraph:function:deleteFunction", "functiongraph:function:updateFunctionCode", "functiongraph:function:updateMaxInstanceConfig", "functiongraph:function:createVersion", "functiongraph:function:createEvent", "functiongraph:function:deleteEvent", "functiongraph:function:updateEvent", "functiongraph:function:updateReservedInstanceCount", "functiongraph:function:updateFunctionConfig" ], "Resource": [ "functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_SMN_CHANGE_PROHIBITED
名称:不允许修改RGC设置的SMN主题
实现:SCP
类型:预防性控制策略
功能:防止更改RGC设置的SMN通知设置。
{ "Version": "5.0", "Statement": [{ "Sid": "SMN_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "smn:topic:update*", "smn:topic:delete*" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:ResourceTag/rgcservice-managed": [ "RGC-SecurityNotifications", "RGC-AllConfigNotifications", "RGC-AggregateSecurityNotifications" ] } } }, { "Sid": "SMN_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "smn:tag:create", "smn:tag:delete" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } } ] }
RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED
名称:不允许修改RGC设置的SMN订阅
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "smn:topic:subscribe", "smn:topic:deleteSubscription" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "StringMatch": { "g:ResourceTag/rgcservice-managed": "RGC-*" } } }] }
RGC-GR_LTS_CHANGE_PROHIBITED
名称:不允许更改RGC创建的LTS的配置
实现:SCP
类型:预防性控制策略
{ "Version": "5.0", "Statement": [{ "Sid": "LOG_GROUP_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "lts:logGroup:deleteLogGroup", "lts:logGroup:updateLogGroup" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "StringMatch": { "g:ResourceTag/rgcservice-managed": "RGC-*" } } }, { "Sid": "LOG_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "lts:tag:create", "lts:tag:delete" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } } ] }
RGC-GR_CONFIG_CTS_TRACKER_EXISTS
名称:账号未创建CTS追踪器,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测账号中是否创建CTS追踪器。
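# RGC-GR_CONFIG_CTS_TRACKER_EXISTS: assigns the "cts-tracker-exists" Config
# rule so that an account without a CTS tracker is reported as noncompliant.
terraform {
  required_providers {
    huaweicloud = {
      # Provider source aligned with the other control templates on this page
      # ("huawei.com/..."); the original read "huaweie.com", which looks like a typo.
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification for the
  # provider's API endpoints. Kept as in the original template; confirm it is
  # actually required for the target endpoints before applying this broadly.
  insecure = true
}

# Name of the built-in Config policy definition to look up.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-tracker-exists"
}

# Name of the policy assignment created in the account.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_tracker_exists"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "账号未创建CTS追踪器,视为“不合规”"
}

# TODO: to be completed (original note: 待补充). Declared for interface parity
# with the regional templates; not referenced by the resources below.
variable "RegionName" {
  description = "policy region"
  type        = string
}

data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = var.PolicyAssignmentName
  description = var.ConfigRuleDescription
  # Falls back to "" when no definition matches ConfigName; the apply then fails
  # on the assignment rather than on the lookup, so check ConfigName first.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  # Periodic evaluation; this rule has no resource-scoped policy_filter.
  period = "TwentyFour_Hours"
  status = "Enabled"

  # Tag the assignment like the OBS bucket checks on this page do: the
  # RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED SCP only denies update/deletion of
  # policy assignments carrying the rgcservice-managed tag (value "RGC-*"),
  # so an untagged assignment would not be protected by it.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}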
RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS
名称:CTS追踪器未转储到LTS,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测CTS追踪器是否已转储到LTS。
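# RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS: assigns the "cts-lts-enable"
# Config rule so that a CTS tracker not dumping to LTS is reported as noncompliant.
terraform {
  required_providers {
    huaweicloud = {
      source = "huawei.com/provider/huaweicloud"
      # NOTE(review): pinned to exactly 1.49.0 while the other templates on this
      # page require >=1.51.0 — confirm the intended constraint.
      version = "1.49.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification for the
  # provider's API endpoints. Kept as in the original template; confirm it is
  # actually required for the target endpoints before applying this broadly.
  insecure = true
}

# Name of the built-in Config policy definition to look up.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-lts-enable"
}

# Base name of the assignment; the region is appended below.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_lts_enable"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "CTS追踪器未转储到LTS,视为“不合规”"
}

# Resource scope evaluated by the rule: cts / trackers.
variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "cts"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "trackers"
}

# Region the assignment is scoped to (no default: must be supplied).
variable "RegionName" {
  description = "policy region"
  type        = string
}

data "huaweicloud_rms_policy_definitions" "ctsltsenable" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "cts_lts_enable" {
  name        = format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description = var.ConfigRuleDescription
  # Falls back to "" when no definition matches ConfigName; the apply then fails
  # on the assignment rather than on the lookup, so check ConfigName first.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.ctsltsenable.definitions[0].id, "")
  status               = "Enabled"
  parameters           = {}

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  # Tag the assignment like the OBS bucket checks on this page do: the
  # RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED SCP only denies update/deletion of
  # policy assignments carrying the rgcservice-managed tag (value "RGC-*"),
  # so an untagged assignment would not be protected by it.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}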
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK
名称:桶可以被公开读,视为“不合规”
实现:Config rule
类型:检测性控制策略
# RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK: assigns the
# "obs-bucket-public-read-policy-check" Config rule to flag publicly readable buckets.
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification for the
  # provider's API endpoints. Kept as in the original template; confirm it is
  # actually required for the target endpoints before applying this broadly.
  insecure = true
}

# ---- Inputs -----------------------------------------------------------------

variable "RegionName" {
  description = "policy region"
  type        = string
}

# When true the assignment name is not suffixed with the region.
variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-read-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_read_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "A obs bucket is noncompliant if it can be read publicly."
}

# Resource scope evaluated by the rule: obs / buckets.
variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

locals {
  # Global resources get the bare assignment name; regional ones carry a region suffix.
  assignment_name = var.IsGlobalResource ? var.PolicyAssignmentName : "${var.PolicyAssignmentName}_${var.RegionName}"
}

# ---- Resources --------------------------------------------------------------

data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # Empty string when no definition matches ConfigName (the apply then fails on the assignment).
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  # The rgcservice-managed tag is what the RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED
  # SCP keys on to deny changes to this assignment.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK
名称:桶可以被公开写,视为“不合规”
实现:Config rule
类型:检测性控制策略
# RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK: assigns the
# "obs-bucket-public-write-policy-check" Config rule to flag publicly writable buckets.
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification for the
  # provider's API endpoints. Kept as in the original template; confirm it is
  # actually required for the target endpoints before applying this broadly.
  insecure = true
}

# ---- Inputs -----------------------------------------------------------------

variable "RegionName" {
  description = "policy region"
  type        = string
}

# When true the assignment name is not suffixed with the region.
variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-write-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_write_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "A bucket is noncompliant if it can be written publicly."
}

# Resource scope evaluated by the rule: obs / buckets.
variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

locals {
  # Global resources get the bare assignment name; regional ones carry a region suffix.
  assignment_name = var.IsGlobalResource ? var.PolicyAssignmentName : "${var.PolicyAssignmentName}_${var.RegionName}"
}

# ---- Resources --------------------------------------------------------------

data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # Empty string when no definition matches ConfigName (the apply then fails on the assignment).
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  # The rgcservice-managed tag is what the RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED
  # SCP keys on to deny changes to this assignment.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}