必选控制策略
必选控制策略由RGC提供,且无法停用。这些控制策略将会自动应用于组织结构中的每个OU。
RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED
名称:不允许删除日志桶
实现:SCP
类型:预防性控制策略
功能:防止删除RGC在日志归档账号中创建的OBS桶。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:DeleteBucket" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
名称:不允许修改日志桶的加密配置
实现:SCP
类型:预防性控制策略
功能:防止对RGC创建的OBS桶的加密配置进行更改。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutEncryptionConfiguration" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
名称:不允许修改日志桶的生命周期
实现:SCP
类型:预防性控制策略
功能:防止对RGC创建的OBS桶的生命周期配置进行更改。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutLifecycleConfiguration" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
名称:不允许修改日志桶的桶日志配置
实现:SCP
类型:预防性控制策略
功能:防止对RGC创建的OBS桶的桶日志配置进行更改。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutBucketLogging" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
名称:不允许修改日志桶的桶策略
实现:SCP
类型:预防性控制策略
功能:防止对RGC创建的OBS桶的策略进行更改。
{ "Version": "5.0", "Statement": [{ "Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED", "Effect": "Deny", "Action": [ "obs:bucket:PutBucketPolicy", "obs:bucket:DeleteBucketPolicy" ], "Resource": [ "obs:*::bucket:rgcservice-managed-*-logs-*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_CES_CHANGE_PROHIBITED
名称:不允许对RGC配置的CES进行更改
实现:SCP
类型:预防性控制策略
功能:防止更改RGC为监控环境而设置的CES配置。
{ "Version": "5.0", "Statement": [{ "Sid": "CES_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "ces:alarms:put*", "ces:alarms:delete*", "ces:alarms:addResources" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "StringMatch": { "g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule" } } }, { "Sid": "CES_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "ces:tags:create" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } } ] }
RGC-GR_CONFIG_CHANGE_PROHIBITED
名称:不允许更改Config记录器
实现:SCP
类型:预防性控制策略
功能:防止对Config进行配置更改。
{ "Version": "5.0", "Statement": [{ "Sid": "CONFIG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "rms:trackerConfig:delete", "rms:trackerConfig:put" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED
名称:不允许修改RGC设置的FunctionGraph函数
实现:SCP
类型:预防性控制策略
功能:防止更改RGC设置的FunctionGraph函数。
{ "Version": "5.0", "Statement": [{ "Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "functiongraph:function:createFunction", "functiongraph:function:deleteFunction", "functiongraph:function:updateFunctionCode", "functiongraph:function:updateMaxInstanceConfig", "functiongraph:function:createVersion", "functiongraph:function:createEvent", "functiongraph:function:deleteEvent", "functiongraph:function:updateEvent", "functiongraph:function:updateReservedInstanceCount", "functiongraph:function:updateFunctionConfig" ], "Resource": [ "functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" } } }] }
RGC-GR_SMN_CHANGE_PROHIBITED
名称:不允许修改RGC设置的SMN通知
实现:SCP
类型:预防性控制策略
功能:防止更改RGC设置的SMN通知设置。
{ "Version": "5.0", "Statement": [{ "Sid": "SMN_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "smn:topic:update*", "smn:topic:delete*" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:ResourceTag/rgcservice-managed": [ "RGC-SecurityNotifications", "RGC-AllConfigNotifications", "RGC-AggregateSecurityNotifications" ] } } }, { "Sid": "SMN_TAG_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "smn:tag:create", "smn:tag:delete" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:TagKeys": "rgcservice-managed" } } } ] }
RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED
名称:不允许订阅RGC设置的SMN通知
实现:SCP
类型:预防性控制策略
功能:防止更改RGC设置的SMN主题订阅,此订阅用于触发配置规则合规性更改的通知。
{ "Version": "5.0", "Statement": [{ "Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED", "Effect": "Deny", "Action": [ "smn:topic:subscribe", "smn:topic:deleteSubscription" ], "Resource": [ "*" ], "Condition": { "StringNotMatch": { "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*" }, "ForAnyValue:StringMatch": { "g:ResourceTag/rgcservice-managed": [ "RGC-SecurityNotifications", "RGC-AllConfigNotifications", "RGC-AggregateSecurityNotifications" ] } } }] }
RGC-GR_CONFIG_CTS_TRACKER_EXISTS
名称:账号未创建CTS追踪器,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测账号中是否已创建CTS追踪器。
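# Config rule "cts-tracker-exists": assigns the managed RMS policy definition that
# checks whether a CTS tracker exists in the account. Evaluated periodically
# (every 24 hours) rather than on resource change, so no policy_filter is set.

terraform {
  required_providers {
    huaweicloud = {
      # Provider source aligned with the other RGC rule modules (was "huaweie.com/...", a typo).
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification towards the
  # provider endpoint; confirm this is intended outside of test environments.
  insecure = true
}

# Name of the RMS policy definition to look up.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-tracker-exists"
}

# Name given to the created policy assignment.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_tracker_exists"
}

# Human-readable description shown on the assignment.
variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "账号未创建CTS追踪器,视为“不合规”"
}

# TODO: to be completed (carried over from the original "待补充" marker).
# RegionName is declared but not referenced in this configuration.
variable "RegionName" {
  description = "policy region"
  type        = string
}

# Resolve the policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = var.PolicyAssignmentName
  description = var.ConfigRuleDescription
  # NOTE(review): if no definition named var.ConfigName is found, try() yields ""
  # instead of failing the plan; verify the assignment is created with a valid definition.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  period               = "TwentyFour_Hours"
  status               = "Enabled"
}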
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK
名称:桶可以被公开读,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测桶策略是否为公共读。
# Config rule "obs-bucket-public-read-policy-check": assigns the managed RMS policy
# definition that flags OBS buckets whose bucket policy allows public read.
# The assignment is scoped to OBS buckets in var.RegionName via policy_filter.

terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification towards the
  # provider endpoint; confirm this is intended outside of test environments.
  insecure = true
}

# --- Scoping inputs -------------------------------------------------------

variable "RegionName" {
  description = "policy region"
  type        = string
}

# When true the assignment name is used as-is; otherwise the region is appended.
variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

# --- Rule identity --------------------------------------------------------

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-read-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_read_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "桶可以被公开读,视为“不合规”"
}

locals {
  # Region-scoped rules get "<name>_<region>"; global rules keep the bare name.
  assignment_name = var.IsGlobalResource ? format("%s", var.PolicyAssignmentName) : format("%s_%s", var.PolicyAssignmentName, var.RegionName)
}

# Resolve the policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # NOTE(review): try() falls back to "" when the definition lookup returns nothing,
  # so a misspelled ConfigName does not fail the plan; verify after apply.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }
}
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK
名称:桶可以被公开写,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测桶策略是否为公共读写。
# Config rule "obs-bucket-public-write-policy-check": assigns the managed RMS policy
# definition that flags OBS buckets whose bucket policy allows public write.
# The assignment is scoped to OBS buckets in var.RegionName via policy_filter.

terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification towards the
  # provider endpoint; confirm this is intended outside of test environments.
  insecure = true
}

# --- Scoping inputs -------------------------------------------------------

variable "RegionName" {
  description = "policy region"
  type        = string
}

# When true the assignment name is used as-is; otherwise the region is appended.
variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

# --- Rule identity --------------------------------------------------------

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-write-policy-check"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_write_policy_check"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "桶可以被公开写,视为“不合规”"
}

locals {
  # Region-scoped rules get "<name>_<region>"; global rules keep the bare name.
  assignment_name = var.IsGlobalResource ? format("%s", var.PolicyAssignmentName) : format("%s_%s", var.PolicyAssignmentName, var.RegionName)
}

# Resolve the policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # NOTE(review): try() falls back to "" when the definition lookup returns nothing,
  # so a misspelled ConfigName does not fail the plan; verify after apply.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }
}
RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS
名称:CTS追踪器未转储到LTS,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测CTS追踪器是否已转储到LTS。
# Config rule "cts-lts-enable": assigns the managed RMS policy definition that flags
# CTS trackers which are not dumped to LTS. Scoped to CTS trackers in var.RegionName.

terraform {
  required_providers {
    huaweicloud = {
      source = "huawei.com/provider/huaweicloud"
      # NOTE(review): pinned to an exact 1.49.0 here while the sibling rule modules
      # require >=1.51.0; confirm the pin is deliberate.
      version = "1.49.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification towards the
  # provider endpoint; confirm this is intended outside of test environments.
  insecure = true
}

# --- Scoping inputs -------------------------------------------------------

variable "RegionName" {
  description = "policy region"
  type        = string
}

variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "cts"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "trackers"
}

# --- Rule identity --------------------------------------------------------

variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-lts-enable"
}

variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_lts_enable"
}

variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "CTS追踪器未转储到LTS,视为“不合规”"
}

locals {
  # This rule is always region-scoped, so the region is unconditionally appended.
  assignment_name = format("%s_%s", var.PolicyAssignmentName, var.RegionName)
}

# Resolve the policy definition by name.
data "huaweicloud_rms_policy_definitions" "ctsltsenable" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "cts_lts_enable" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # NOTE(review): try() falls back to "" when the definition lookup returns nothing,
  # so a misspelled ConfigName does not fail the plan; verify after apply.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.ctsltsenable.definitions[0].id, "")
  status               = "Enabled"
  # No rule parameters are supplied for this definition.
  parameters = {}

  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }
}