Mandatory controls
Mandatory controls are provided by RGC and cannot be disabled. They are applied automatically to every OU in the organization structure.
RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents deletion of the OBS buckets that RGC creates in the log archive account.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:DeleteBucket"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the encryption configuration of OBS buckets created by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutEncryptionConfiguration"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the lifecycle configuration of OBS buckets created by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutLifecycleConfiguration"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the logging configuration of OBS buckets created by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": ["obs:bucket:PutBucketLogging"],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the bucket policy of OBS buckets created by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "obs:bucket:PutBucketPolicy",
        "obs:bucket:DeleteBucketPolicy"
      ],
      "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS
Implementation: Config
Type: Detective
Function: Detects whether CTS is enabled on the accounts in the Security organizational unit.
RGC-GR_CES_CHANGE_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the CES configuration that RGC sets up to monitor the environment.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CES_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "ces:alarms:put*",
        "ces:alarms:delete*",
        "ces:alarms:addResources"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "StringMatch": {
          "g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule"
        }
      }
    },
    {
      "Sid": "CES_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": ["ces:tags:create"],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
RGC-GR_CONFIG_CHANGE_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents configuration changes to Config.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms:trackerConfig:delete",
        "rms:trackerConfig:put"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_CONFIG_ENABLED
Implementation: SCP
Type: Preventive
Function: Enables Config in all available regions.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "CONFIG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "rms:trackerConfig:delete",
        "rms:trackerConfig:put"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Disallows changes to the FunctionGraph functions set up by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "functiongraph:function:createFunction",
        "functiongraph:function:deleteFunction",
        "functiongraph:function:updateFunctionCode",
        "functiongraph:function:updateMaxInstanceConfig",
        "functiongraph:function:createVersion",
        "functiongraph:function:createEvent",
        "functiongraph:function:deleteEvent",
        "functiongraph:function:updateEvent",
        "functiongraph:function:updateReservedInstanceCount",
        "functiongraph:function:updateFunctionConfig"
      ],
      "Resource": ["functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        }
      }
    }
  ]
}
RGC-GR_SMN_CHANGE_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the SMN notification settings set up by RGC.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "SMN_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "smn:topic:update*",
        "smn:topic:delete*"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:ResourceTag/rgcservice-managed": [
            "RGC-SecurityNotifications",
            "RGC-AllConfigNotifications",
            "RGC-AggregateSecurityNotifications"
          ]
        }
      }
    },
    {
      "Sid": "SMN_TAG_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "smn:tag:create",
        "smn:tag:delete"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:TagKeys": "rgcservice-managed"
        }
      }
    }
  ]
}
RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED
Implementation: SCP
Type: Preventive
Function: Prevents changes to the SMN topic subscriptions set up by RGC; these subscriptions trigger the notifications sent when the compliance state of a Config rule changes.
{
  "Version": "5.0",
  "Statement": [
    {
      "Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED",
      "Effect": "Deny",
      "Action": [
        "smn:topic:subscribe",
        "smn:topic:deleteSubscription"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotMatch": {
          "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
        },
        "ForAnyValue:StringMatch": {
          "g:ResourceTag/rgcservice-managed": [
            "RGC-SecurityNotifications",
            "RGC-AllConfigNotifications",
            "RGC-AggregateSecurityNotifications"
          ]
        }
      }
    }
  ]
}
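An added example, not part of the RGC documentation: a small Python evaluator that applies the Deny statements above to a request context, showing that the StringNotMatch condition exempts only principals under RGCServiceExecutionAgency while every other caller is denied. Glob semantics for `*`, the constructed request URNs and the agency name OpsAgency are assumptions; the real IAM engine's matching rules may differ.

```python
import fnmatch

# Constructed: the AUDIT_BUCKET_DELETION_PROHIBITED statement from this page as a Python dict.
AUDIT_BUCKET_SCP = {
    "Version": "5.0",
    "Statement": [{
        "Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
        "Effect": "Deny",
        "Action": ["obs:bucket:DeleteBucket"],
        "Resource": ["obs:*::bucket:rgcservice-managed-*-logs-*"],
        "Condition": {"StringNotMatch": {
            "g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"}},
    }],
}

def _any_match(patterns, values):
    # '*' in a policy pattern matches any run of characters (assumed glob semantics).
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(v, p) for p in patterns for v in values)

def _condition_holds(condition, ctx):
    # All operator blocks, and all keys inside each block, must hold (AND).
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            values = ctx.get(key, [])
            values = values if isinstance(values, list) else [values]
            if operator == "StringNotMatch":
                if _any_match(patterns, values):  # e.g. the caller IS the RGC agency
                    return False
            elif operator in ("StringMatch", "ForAnyValue:StringMatch"):
                if not _any_match(patterns, values):  # missing tag -> condition fails
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True

def is_denied(policy, ctx):
    """ctx keys: action, resource, g:PrincipalUrn, optional g:ResourceTag/<key>, g:TagKeys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _any_match(stmt["Action"], [ctx["action"]]):
            continue
        if not _any_match(stmt["Resource"], [ctx["resource"]]):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False
```

The same evaluator handles the StringMatch and ForAnyValue:StringMatch tag conditions used by the CES and SMN controls, so a request against a resource carrying the rgcservice-managed tag is denied while the same request against an untagged resource is not.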