必选控制策略
必选控制策略由RGC提供,且无法停用。这些控制策略将会自动应用于组织结构上的每个OU。
RGC-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED
名称:不允许更改RGC创建的Config聚合器
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "CONFIG_AGGREGATION_DELETE_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"rms:aggregators:delete",
"rms:aggregationAuthorizations:delete"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"StringMatch": {
"g:ResourceTag/rgcservice-managed": "RGC-*"
}
}
},
{
"Sid": "CONFIG_AGGREGATION_UPDATE_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"rms:aggregators:create",
"rms:aggregators:update"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:TagKeys": "rgcservice-managed"
}
}
}
]
}
RGC-GR_AUDIT_BUCKET_DELETION_PROHIBITED
名称:不允许删除日志桶
实现:SCP
类型:预防性控制策略
功能:防止删除RGC在日志归档账号中创建的OBS桶。
{
"Version": "5.0",
"Statement": [{
"Sid": "AUDIT_BUCKET_DELETION_PROHIBITED",
"Effect": "Deny",
"Action": [
"obs:bucket:DeleteBucket"
],
"Resource": [
"obs:*::bucket:rgcservice-managed-*-logs-*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
名称:不允许修改RGC创建的日志桶的加密配置
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
"Effect": "Deny",
"Action": [
"obs:bucket:PutEncryptionConfiguration"
],
"Resource": [
"obs:*::bucket:rgcservice-managed-*-logs-*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_CONFIG_TAG_CHANGE_PROHIBITED
名称:不允许更改RGC创建的Config标签
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "CONFIG_TAG_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"rms::tagResource",
"rms::unTagResource"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:TagKeys": "rgcservice-managed"
}
}
}]
}
RGC-GR_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
名称:不允许修改RGC创建的日志桶的生命周期
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
"Effect": "Deny",
"Action": [
"obs:bucket:PutLifecycleConfiguration"
],
"Resource": [
"obs:*::bucket:rgcservice-managed-*-logs-*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
名称:不允许修改日志桶的桶日志配置
实现:SCP
类型:预防性控制策略
功能:防止更改RGC创建的日志桶的桶日志配置。
{
"Version": "5.0",
"Statement": [{
"Sid": "AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
"Effect": "Deny",
"Action": [
"obs:bucket:PutBucketLogging"
],
"Resource": [
"obs:*::bucket:rgcservice-managed-*-logs-*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
名称:不允许修改RGC创建的日志桶的桶策略
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
"Effect": "Deny",
"Action": [
"obs:bucket:PutBucketPolicy",
"obs:bucket:DeleteBucketPolicy"
],
"Resource": [
"obs:*::bucket:rgcservice-managed-*-logs-*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_CES_CHANGE_PROHIBITED
名称:不允许对RGC配置的CES进行更改
实现:SCP
类型:预防性控制策略
功能:防止更改RGC为监控环境而设置的CES配置。
{
"Version": "5.0",
"Statement": [{
"Sid": "CES_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"ces:alarms:put*",
"ces:alarms:delete*",
"ces:alarms:addResources"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"StringMatch": {
"g:ResourceTag/rgcservice-managed": "RGC-ConfigComplianceChangeEventRule"
}
}
},
{
"Sid": "CES_TAG_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"ces:tags:create"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:TagKeys": "rgcservice-managed"
}
}
}
]
}
RGC-GR_CONFIG_CHANGE_PROHIBITED
名称:不允许更改Config记录器
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "CONFIG_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"rms:trackerConfig:delete",
"rms:trackerConfig:put"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_IAM_ROLE_CHANGE_PROHIBITED
名称:不允许更改RGC在搭建Landing Zone时创建的IAM委托
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "IAM_ROLE_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"iam:agencies:attachPolicy*",
"iam:agencies:detachPolicy*",
"iam:agencies:create*",
"iam:agencies:update*",
"iam:agencies:delete*",
"iam:agencies:updateTrustPolicy*"
],
"Resource": [
"iam::*:agency:RGC*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": [
"sts::*:assumed-agency:RGCServiceExecutionAgency/*",
"sts::*:assumed-agency:OrganizationAccountAccessAgency/*"
]
}
}
}]
}
RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED
名称:不允许更改RGC创建的Config规则
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "CONFIG_RULE_UPDATE_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"rms:policyAssignments:create",
"rms:policyAssignments:update"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:TagKeys": "rgcservice-managed"
}
}
},
{
"Sid": "CONFIG_RULE_DELETE_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"rms:policyAssignments:delete"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"StringMatch": {
"g:ResourceTag/rgcservice-managed": "RGC-*"
}
}
}
]
}
RGC-GR_FUNCTIONGRAPH_CHANGE_PROHIBITED
名称:不允许修改RGC设置的FunctionGraph函数
实现:SCP
类型:预防性控制策略
功能:不允许更改RGC设置的FunctionGraph函数。
{
"Version": "5.0",
"Statement": [{
"Sid": "FUNCTIONGRAPH_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"functiongraph:function:createFunction",
"functiongraph:function:deleteFunction",
"functiongraph:function:updateFunctionCode",
"functiongraph:function:updateMaxInstanceConfig",
"functiongraph:function:createVersion",
"functiongraph:function:createEvent",
"functiongraph:function:deleteEvent",
"functiongraph:function:updateEvent",
"functiongraph:function:updateReservedInstanceCount",
"functiongraph:function:updateFunctionConfig"
],
"Resource": [
"functiongraph:*:*:function:rgcservice-managed/RGC-NotificationForwarder"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
}
}
}]
}
RGC-GR_SMN_CHANGE_PROHIBITED
名称:不允许修改RGC设置的SMN主题
实现:SCP
类型:预防性控制策略
功能:防止更改RGC设置的SMN通知设置。
{
"Version": "5.0",
"Statement": [{
"Sid": "SMN_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"smn:topic:update*",
"smn:topic:delete*"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:ResourceTag/rgcservice-managed": [
"RGC-SecurityNotifications",
"RGC-AllConfigNotifications",
"RGC-AggregateSecurityNotifications"
]
}
}
},
{
"Sid": "SMN_TAG_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"smn:tag:create",
"smn:tag:delete"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:TagKeys": "rgcservice-managed"
}
}
}
]
}
RGC-GR_SMN_SUBSCRIPTION_CHANGE_PROHIBITED
名称:不允许修改RGC设置的SMN订阅
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "SMN_SUBSCRIPTION_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"smn:topic:subscribe",
"smn:topic:deleteSubscription"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"StringMatch": {
"g:ResourceTag/rgcservice-managed": "RGC-*"
}
}
}]
}
RGC-GR_LTS_CHANGE_PROHIBITED
名称:不允许更改RGC创建的LTS的配置
实现:SCP
类型:预防性控制策略
{
"Version": "5.0",
"Statement": [{
"Sid": "LOG_GROUP_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"lts:logGroup:deleteLogGroup",
"lts:logGroup:updateLogGroup"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"StringMatch": {
"g:ResourceTag/rgcservice-managed": "RGC-*"
}
}
},
{
"Sid": "LOG_TAG_CHANGE_PROHIBITED",
"Effect": "Deny",
"Action": [
"lts:tag:create",
"lts:tag:delete"
],
"Resource": [
"*"
],
"Condition": {
"StringNotMatch": {
"g:PrincipalUrn": "sts::*:assumed-agency:RGCServiceExecutionAgency/*"
},
"ForAnyValue:StringMatch": {
"g:TagKeys": "rgcservice-managed"
}
}
}
]
}
RGC-GR_CONFIG_CTS_TRACKER_EXISTS
名称:账号未创建CTS追踪器,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测账号中是否创建CTS追踪器。
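# RGC-GR_CONFIG_CTS_TRACKER_EXISTS: assigns the "cts-tracker-exists" Config
# policy definition so that an account without a CTS tracker is reported as
# noncompliant.
terraform {
  required_providers {
    huaweicloud = {
      # Provider source aligned with the other RGC control listings (the
      # original read "huaweie.com", which matches none of them).
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification for
  # every provider API call. Keep it only where the endpoint genuinely cannot
  # present a trusted certificate; otherwise set it to false.
  insecure = true
}

# Name of the Config policy definition resolved by the data source below.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-tracker-exists"
}

# Name under which the policy assignment is created.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_tracker_exists"
}

# Description attached to the assignment (shown in the Config console).
variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "账号未创建CTS追踪器,视为“不合规”"
}

# TODO: to be supplemented (note carried over from the original listing, where
# the stray text sat after the closing brace and would not parse).
# RegionName is declared but not referenced anywhere in this listing —
# presumably because the tracker check is account-wide; confirm whether a
# policy_filter was intended, as in the other detective controls.
variable "RegionName" {
  description = "policy region"
  type        = string
}

# Look up the built-in policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = var.PolicyAssignmentName
  description = var.ConfigRuleDescription
  # try() yields "" when the lookup returns no definition instead of failing
  # on the [0] index.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  # Periodic evaluation; this control has no resource filter to trigger on.
  period = "TwentyFour_Hours"
  status = "Enabled"

  # The mandatory SCP RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED denies delete/update
  # of assignments only when ResourceTag/rgcservice-managed matches "RGC-*"
  # (or the tag key is present). Without this tag the assignment is outside
  # that guard; same tag value as the OBS bucket check listings.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}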
RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS
名称:CTS追踪器未转储到LTS,视为“不合规”
实现:Config rule
类型:检测性控制策略
功能:检测CTS追踪器是否已转储到LTS。
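# RGC-GR_DETECT_CTS_ENABLED_ON_SHARED_ACCOUNTS: assigns the "cts-lts-enable"
# Config policy definition, filtered to CTS trackers in one region, so that a
# tracker that does not dump to LTS is reported as noncompliant.
terraform {
  required_providers {
    huaweicloud = {
      source = "huawei.com/provider/huaweicloud"
      # NOTE(review): pinned to exactly 1.49.0 while the other RGC control
      # listings require >=1.51.0; confirm which constraint is intended.
      version = "1.49.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true disables TLS certificate verification for
  # every provider API call. Keep it only where the endpoint genuinely cannot
  # present a trusted certificate; otherwise set it to false.
  insecure = true
}

# Name of the Config policy definition resolved by the data source below.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "cts-lts-enable"
}

# Base name of the assignment; the region is appended below.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_cts_lts_enable"
}

# Description attached to the assignment.
variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "CTS追踪器未转储到LTS,视为“不合规”"
}

# Provider/type pair used by policy_filter to restrict evaluation to CTS trackers.
variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "cts"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "trackers"
}

# Region the assignment is scoped to (no default: must be supplied).
variable "RegionName" {
  description = "policy region"
  type        = string
}

# Look up the built-in policy definition by name.
data "huaweicloud_rms_policy_definitions" "ctsltsenable" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "cts_lts_enable" {
  # One assignment per region, so the region is part of the name.
  name        = format("%s_%s", var.PolicyAssignmentName, var.RegionName)
  description = var.ConfigRuleDescription
  # try() yields "" when the lookup returns no definition instead of failing
  # on the [0] index.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.ctsltsenable.definitions[0].id, "")
  status               = "Enabled"
  # No parameters are passed to the definition.
  parameters = {}

  # Evaluate only CTS trackers in the given region.
  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  # The mandatory SCP RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED denies delete/update
  # of assignments only when ResourceTag/rgcservice-managed matches "RGC-*"
  # (or the tag key is present). Without this tag the assignment is outside
  # that guard; same tag value as the OBS bucket check listings.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}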
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK
名称:桶可以被公开读,视为“不合规”
实现:Config rule
类型:检测性控制策略
# RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_READ_POLICY_CHECK: assigns the
# "obs-bucket-public-read-policy-check" Config policy definition, scoped to OBS
# buckets, so that a publicly readable bucket is reported as noncompliant.
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true turns off TLS certificate verification for
  # provider calls; confirm it is really required for the target endpoints.
  insecure = true
}

# Name of the Config policy definition to resolve.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-read-policy-check"
}

# Base name of the assignment; regional assignments get a region suffix.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_read_policy_check"
}

# Description attached to the assignment.
variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "A obs bucket is noncompliant if it can be read publicly."
}

# Provider/type pair used by policy_filter to restrict evaluation to OBS buckets.
variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

# Region the assignment is scoped to (no default: must be supplied).
variable "RegionName" {
  description = "policy region"
  type        = string
}

# When true the bare assignment name is used instead of the region-suffixed one.
variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

locals {
  # Global resources keep the bare name; regional ones append "_<region>".
  assignment_name = var.IsGlobalResource ? var.PolicyAssignmentName : "${var.PolicyAssignmentName}_${var.RegionName}"
}

# Look up the built-in policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # try() yields "" when the lookup returns no definition instead of failing
  # on the [0] index.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  # Evaluate only OBS buckets in the given region.
  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  # Tag value matches the "RGC-*" pattern the mandatory SCP
  # RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED uses to guard assignments.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}
RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK
名称:桶可以被公开写,视为“不合规”
实现:Config rule
类型:检测性控制策略
# RGC-GR_CONFIG_OBS_BUCKET_PUBLIC_WRITE_POLICY_CHECK: assigns the
# "obs-bucket-public-write-policy-check" Config policy definition, scoped to
# OBS buckets, so that a publicly writable bucket is reported as noncompliant.
terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.51.0"
    }
  }
}

provider "huaweicloud" {
  endpoints = {}
  # NOTE(review): insecure = true turns off TLS certificate verification for
  # provider calls; confirm it is really required for the target endpoints.
  insecure = true
}

# Name of the Config policy definition to resolve.
variable "ConfigName" {
  description = "config name"
  type        = string
  default     = "obs-bucket-public-write-policy-check"
}

# Base name of the assignment; regional assignments get a region suffix.
variable "PolicyAssignmentName" {
  description = "policy assignment name"
  type        = string
  default     = "rgc_obs_bucket_public_write_policy_check"
}

# Description attached to the assignment.
variable "ConfigRuleDescription" {
  description = "config rule description"
  type        = string
  default     = "A bucket is noncompliant if it can be written publicly."
}

# Provider/type pair used by policy_filter to restrict evaluation to OBS buckets.
variable "ResourceProvider" {
  description = "resource provider"
  type        = string
  default     = "obs"
}

variable "ResourceType" {
  description = "resource type"
  type        = string
  default     = "buckets"
}

# Region the assignment is scoped to (no default: must be supplied).
variable "RegionName" {
  description = "policy region"
  type        = string
}

# When true the bare assignment name is used instead of the region-suffixed one.
variable "IsGlobalResource" {
  description = "is global resource"
  type        = bool
  default     = false
}

locals {
  # Global resources keep the bare name; regional ones append "_<region>".
  assignment_name = var.IsGlobalResource ? var.PolicyAssignmentName : "${var.PolicyAssignmentName}_${var.RegionName}"
}

# Look up the built-in policy definition by name.
data "huaweicloud_rms_policy_definitions" "rms_policy_definitions_check" {
  name = var.ConfigName
}

resource "huaweicloud_rms_policy_assignment" "rms_policy_assignment_check" {
  name        = local.assignment_name
  description = var.ConfigRuleDescription
  # try() yields "" when the lookup returns no definition instead of failing
  # on the [0] index.
  policy_definition_id = try(data.huaweicloud_rms_policy_definitions.rms_policy_definitions_check.definitions[0].id, "")
  status               = "Enabled"

  # Evaluate only OBS buckets in the given region.
  policy_filter {
    region            = var.RegionName
    resource_provider = var.ResourceProvider
    resource_type     = var.ResourceType
  }

  # Tag value matches the "RGC-*" pattern the mandatory SCP
  # RGC-GR_CONFIG_RULE_CHANGE_PROHIBITED uses to guard assignments.
  tags = {
    "rgcservice-managed" = "RGC-ConfigRule"
  }
}