-
Notifications
You must be signed in to change notification settings - Fork 35
/
multiple-accounts-support-configuration-auditing.yml
118 lines (118 loc) · 3.54 KB
/
multiple-accounts-support-configuration-auditing.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
ROSTemplateFormatVersion: '2015-09-01'
Description:
zh-cn: 创建资源目录、账户,配置合规审计,确保OSS安全策略,实现多账号统一合规管理。
en: Create resource directories and accounts, configure compliance audits, ensure
OSS security policies, and implement unified compliance management across multiple
accounts.
Parameters:
FolderName:
Type: String
Label:
zh-cn: 资源目录名称
en: Resource directory folder name
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 5
Prefix: ros-folder-
CharacterClasses:
- Class: lowercase
RDAccountName1:
Type: String
Label:
zh-cn: 资源目录成员名称1
en: Resource directory member name 1
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 5
Prefix: account1-
CharacterClasses:
- Class: lowercase
RDAccountName2:
Type: String
Label:
zh-cn: 资源目录成员名称2
en: Resource directory member name 2
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 5
Prefix: account2-
CharacterClasses:
- Class: lowercase
Resources:
RDFolder:
Type: ALIYUN::ResourceManager::Folder
Properties:
FolderName:
Ref: FolderName
RDAccount1:
Type: ALIYUN::ResourceManager::Account
Properties:
DeleteAccount: true
DisplayName:
Ref: RDAccountName1
FolderId:
Fn::GetAtt:
- RDFolder
- FolderId
RDAccount2:
Type: ALIYUN::ResourceManager::Account
Properties:
DeleteAccount: true
DisplayName:
Ref: RDAccountName2
FolderId:
Fn::GetAtt:
- RDFolder
- FolderId
ConfigAggregator:
Type: ALIYUN::Config::Aggregator
Properties:
AggregatorName:
Ref: ALIYUN::StackId
Description:
Ref: ALIYUN::StackId
AggregatorAccounts:
- AccountId:
Fn::GetAtt:
- RDAccount1
- AccountId
AccountType: ResourceDirectory
AccountName:
Ref: RDAccountName1
- AccountId:
Fn::GetAtt:
- RDAccount2
- AccountId
AccountType: ResourceDirectory
AccountName:
Ref: RDAccountName2
ConfigAggregateCompliancePack:
Type: ALIYUN::Config::AggregateCompliancePack
Properties:
AggregatorId:
Fn::GetAtt:
- ConfigAggregator
- AggregatorId
RiskLevel: 1
Description: 基于等保三级的部分要求,对阿里云上资源的合规性做检测。
CompliancePackName: 等保三级预检合规包
ConfigRules:
- ConfigRuleName: OSS存储空间ACL禁止公共读
Description: OSS存储空间的ACL策略禁止公共读,视为“合规”。
RiskLevel: 1
ManagedRuleIdentifier: oss-bucket-public-read-prohibited
- ConfigRuleName: OSS存储空间ACL禁止公共读写
Description: OSS存储空间的ACL策略禁止公共读写,视为“合规”。
RiskLevel: 1
ManagedRuleIdentifier: oss-bucket-public-write-prohibited
Metadata:
ALIYUN::ROS::Interface:
ParameterGroups:
- Parameters:
- RDAccountName1
- RDAccountName2
Label:
zh-cn: 资源目录配置
en: ResourceDirectory Configuration
TemplateTags:
- acs:technical-solution:security-and-compliance:企业多账号配置统一合规审计-tech_solu_68