only-approved-cloud-services.yml
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 创建管控策略,限制ECS和RDS操作于华北2和华东2,绑定至指定账户。
  en: Create control policies to restrict ECS and RDS operations to the Beijing 2
    and Shanghai 2 regions, and apply them to designated accounts.
Parameters:
  ControlPolicyName:
    Type: String
    Label:
      en: ControlPolicy name
      zh-cn: 管控策略名称
    Description:
      en: No more than 128 characters, including English letters, numbers, and dashes -.
      zh-cn: 不多于 128 字符,可包含英文字母、数字和短划线 -。
    AssociationProperty: AutoCompleteInput
    AssociationPropertyMetadata:
      Length: 6
      Prefix: control-policy-
      CharacterClasses:
        - Class: lowercase
          min: 6
  # Target accounts for the policy: at least 1, at most 3.
  Accounts:
    Type: Json
    Label:
      en: Accounts bound to management and control policies.
      zh-cn: 绑定管控策略的账号。
    AssociationProperty: ALIYUN::ResourceManager::Account
    MinLength: 1
    MaxLength: 3
Resources:
  # Enables the ControlPolicy service for the stack.
  AutoEnableControlPolicy:
    Type: ALIYUN::ROS::AutoEnableService
    Properties:
      ServiceName: ControlPolicy
  # Custom control policy: allows ecs:* and rds:* only on resources whose
  # identifier matches *cn-beijing* or *cn-shanghai*, plus sts:AssumeRole
  # on any resource.
  ControlPolicy:
    Type: ALIYUN::ResourceManager::ControlPolicy
    Properties:
      ControlPolicyName:
        Ref: ControlPolicyName
      Description: 仅允许对华北2(北京)和华东2(上海)地域的 ECS 和 RDS 进行操作.
      EffectScope: RAM
      PolicyDocument: |-
        {
          "Statement":[
            {
              "Effect": "Allow",
              "Action":[
                "ecs:*",
                "rds:*"
              ],
              "Resource": [
                "acs:*:*cn-beijing*:*:*",
                "acs:*:*cn-shanghai*:*:*"
              ]
            },
            {
              "Effect": "Allow",
              "Action":[
                "sts:AssumeRole"
              ],
              "Resource": "*"
            }
          ],
          "Version": "1"
        }
  # One attachment per entry in Accounts; ALIYUN::Index picks the account
  # for each copy.
  ControlPolicyAttachment:
    Type: ALIYUN::ResourceManager::ControlPolicyAttachment
    Count:
      Fn::Length:
        Ref: Accounts
    Properties:
      PolicyId:
        Ref: ControlPolicy
      TargetId:
        Fn::Select:
          - Ref: ALIYUN::Index
          - Ref: Accounts
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - ControlPolicyName
          - Accounts
    TemplateTags:
      - acs:technical-solution:security-and-compliance:限制企业仅使用已批准的云服务-tech_solu_76
  ALIYUN::ROS::Composer:
    acc60e59:
      Rect:
        - 180
        - 180
        - 40
        - 100
        - 1
        - 0
      ResT: Composer::ROSParameter::AlibabaCloud
    b33aabe8:
      Parent: acc60e59
      Rect:
        - 140
        - 110
        - 60
        - 150
        - 2
        - 0
      ResT: Composer::ROSParameter::Region
    daeb00ba:
      Res:
        - AutoEnableControlPolicy
      Parent: b33aabe8
      Rect:
        - 40
        - 40
        - 140
        - 200
        - 3
        - 0
      Hidden: true
    2bf5a642:
      Res:
        - ControlPolicy
        - ControlPolicyAttachment
      Ref:
        - ControlPolicyAttachment
      Parent: b33aabe8
      Rect:
        - 40
        - 40
        - 110
        - 200
        - 3
        - 0