Security controls involved in security product management
Prohibit changes to the AWS Config configuration
By denying changes to AWS Config settings, this control ensures that AWS Config records resource configurations consistently. It is recommended that all OUs use this SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGENABLED",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder",
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:DeleteEvaluationResults",
        "config:DeleteConfigurationAggregator",
        "config:PutConfigurationAggregator"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
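To make the effect of this SCP concrete, the following added example (not part of the original page or of AWS Control Tower) embeds the policy above and evaluates its single Deny statement the way IAM does: the Action list is matched case-insensitively, and the ArnNotLike condition is matched per colon-delimited ARN component, so only the AWSControlTowerExecution role is exempt. The account id used in the assertions is a constructed sample value.

```python
from fnmatch import fnmatchcase

# The SCP from the page, embedded as a Python dict so the example runs offline.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GRCONFIGENABLED", "Effect": "Deny",
    "Action": ["config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel",
               "config:DeleteRetentionConfiguration", "config:PutConfigurationRecorder",
               "config:PutDeliveryChannel", "config:PutRetentionConfiguration",
               "config:StopConfigurationRecorder", "config:PutConfigRule",
               "config:DeleteConfigRule", "config:DeleteEvaluationResults",
               "config:DeleteConfigurationAggregator", "config:PutConfigurationAggregator"],
    "Resource": ["*"],
    "Condition": {"ArnNotLike": {
        "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}}}]}


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: each of the six colon-delimited ARN parts is matched
    separately and case-sensitively, with * and ? wildcards allowed in each part."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatchcase(a, p) for a, p in zip(a_parts, p_parts))


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """True if some Deny statement in this SCP matches the principal and action.
    Only the elements the page's SCP uses are modelled (Effect=Deny, Action list,
    Resource "*", ArnNotLike on aws:PrincipalARN); a real request is also gated by
    identity policies, and SCPs never apply to the management account. For an
    assumed role, aws:PrincipalArn is the role ARN, which the exemption targets."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are compared case-insensitively; * and ? are allowed.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        exempt = exempt if isinstance(exempt, list) else [exempt]
        # ArnNotLike holds only when the principal matches none of the patterns;
        # a match means the condition fails and this Deny does not apply.
        if any(arn_like(pat, principal_arn) for pat in exempt):
            continue
        return True
    return False
```

Calling `scp_denies(SCP, "arn:aws:iam::111122223333:role/Admin", "config:StopConfigurationRecorder")` returns True, while the same call with the AWSControlTowerExecution role ARN returns False, and read-only actions such as `config:DescribeConfigurationRecorders` are never denied by this statement.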