Organizational Policies for GCP High Risk data accounts

GCP high risk data organizational policies.

The following organizational constraints are provisioned in our GCP high-risk accounts as part of our work with the RHEDCloud foundation for HIPAA class data (sensitive and restricted data). These policies are applied by default to all "high-risk" accounts.

Broadly, these policies are intended to:

  • Limit creation of Service Accounts
  • Limit resources to US regions
  • Limit logins to UW NetID Single Sign On, which includes multi-factor authentication
  • Enable additional monitoring and security tooling using Google Security Command Center Premium

These can be supplemented by additional [Link for document 115325 is unavailable at this time.]. Should you need assistance with or an exception to one of these policies, please Contact the Public Cloud Team 

To learn more about the constraints, see the Org Policy Constraints GCP documentation.

Easy Customer Name GCP Name of contraint Setting
Define allowed external IPs for VM instances constraints/compute.vmExternalIpAccess blocked
Define trusted image projects constraints/compute.trustedImageProjects none by default
Disable Automatic IAM Grants for Default Service Accounts constraints/iam.automaticIamGrantsForDefaultServiceAccounts blocked
Disable Automatic IAM Grants for Default Service Accounts constraints/iam.automaticIamGrantsForDefaultServiceAccounts none
Disable service account creation constraints/iam.disableServiceAccountCreation blocked
Disable service account key creation constraints/iam.disableServiceAccountKeyCreation blocked
Disable VM nested virtualization constraints/compute.disableNestedVirtualization blocked
Domain restricted sharing constraints/iam.allowedPolicyMemberDomains only wisc.edu netIDs
Google Cloud Platform - Resource Location Restriction constraints/gcp.resourceLocations Limited to US regions
Require OS Login constraints/compute.requireOsLogin required
Restrict Public IP access on Cloud SQL Instances constraints/sql.restrictPublicIp Enforced
Restrict VM IP Forwarding constraints/compute.vmCanIpForward All Denied
Shielded VMs constraints/compute.requireShieldedVm Enforced
Skip default network creation constraints/compute.skipDefaultNetworkCreation Enforced




Keywords:GCP high risk data organizational policies restricted sensitive high-risk   Doc ID:114316
Owner:Mike V.Group:Public Cloud
Created:2021-10-14 14:45 CDTUpdated:2022-06-20 16:03 CDT
Sites:Public Cloud
Feedback:  0   0