Organizational Policies for GCP High Risk data accounts

GCP high risk data organizational policies.

The following organizational constraints are provisioned in our GCP high-risk accounts as part of our work with the RHEDCloud foundation for HIPAA class data (sensitive and restricted data). These policies are applied by default to all "high-risk" accounts.

Broadly, these policies are intended to:

Limit creation of Service Accounts
Limit resources to US regions
Limit logins to UW NetID Single Sign On, which includes multi-factor authentication
Enable additional monitoring and security tooling using Google Security Command Center Premium

These can be supplemented by additional [Link for document 115325 is unavailable at this time.]. Should you need assistance with or an exception to one of these policies, please Contact the Public Cloud Team

To learn more about the constraints, see the Org Policy Constraints GCP documentation.

Easy Customer Name	GCP Name of contraint	Setting
Define allowed external IPs for VM instances	constraints/compute.vmExternalIpAccess	blocked
Define trusted image projects	constraints/compute.trustedImageProjects	none by default
Disable Automatic IAM Grants for Default Service Accounts	constraints/iam.automaticIamGrantsForDefaultServiceAccounts	blocked
Disable Automatic IAM Grants for Default Service Accounts	constraints/iam.automaticIamGrantsForDefaultServiceAccounts	none
Disable service account creation	constraints/iam.disableServiceAccountCreation	blocked
Disable service account key creation	constraints/iam.disableServiceAccountKeyCreation	blocked
Disable VM nested virtualization	constraints/compute.disableNestedVirtualization	blocked
Domain restricted sharing	constraints/iam.allowedPolicyMemberDomains	only wisc.edu netIDs
Google Cloud Platform - Resource Location Restriction	constraints/gcp.resourceLocations	Limited to US regions
Require OS Login	constraints/compute.requireOsLogin	required