Organizational Policies for GCP High Risk data accounts

GCP high risk data organizational policies.

The following organizational constraints are provisioned in our GCP high risk accounts as part of our work with the RHEDCloud foundation for HIPAA class data (sensitive and restricted data), inherited from the high-risk org folder.


Easy Customer NameGCP Name of contraintSetting

Define allowed external IPs for VM instances  
 constraints/compute.vmExternalIpAccess
blocked

Define trusted image projects
constraints/compute.trustedImageProjects
none by default

Disable Automatic IAM Grants for Default Service Accounts
constraints/iam.automaticIamGrantsForDefaultServiceAccounts
blocked

Disable Automatic IAM Grants for Default Service Accounts
 constraints/iam.automaticIamGrantsForDefaultServiceAccounts
none

Disable service account creation
constraints/iam.disableServiceAccountCreation
blocked

Disable service account key creation
constraints/iam.disableServiceAccountKeyCreation
blocked

Disable VM nested virtualization
constraints/compute.disableNestedVirtualization
blocked

Domain restricted sharing
constraints/iam.allowedPolicyMemberDomains
only wisc.edu netIDs

Google Cloud Platform - Resource Location Restriction
constraints/gcp.resourceLocations
Limited to US regions

Require OS Login
constraints/compute.requireOsLogin
required