GCP high risk data organizational policies.
The following organizational constraints are provisioned in our GCP high-risk accounts as part of our work with the RHEDCloud foundation for HIPAA class data (sensitive and restricted data). These policies are applied by default to all "high-risk" accounts.
Broadly, these policies are intended to:
These can be supplemented by additional [Link for document 115325 is unavailable at this time.]. Should you need assistance with or an exception to one of these policies, please Contact the Public Cloud Team
To learn more about the constraints, see the Org Policy Constraints GCP documentation.
Easy Customer Name | GCP Name of contraint | Setting |
---|---|---|
Define allowed external IPs for VM instances | constraints/compute.vmExternalIpAccess | blocked |
Define trusted image projects | constraints/compute.trustedImageProjects | none by default |
Disable Automatic IAM Grants for Default Service Accounts | constraints/iam.automaticIamGrantsForDefaultServiceAccounts | blocked |
Disable Automatic IAM Grants for Default Service Accounts | constraints/iam.automaticIamGrantsForDefaultServiceAccounts | none |
Disable service account creation | constraints/iam.disableServiceAccountCreation | blocked |
Disable service account key creation | constraints/iam.disableServiceAccountKeyCreation | blocked |
Disable VM nested virtualization | constraints/compute.disableNestedVirtualization | blocked |
Domain restricted sharing | constraints/iam.allowedPolicyMemberDomains | only wisc.edu netIDs |
Google Cloud Platform - Resource Location Restriction | constraints/gcp.resourceLocations | Limited to US regions |
Require OS Login | constraints/compute.requireOsLogin | required |