Key concepts

Assured Workloads provides Google Cloud users with the ability to apply controls to a folder in support of regulatory, regional, or sovereign requirements. This page provides information about its key components.

Assured Workloads folders

An Assured Workloads folder is the top-level regulatory boundary for your workloads. Each Assured Workloads folder is configured with (and actively enforces) controls that meet the selected control package's regulatory requirements. Assured Workloads folders are also the container for your resources that must adhere to those requirements, such as projects that contain your workloads. Assured Workloads folders and their resources are constantly monitored for adherence to compliance requirements.

For example, if you need to meet the regulatory requirements for Impact Level 4 (IL4), you would create an Assured Workloads folder for IL4, and then create or migrate projects and resources to that Assured Workloads folder. Inside the folder, those projects will be configured to enforce IL4's regulatory requirements, and you will be notified if any resources fall out of compliance.

To ensure that all of your organization's resources are compliant with a specific control package, you can create an Assured Workloads folder as the parent for all of your other folders, projects, and resources. By making the top-level folder an Assured Workloads folder, its controls will be inherited by all child resources in the Google Cloud resource hierarchy. For more information, see How to set compliance controls for your Google Cloud organization.

Assured Workloads key management project

Depending on the control package you select, Assured Workloads can also create a key management project inside the Assured Workloads folder to store your CMEK encryption keys. Having one project for keys and another for resources establishes separation of duties between security administrators and developers.
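The separation of duties described above only holds if the same people do not hold privileged roles in both projects. The following check is an added example, not part of Assured Workloads or Google's code: it compares the IAM policies of the key management project and a resource project and reports human principals with key roles in one and non-read-only roles in the other. The role sets, the read-only exemption, and the sample policies are assumptions constructed for illustration.

```python
import json

# Roles that administer or directly use CMEK keys in the key management project.
KEY_ROLES = {"roles/owner", "roles/cloudkms.admin",
             "roles/cloudkms.cryptoKeyEncrypterDecrypter",
             "roles/cloudkms.cryptoKeyDecrypter"}
# Assumption: read-only roles in the resource project do not break separation.
READ_ONLY_ROLES = {"roles/viewer", "roles/browser"}
HUMAN_PREFIXES = ("user:", "group:")  # service agents need key access for CMEK


def roles_by_member(policy):
    """Map each member to the set of roles bound to it in one IAM policy."""
    granted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            granted.setdefault(member, set()).add(binding["role"])
    return granted


def sod_violations(key_policy, resource_policy):
    """Return humans who hold key roles AND non-read-only resource roles."""
    key_side = roles_by_member(key_policy)
    res_side = roles_by_member(resource_policy)
    findings = []
    for member in sorted(key_side):
        if not member.startswith(HUMAN_PREFIXES):
            continue  # skip service accounts and service agents
        key_roles = key_side[member] & KEY_ROLES
        res_roles = res_side.get(member, set()) - READ_ONLY_ROLES
        if key_roles and res_roles:
            findings.append((member, sorted(key_roles), sorted(res_roles)))
    return findings


# Constructed sample policies in the JSON shape of an IAM policy export.
KEY_PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudkms.admin",
   "members": ["group:sec-admins@example.com", "user:dev1@example.com"]},
  {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
   "members": ["serviceAccount:service-123@compute-system.iam.gserviceaccount.com"]}]}""")
RESOURCE_PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/compute.admin",
   "members": ["user:dev1@example.com", "group:devs@example.com"]},
  {"role": "roles/viewer", "members": ["group:sec-admins@example.com"]}]}""")

if __name__ == "__main__":
    for member, key_roles, res_roles in sod_violations(
            KEY_PROJECT_POLICY, RESOURCE_PROJECT_POLICY):
        print(f"{member}: key roles {key_roles}, resource roles {res_roles}")
```

Real policies can be exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; that output lists only bindings set directly on the project, so bindings inherited from the Assured Workloads folder or the organization need to be checked as well.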
