Create a new Assured Workloads folder

This page describes how to create a new Assured Workloads folder for each compliance program.

For more information about Assured Workloads, see the Assured Workloads overview.

Select a compliance program

Select your desired compliance program to learn how to create an Assured Workloads folder:

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the CJIS compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for CJIS

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select CJIS from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the CJIS compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • A CMEK project that contains the configured CMEK key ring. See Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the FedRAMP Moderate compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. (Optional) Enable Access Transparency for the organization. Access Transparency is not required for FedRAMP Moderate.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP Moderate

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select FedRAMP Moderate from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the FedRAMP Moderate compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the FedRAMP High compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP High

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select FedRAMP High from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the FedRAMP High compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the HIPAA (Preview) compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. HIPAA (Preview) is in the Preview launch stage. To request access, you must first enroll by filling out this form.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for HIPAA (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select HIPAA (Preview) from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the HIPAA (Preview) compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the HITRUST (Preview) compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. HITRUST (Preview) is in the Preview launch stage. To request access, you must first enroll by filling out this form.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for HITRUST (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select HITRUST (Preview) from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the HITRUST (Preview) compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the IL4 compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL4

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select IL4 from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL4 compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the ITAR compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. Ensure that you understand the Restrictions and limitations associated with ITAR.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for ITAR

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select ITAR from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the ITAR compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Australia Regions with Assured Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Australia Regions with Assured Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Australia.
    6. Select Australia Regions with Assured Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Australia Regions with Assured Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Canada Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Canada Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Canada.
    6. Select Canada Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Canada Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the EU Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select European Union.
    6. Select EU Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the EU Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the EU Regions and Support with Sovereignty Controls compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. Ensure that you understand the Restrictions and limitations associated with EU Regions and Support with Sovereignty Controls.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support with Sovereignty Controls

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select European Union.
    6. Select EU Regions and Support with Sovereignty Controls from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the EU Regions and Support with Sovereignty Controls compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Israel Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Israel Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Israel.
    6. Select Israel Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Israel Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the US Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for US Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select US Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the US Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

What's next