Create a new folder in a workload environment (IL4, CJIS)

This topic guides you through setting up a new Assured Workloads environment in Google Cloud console for IL4 and CJIS compliance regimes. Note that Assured Workloads supports the IL4 compliance regime in the Preview stage.

For more information about Assured Workloads, see the Assured Workloads overview.

Before you begin

Assign Identity and Access Management permissions

Assign the Assured Workloads Administrator Identity and Access Management (IAM) role, which contains the minimum IAM permission levels to create and access Assured Workloads environments.

To grant the role, run the following gcloud command:

  gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="MEMBER" \
    --role="roles/assuredworkloads.admin"

Replace the following:

  • ORGANIZATION_ID: your organization identifier
  • MEMBER: the email address of the user you want to grant the role to, in the format example@customer.org

The roles/assuredworkloads.admin role enables the creation of workload environments.

To learn more about how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.

For more information about the IAM roles related to Assured Workloads, see IAM roles.

Access Transparency configuration

Access Transparency is required for certain platform controls. To use these controls, enable Access Transparency. See Access Transparency documentation to learn more.

Create a new folder in a workload environment

To create a new workload environment, do the following:

  1. In the Google Cloud console, go to the Assured Workloads page.

  2. On the Google Cloud console toolbar, click Select a project, and then choose your organization.

  3. Click Create.

  4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.

  5. In the step to Select jurisdiction, select the United States jurisdiction from the drop-down menu, and then click Next.

  6. In the step to Select a compliance type to be supported by your folder, select the IL4 or CJIS option and click Next.

  7. In the step to Select a region, select your desired region to deploy resources under the Assured Workloads environment and click Next.

  8. In the step to Review the compliance controls, ensure that you understand the constraints and controls for your workload. Additionally, ensure that you review the list of supported products for IL4 and CJIS.

  9. Click Next.

  10. In the step to Configure your folder:

    • Provide a Folder name for the new folder, such as aw-example.
    • For the Parent resource, provide the folder name or browse your organization's folders to specify the parent folder that has already been onboarded to Assured Workloads.

  11. Click Next.

  12. On the step to Configure key management, you will create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). For more information about key management in Assured Workloads, see Supporting compliance with key management:

    • In the Key ring name field, enter the name of the new key ring.
    • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. Do not include sensitive data or personally identifiable information (PII) in the project ID.
    • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
    • Select the billing account that's associated with your Google Cloud organization.

  13. On the last step, review the details about your new Assured Workloads environment and ensure that they are correct. Then, click Create.

Assured Workloads creates the following resources:

  • An Assured Workloads resource folder, which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
  • Organization policies, to enforce resource location constraint and support case routing.
  • A CMEK project that contains the configured CMEK key ring.

    If you use CMEK, see Create and obtain a CMEK key to learn more.
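The console procedure above, as a scripted equivalent that is added here and is not part of this documentation page: it uses the gcloud assured workloads create and list commands, restricts the regime to the IL4 and CJIS options this page covers, and pre-checks the cmek-FOLDER_NAME default against project ID syntax before anything is created. The organization, billing account, region and key rotation values are placeholders chosen for the example, not requirements stated on the page.

```shell
#!/usr/bin/env sh
# Added example (not from the Google Cloud documentation): CLI equivalent of the
# console steps for creating an IL4 or CJIS Assured Workloads folder.

# This page covers IL4 and CJIS only; fail early so a typo cannot create the
# folder under a different compliance regime.
check_regime() {
  case "$1" in
    IL4|CJIS) return 0 ;;
    *) echo "regime not covered by this procedure: $1" >&2; return 1 ;;
  esac
}

# Step 12 defaults the CMEK project to cmek-FOLDER_NAME. Project IDs must be
# 6-30 characters of lowercase letters, digits and hyphens, start with a
# letter and not end with a hyphen; a long or mixed-case folder name breaks
# that default, so compute it here and reject it before creation.
default_cmek_project() {
  id="cmek-$1"
  case "$id" in
    *[!a-z0-9-]*|*-) echo "invalid project ID derived from folder name: $id" >&2; return 1 ;;
  esac
  [ "${#id}" -le 30 ] || { echo "derived project ID exceeds 30 chars: $id" >&2; return 1; }
  echo "$id"
}

# Create the folder. Needs an authenticated gcloud session holding the
# roles/assuredworkloads.admin binding from the "Before you begin" section.
# Arguments: ORGANIZATION_ID REGION FOLDER_NAME REGIME BILLING_ACCOUNT_ID NEXT_ROTATION_RFC3339
create_workload() {
  check_regime "$4" || return 1
  default_cmek_project "$3" >/dev/null || return 1
  gcloud assured workloads create \
    --organization="$1" \
    --location="$2" \
    --display-name="$3" \
    --compliance-regime="$4" \
    --billing-account="billingAccounts/$5" \
    --next-rotation-time="$6" \
    --rotation-period=2592000s   # 30-day CMEK rotation, an example choice
}

# After creation, confirm a workload with the expected name AND regime exists.
# Arguments: ORGANIZATION_ID REGION FOLDER_NAME REGIME
verify_workload() {
  out=$(gcloud assured workloads list --organization="$1" --location="$2" \
    --filter="displayName=$3 AND complianceRegime=$4" --format="value(name)")
  [ -n "$out" ] || { echo "workload $3 ($4) not found" >&2; return 1; }
  echo "$out"
}
```

Invoke as `create_workload ORGANIZATION_ID us-central1 aw-example IL4 BILLING_ACCOUNT_ID 2025-01-01T00:00:00Z`, then `verify_workload ORGANIZATION_ID us-central1 aw-example IL4`.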

What's next