Create a new Assured Workloads folder

This page describes how to create a new Assured Workloads folder for each control package.

For more information about Assured Workloads, see the Assured Workloads overview.

Select a control package

Select a control package to learn how to create an Assured Workloads folder:

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the CJIS control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using CJIS in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for CJIS

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select CJIS from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the CJIS control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with CJIS in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for CJIS.
    • Analyze an existing project that you want to make compliant with CJIS, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the FedRAMP Moderate control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP Moderate

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select FedRAMP Moderate from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the FedRAMP Moderate control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with FedRAMP Moderate in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for FedRAMP Moderate.
    • Analyze an existing project that you want to make compliant with FedRAMP Moderate, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the FedRAMP High control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using FedRAMP High in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP High

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select FedRAMP High from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the FedRAMP High control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with FedRAMP High in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for FedRAMP High.
    • Analyze an existing project that you want to make compliant with FedRAMP High, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Healthcare and Life Sciences Controls control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Healthcare and Life Sciences Controls

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select Healthcare and Life Sciences Controls from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Healthcare and Life Sciences Controls control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Healthcare and Life Sciences Controls in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Healthcare and Life Sciences Controls.
    • Analyze an existing project that you want to make compliant with Healthcare and Life Sciences Controls, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Healthcare and Life Sciences Controls with US Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Healthcare and Life Sciences Controls with US Support in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Healthcare and Life Sciences Controls with US Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select Healthcare and Life Sciences Controls with US Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Healthcare and Life Sciences Controls with US Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Healthcare and Life Sciences Controls with US Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Healthcare and Life Sciences Controls with US Support.
    • Analyze an existing project that you want to make compliant with Healthcare and Life Sciences Controls with US Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the IL2 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using IL2 in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL2

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IL2 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL2 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IL2 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL2.
    • Analyze an existing project that you want to make compliant with IL2, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the IL4 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using IL4 in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL4

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IL4 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL4 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IL4 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL4.
    • Analyze an existing project that you want to make compliant with IL4, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the IL5 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using IL5 in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL5

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IL5 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL5 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IL5 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL5.
    • Analyze an existing project that you want to make compliant with IL5, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the ITAR control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand the Restrictions and limitations associated with ITAR.
    3. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    4. Ensure that you understand how to get support for Assured Workloads.
    5. Ensure that you understand the additional cost when using ITAR in Assured Workloads.
    6. Set up Cloud Identity and verify your domain.
    7. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for ITAR

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select ITAR from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the ITAR control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with ITAR in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for ITAR.
    • Analyze an existing project that you want to make compliant with ITAR, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the IRS Publication 1075 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using IRS Publication 1075 in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IRS Publication 1075

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IRS Publication 1075 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IRS Publication 1075 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IRS Publication 1075 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IRS Publication 1075.
    • Analyze an existing project that you want to make compliant with IRS Publication 1075, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Australia Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Australia Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Australia Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Australia Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Australia Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Australia Regions.
    • Analyze an existing project that you want to make compliant with Australia Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Australia Regions with Assured Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Australia Regions with Assured Support in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Australia Regions with Assured Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Australia Regions with Assured Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Australia Regions with Assured Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Australia Regions with Assured Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Australia Regions with Assured Support.
    • Analyze an existing project that you want to make compliant with Australia Regions with Assured Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Brazil Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Brazil Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Brazil Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Brazil Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Brazil Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Brazil Regions.
    • Analyze an existing project that you want to make compliant with Brazil Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Canada Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Canada Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Canada Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Canada Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Canada Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Canada Regions.
    • Analyze an existing project that you want to make compliant with Canada Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Canada Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Canada Regions and Support in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Canada Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Canada Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Canada Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Canada Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Canada Regions and Support.
    • Analyze an existing project that you want to make compliant with Canada Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Chile Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Chile Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Chile Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Chile Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Chile Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Chile Regions.
    • Analyze an existing project that you want to make compliant with Chile Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the EU Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select EU Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the EU Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with EU Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions.
    • Analyze an existing project that you want to make compliant with EU Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the EU Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using EU Regions and Support in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select EU Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the EU Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with EU Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions and Support.
    • Analyze an existing project that you want to make compliant with EU Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Sovereign Controls for EU control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand the Restrictions and limitations associated with Sovereign Controls for EU.
    3. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    4. Ensure that you understand how to get support for Assured Workloads.
    5. Ensure that you understand the additional cost when using Sovereign Controls for EU in Assured Workloads.
    6. Set up Cloud Identity and verify your domain.
    7. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Sovereign Controls for EU

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Sovereign Controls from the drop-down menu.
    6. Select Sovereign Controls for EU from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Sovereign Controls for EU control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Sovereign Controls for EU in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Sovereign Controls for EU.
    • Analyze an existing project that you want to make compliant with Sovereign Controls for EU, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Hong Kong Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Hong Kong Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Hong Kong Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Hong Kong Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Hong Kong Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Hong Kong Regions.
    • Analyze an existing project that you want to make compliant with Hong Kong Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the India Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for India Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select India Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the India Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with India Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for India Regions.
    • Analyze an existing project that you want to make compliant with India Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Indonesia Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Indonesia Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Indonesia Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Indonesia Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Indonesia Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Indonesia Regions.
    • Analyze an existing project that you want to make compliant with Indonesia Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Israel Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Israel Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Israel Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Israel Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Israel Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Israel Regions.
    • Analyze an existing project that you want to make compliant with Israel Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Israel Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Israel Regions and Support in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Israel Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Israel Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Israel Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Israel Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Israel Regions and Support.
    • Analyze an existing project that you want to make compliant with Israel Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Japan Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Japan Regions in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Japan Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Japan Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Japan Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Japan Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Japan Regions.
    • Analyze an existing project that you want to make compliant with Japan Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Qatar Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Qatar Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Qatar Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Qatar Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Qatar Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Qatar Regions.
    • Analyze an existing project that you want to make compliant with Qatar Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Singapore Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Singapore Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Singapore Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Singapore Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Singapore Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Singapore Regions.
    • Analyze an existing project that you want to make compliant with Singapore Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the South Africa Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for South Africa Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select South Africa Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the South Africa Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with South Africa Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for South Africa Regions.
    • Analyze an existing project that you want to make compliant with South Africa Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the South Korea Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for South Korea Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select South Korea Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the South Korea Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with South Korea Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for South Korea Regions.
    • Analyze an existing project that you want to make compliant with South Korea Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Sovereign Controls for Kingdom of Saudi Arabia control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Sovereign Controls for Kingdom of Saudi Arabia in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Sovereign Controls for Kingdom of Saudi Arabia

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Sovereign Controls from the drop-down menu.
    6. Select Sovereign Controls for Kingdom of Saudi Arabia from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Sovereign Controls for Kingdom of Saudi Arabia control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Sovereign Controls for Kingdom of Saudi Arabia in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Sovereign Controls for Kingdom of Saudi Arabia.
    • Analyze an existing project that you want to make compliant with Sovereign Controls for Kingdom of Saudi Arabia, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Switzerland Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using Switzerland Regions (Preview) in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Switzerland Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Switzerland Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Switzerland Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Switzerland Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Switzerland Regions (Preview).
    • Analyze an existing project that you want to make compliant with Switzerland Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the Taiwan Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Taiwan Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Taiwan Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Taiwan Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Taiwan Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Taiwan Regions.
    • Analyze an existing project that you want to make compliant with Taiwan Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the UK Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for UK Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select UK Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the UK Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with UK Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for UK Regions.
    • Analyze an existing project that you want to make compliant with UK Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the US Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for US Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select US Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the US Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with US Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for US Regions.
    • Analyze an existing project that you want to make compliant with US Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

  • Before you begin

    If you haven't already, you must complete the following below to create an Assured Workloads folder for the US Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. If Access Transparency is not enabled on your organization, it will automatically be enabled when you create an Assured Workloads folder. Any projects you create or move into the folder will be configured to use Access Transparency.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using US Regions and Support in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for US Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select US Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the US Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with US Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for US Regions and Support.
    • Analyze an existing project that you want to make compliant with US Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

What's next