Create a new Assured Workloads folder

This page describes how to create a new Assured Workloads folder for each control package.

For more information about Assured Workloads, see the Assured Workloads overview.

Select a control package

Select a control package to learn how to create an Assured Workloads folder:

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the CJIS control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using CJIS in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for CJIS

    1. In the Google Cloud console, go to the Assured Workloads page.

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select CJIS from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the CJIS control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with CJIS in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for CJIS.
    • Analyze an existing project that you want to make compliant with CJIS, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
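
The folder controls and the BigQuery step described above can be checked from the folder's organization policies. The following is an added example, not part of the original page or Google's tooling: it assumes the policies were exported as Org Policy API v2 objects and that the two controls map to the `gcp.restrictServiceUsage` and `gcp.resourceLocations` constraints, and it runs on a constructed sample with a placeholder folder ID.

```python
import json

SERVICE_CONSTRAINT = "gcp.restrictServiceUsage"  # assumed constraint for allowed services
LOCATION_CONSTRAINT = "gcp.resourceLocations"    # assumed constraint for allowed locations

# Constructed sample (placeholder folder ID): policies on a freshly created folder
# where the BigQuery services have not yet been added to the allow-list.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "folders/111111111111/policies/gcp.resourceLocations",
   "spec": {"rules": [{"values": {"allowedValues": ["in:us-locations"]}}]}},
  {"name": "folders/111111111111/policies/gcp.restrictServiceUsage",
   "spec": {"rules": [{"values": {"allowedValues": [
       "compute.googleapis.com", "storage.googleapis.com",
       "cloudkms.googleapis.com"]}}]}}
]
""")


def allowed_values(policies, constraint):
    """Return the constraint's allow-list as a set, or None when the policy is
    missing, contains an allowAll rule, or lists no allowed values."""
    for policy in policies:
        if policy.get("name", "").rsplit("/policies/", 1)[-1] != constraint:
            continue
        values = set()
        for rule in policy.get("spec", {}).get("rules", []):
            if rule.get("allowAll"):
                return None  # an allow-all rule defeats the restriction
            values.update(rule.get("values", {}).get("allowedValues", []))
        return values or None
    return None


def audit_folder(policies):
    """Check both guardrails and report whether BigQuery is allowed yet."""
    services = allowed_values(policies, SERVICE_CONSTRAINT)
    locations = allowed_values(policies, LOCATION_CONSTRAINT)
    findings = []
    if services is None:
        findings.append("FAIL: resource usage is not restricted to an allow-list")
    if locations is None:
        findings.append("FAIL: resource locations are not restricted to an allow-list")
    # The page refers to "BigQuery services" (plural), so match by prefix.
    bigquery = sorted(s for s in (services or ()) if s.startswith("bigquery"))
    if services is not None and not bigquery:
        findings.append("INFO: BigQuery not allowed yet; check Review Available Updates")
    return {
        "guardrails_in_place": services is not None and locations is not None,
        "bigquery_services": bigquery,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_folder(SAMPLE_POLICIES), indent=2))
```

Rules with conditions are not evaluated here; a policy that relies on them needs a manual review.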

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the FedRAMP Moderate control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. (Optional) Enable Access Transparency for the organization. Access Transparency is not required for FedRAMP Moderate.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP Moderate

    1. In the Google Cloud console, go to the Assured Workloads page.

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select FedRAMP Moderate from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the FedRAMP Moderate control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with FedRAMP Moderate in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for FedRAMP Moderate.
    • Analyze an existing project that you want to make compliant with FedRAMP Moderate, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the FedRAMP High control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using FedRAMP High in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. (Optional) Enable Access Transparency for the organization. Access Transparency is not required for FedRAMP High.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP High

    1. In the Google Cloud console, go to the Assured Workloads page.

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select FedRAMP High from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the FedRAMP High control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with FedRAMP High in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for FedRAMP High.
    • Analyze an existing project that you want to make compliant with FedRAMP High, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the HIPAA (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.
    6. HIPAA (Preview) is in the Preview launch stage. To request access, you must first enroll by filling out this form.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for HIPAA (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select HIPAA (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the HIPAA (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with HIPAA (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for HIPAA (Preview).
    • Analyze an existing project that you want to make compliant with HIPAA (Preview), and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the HITRUST (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.
    6. HITRUST (Preview) is in the Preview launch stage. To request access, you must first enroll by filling out this form.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for HITRUST (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select HITRUST (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the HITRUST (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with HITRUST (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for HITRUST (Preview).
    • Analyze an existing project that you want to make compliant with HITRUST (Preview), and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the IL2 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using IL2 in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL2

    1. In the Google Cloud console, go to the Assured Workloads page.

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IL2 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the IL2 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IL2 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL2.
    • Analyze an existing project that you want to make compliant with IL2, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the IL4 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using IL4 in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL4

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IL4 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the IL4 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IL4 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL4.
    • Analyze an existing project that you want to make compliant with IL4, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps before you create an Assured Workloads folder for the IL5 control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using IL5 in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL5

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select IL5 from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the IL5 control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with IL5 in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL5.
    • Analyze an existing project that you want to make compliant with IL5, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps before you create an Assured Workloads folder for the ITAR control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand the Restrictions and limitations associated with ITAR.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using ITAR in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.
    7. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for ITAR

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regulatory Controls from the drop-down menu.
    6. Select ITAR from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the ITAR control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with ITAR in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for ITAR.
    • Analyze an existing project that you want to make compliant with ITAR, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps before you create an Assured Workloads folder for the Australia Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Australia Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Australia Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Australia Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Australia Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Australia Regions (Preview).
    • Analyze an existing project that you want to make compliant with Australia Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps before you create an Assured Workloads folder for the Australia Regions with Assured Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using Australia Regions with Assured Support in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Australia Regions with Assured Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Australia Regions with Assured Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Australia Regions with Assured Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Australia Regions with Assured Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Australia Regions with Assured Support.
    • Analyze an existing project that you want to make compliant with Australia Regions with Assured Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps before you create an Assured Workloads folder for the Brazil Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Brazil Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Brazil Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Brazil Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Brazil Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Brazil Regions (Preview).
    • Analyze an existing project that you want to make compliant with Brazil Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
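
    The BigQuery check that each control package section above describes can also be run against an export of the folder's Resource Usage Restriction policy. The following Python is an added example, not part of the original page or of Google's tooling. It assumes that policy is the constraints/gcp.restrictServiceUsage constraint exported as JSON with a listPolicy field, and that BigQuery service names start with "bigquery"; the sample policies and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: the "Resource Usage Restriction" policy named on the page is the
# constraints/gcp.restrictServiceUsage constraint, exported as JSON.
CONSTRAINT = "constraints/gcp.restrictServiceUsage"
# From the page: contact Cloud Customer Care if BigQuery services are not
# listed within 12 hours of folder creation.
ESCALATE_AFTER = timedelta(hours=12)

ADVICE = {
    "enabled": "BigQuery is in the allowed services; it can be used in the folder.",
    "pending": "Open Review Available Updates; if BigQuery is listed, click "
               "Allow Services, otherwise wait for the internal process.",
    "escalate": "More than 12 hours since folder creation; if BigQuery is still "
                "not listed in Review Available Updates, contact Cloud Customer Care.",
    "unrestricted": "The policy allows all services; the folder is not "
                    "restricting resource usage as the control package expects.",
}


def is_bigquery(service):
    # Assumption: every BigQuery API service name starts with "bigquery".
    return service.startswith("bigquery") and service.endswith(".googleapis.com")


def load_list_policy(policy_json):
    """Parse the exported policy and return its listPolicy section."""
    policy = json.loads(policy_json)
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError("not a %s policy" % CONSTRAINT)
    return policy.get("listPolicy") or {}


def bigquery_services(policy_json):
    """Return the BigQuery services already present in the allow list."""
    allowed = load_list_policy(policy_json).get("allowedValues", [])
    return sorted(s for s in allowed if is_bigquery(s))


def bigquery_status(policy_json, folder_created, now):
    """Classify the folder as enabled, pending, escalate or unrestricted."""
    list_policy = load_list_policy(policy_json)
    # No list policy, or an explicit allow-all, means nothing is restricted.
    if not list_policy or list_policy.get("allValues") == "ALLOW":
        return "unrestricted"
    if bigquery_services(policy_json):
        return "enabled"
    if now - folder_created >= ESCALATE_AFTER:
        return "escalate"
    return "pending"


# Constructed sample exports (not real policy data).
POLICY_PENDING = json.dumps({
    "constraint": CONSTRAINT,
    "listPolicy": {"allowedValues": [
        "compute.googleapis.com", "cloudkms.googleapis.com",
        "storage.googleapis.com"]},
})
POLICY_ENABLED = json.dumps({
    "constraint": CONSTRAINT,
    "listPolicy": {"allowedValues": [
        "compute.googleapis.com", "bigquerystorage.googleapis.com",
        "bigquery.googleapis.com"]},
})
POLICY_OPEN = json.dumps({
    "constraint": CONSTRAINT,
    "listPolicy": {"allValues": "ALLOW"},
})

# Constructed folder creation time.
CREATED = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    cases = [
        ("30 minutes after creation", POLICY_PENDING, timedelta(minutes=30)),
        ("13 hours after creation", POLICY_PENDING, timedelta(hours=13)),
        ("after Allow Services", POLICY_ENABLED, timedelta(hours=1)),
        ("allow-all policy", POLICY_OPEN, timedelta(hours=1)),
    ]
    for label, policy, age in cases:
        state = bigquery_status(policy, CREATED, CREATED + age)
        print("%s: %s - %s" % (label, state, ADVICE[state]))
```

    The "unrestricted" result is not a state the page describes; it is included so that an allow-all policy on an Assured Workloads folder is flagged rather than reported as pending.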

  • Before you begin

    If you haven't already, you must complete the following steps before you create an Assured Workloads folder for the Canada Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Canada Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Canada Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Canada Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Canada Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Canada Regions (Preview).
    • Analyze an existing project that you want to make compliant with Canada Regions (Preview), and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
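
    The same check can be made against the folder's effective organization policy instead of the console pane. The following Python is an added example, not part of the original page or of Google's tooling; it assumes the Resource Usage Restriction policy corresponds to the gcp.restrictServiceUsage constraint, and the sample policy JSON, folder ID and status names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: the "Resource Usage Restriction" policy named on this page is the
# gcp.restrictServiceUsage constraint, exported for the folder with:
#   gcloud org-policies describe gcp.restrictServiceUsage \
#       --folder=FOLDER_ID --effective --format=json
# Both documents below are constructed samples, not output from a real folder.
SAMPLE_BEFORE = json.loads("""
{
  "name": "folders/000000000000/policies/gcp.restrictServiceUsage",
  "spec": {"rules": [{"values": {"allowedValues": [
    "compute.googleapis.com",
    "storage.googleapis.com",
    "cloudkms.googleapis.com"
  ]}}]}
}
""")
SAMPLE_AFTER = json.loads("""
{
  "name": "folders/000000000000/policies/gcp.restrictServiceUsage",
  "spec": {"rules": [{"values": {"allowedValues": [
    "compute.googleapis.com",
    "storage.googleapis.com",
    "cloudkms.googleapis.com",
    "bigquery.googleapis.com"
  ]}}]}
}
""")

BIGQUERY_API = "bigquery.googleapis.com"
ESCALATE_AFTER = timedelta(hours=12)  # threshold stated on this page


def allowed_services(policy):
    """Return the set of allowed service names, or None if nothing is restricted."""
    allowed, denied = set(), set()
    for rule in policy.get("spec", {}).get("rules", []):
        if rule.get("allowAll"):
            # An unrestricted folder is not what Assured Workloads should leave behind.
            return None
        values = rule.get("values", {})
        allowed.update(values.get("allowedValues", []))
        denied.update(values.get("deniedValues", []))
    return allowed - denied


def bigquery_status(policy, folder_created, now=None):
    """Classify BigQuery enablement for a folder created at `folder_created` (UTC).

    Status names are hypothetical labels for this example:
      enabled        - BigQuery is already in the allowed services
      review-updates - absent, folder is younger than 12 hours: review the
                       Allowed services pane again later
      escalate       - absent after 12 hours: if the pane still does not list
                       BigQuery, contact Cloud Customer Care
      unrestricted   - the policy allows every service and needs investigating
    """
    now = now or datetime.now(timezone.utc)
    services = allowed_services(policy)
    if services is None:
        return "unrestricted"
    if BIGQUERY_API in services:
        return "enabled"
    if now - folder_created >= ESCALATE_AFTER:
        return "escalate"
    return "review-updates"


if __name__ == "__main__":
    created = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    for label, policy, age in [
        ("30 minutes after creation", SAMPLE_BEFORE, timedelta(minutes=30)),
        ("13 hours after creation", SAMPLE_BEFORE, timedelta(hours=13)),
        ("after Allow Services", SAMPLE_AFTER, timedelta(hours=13)),
    ]:
        print(f"{label}: {bigquery_status(policy, created, created + age)}")
```

    The policy only contains BigQuery after Allow Services has been clicked, so an "escalate" result still requires looking at the Allowed services pane before contacting support.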

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the Canada Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using Canada Regions and Support in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Canada Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Canada Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Canada Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Canada Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Canada Regions and Support.
    • Analyze an existing project that you want to make compliant with Canada Regions and Support, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the Chile Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Chile Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Chile Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Chile Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Chile Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Chile Regions (Preview).
    • Analyze an existing project that you want to make compliant with Chile Regions (Preview), and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the EU Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select EU Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the EU Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with EU Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions (Preview).
    • Analyze an existing project that you want to make compliant with EU Regions (Preview), and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the EU Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using EU Regions and Support in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select EU Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the EU Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with EU Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions and Support.
    • Analyze an existing project that you want to make compliant with EU Regions and Support, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the EU Regions and Support with Sovereignty Controls control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand the Restrictions and limitations associated with EU Regions and Support with Sovereignty Controls.
    3. Ensure that you understand how to get support for Assured Workloads.
    4. Ensure that you understand the additional cost when using EU Regions and Support with Sovereignty Controls in Assured Workloads.
    5. Set up Cloud Identity and verify your domain.
    6. After Cloud Identity has been configured, create an organization.
    7. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support with Sovereignty Controls

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Sovereign Controls from the drop-down menu.
    6. Select EU Regions and Support with Sovereignty Controls from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the EU Regions and Support with Sovereignty Controls control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • A CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with EU Regions and Support with Sovereignty Controls in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions and Support with Sovereignty Controls.
    • Analyze an existing project that you want to make compliant with EU Regions and Support with Sovereignty Controls, and make any of the required changes. Then, move the project to the newly created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery isn't automatically enabled when you create a new Assured Workloads folder, because an internal configuration process must finish first. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, complete the following steps before you create an Assured Workloads folder for the India Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for India Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select India Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the India Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with India Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for India Regions (Preview).
    • Analyze an existing project that you want to make compliant with India Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported but isn't automatically enabled when you create a new Assured Workloads folder, because of an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
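An added example, not part of the original page or of Google's tooling: the allow-list state that the BigQuery steps above inspect in the console can also be audited from the JSON returned by `gcloud org-policies describe gcp.restrictServiceUsage --folder=FOLDER_ID --format=json`. The constraint name, the constructed sample policy, the `bigquery*` prefix match and all function names are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: this is the constraint behind the "Resource Usage Restriction" policy.
CONSTRAINT = "gcp.restrictServiceUsage"
# From the page: escalate if BigQuery is still not listed 12 hours after folder creation.
ESCALATE_AFTER = timedelta(hours=12)

# Constructed sample in the Org Policy API v2 shape; folder number and services are made up.
SAMPLE_POLICY = json.loads("""
{
  "name": "folders/123456789012/policies/gcp.restrictServiceUsage",
  "spec": {
    "rules": [
      {"values": {"allowedValues": [
        "compute.googleapis.com",
        "storage.googleapis.com",
        "cloudkms.googleapis.com"
      ]}}
    ]
  }
}
""")


def parse_allow_list(policy):
    """Return (allowed_services, findings) for a folder-level service restriction policy."""
    name = policy.get("name", "")
    if not name.startswith("folders/") or not name.endswith("/policies/" + CONSTRAINT):
        raise ValueError(f"not a folder-level {CONSTRAINT} policy: {name!r}")

    spec = policy.get("spec") or {}
    allowed, findings = set(), []
    if spec.get("inheritFromParent"):
        findings.append("inherits from parent: re-run describe with --effective")
    for rule in spec.get("rules", []):
        if rule.get("allowAll"):
            findings.append("allowAll rule: service usage is not restricted")
        if rule.get("condition"):
            # Conditional rules apply only to some resources; do not count their values.
            findings.append("conditional rule: review manually")
            continue
        values = rule.get("values") or {}
        if values.get("deniedValues"):
            findings.append("deny-list rule: expected an allow list")
        allowed.update(values.get("allowedValues", []))
    if not allowed:
        findings.append("no unconditional allowedValues found")
    return allowed, findings


def bigquery_status(policy, folder_created, now):
    """Classify BigQuery enablement; both datetimes must be timezone-aware.

    allowed  - a BigQuery service is already in the folder's allow list
    pending  - not allowed yet, under 12 hours old: check Review Available Updates or wait
    escalate - not allowed 12 hours or more after creation: if the update is still
               not offered in the console, contact Cloud Customer Care
    """
    allowed, findings = parse_allow_list(policy)
    bigquery = sorted(
        s for s in allowed
        if s.startswith("bigquery") and s.endswith(".googleapis.com")
    )
    if bigquery:
        status = "allowed"
    elif now - folder_created < ESCALATE_AFTER:
        status = "pending"
    else:
        status = "escalate"
    return {"status": status, "bigquery_services": bigquery, "findings": findings}


if __name__ == "__main__":
    created = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    for hours in (0.5, 13):
        result = bigquery_status(SAMPLE_POLICY, created, created + timedelta(hours=hours))
        print(f"{hours:>4}h after creation -> {result}")
```

Any entry in `findings` means the folder's policy does not look like the plain allow list this page describes and should be reviewed before workloads are placed in the folder.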

  • Before you begin

    If you haven't already done so, complete the following steps before you create an Assured Workloads folder for the Indonesia Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Indonesia Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Indonesia Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Indonesia Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Indonesia Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Indonesia Regions (Preview).
    • Analyze an existing project that you want to make compliant with Indonesia Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported but isn't automatically enabled when you create a new Assured Workloads folder, because of an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already done so, complete the following steps before you create an Assured Workloads folder for the Israel Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Israel Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Israel Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Israel Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Israel Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Israel Regions (Preview).
    • Analyze an existing project that you want to make compliant with Israel Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported but isn't automatically enabled when you create a new Assured Workloads folder, because of an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already done so, complete the following steps before you create an Assured Workloads folder for the Israel Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using Israel Regions and Support in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Israel Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Israel Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Israel Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Israel Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Israel Regions and Support.
    • Analyze an existing project that you want to make compliant with Israel Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported but isn't automatically enabled when you create a new Assured Workloads folder, because of an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already done so, complete the following steps before you create an Assured Workloads folder for the Japan Regions control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using Japan Regions in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Japan Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Japan Regions from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Japan Regions control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Japan Regions in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Japan Regions.
    • Analyze an existing project that you want to make compliant with Japan Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported but isn't automatically enabled when you create a new Assured Workloads folder, because of an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already done so, complete the following steps before you create an Assured Workloads folder for the Singapore Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Singapore Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Singapore Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Singapore Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Singapore Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Singapore Regions (Preview).
    • Analyze an existing project that you want to make compliant with Singapore Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported but isn't automatically enabled when you create a new Assured Workloads folder, because of an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already done so, complete the following steps before you create an Assured Workloads folder for the South Korea Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for South Korea Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select South Korea Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the South Korea Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with South Korea Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for South Korea Regions (Preview).
    • Analyze an existing project that you want to make compliant with South Korea Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
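A scripted counterpart to the console checks above, as an added example (not part of Google's documentation or tooling): it reads the folder's organization policies as JSON and reports whether BigQuery has been added to the Resource Usage Restriction allow-list and whether the allowed locations match what you expect. The constraint names `gcp.restrictServiceUsage` and `gcp.resourceLocations`, the matching of BigQuery services by the `bigquery` name prefix, and every sample value are assumptions; the policy documents below are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

ESCALATE_AFTER = timedelta(hours=12)  # page: contact Cloud Customer Care after 12 hours

# Constructed sample input, shaped like the JSON printed by
#   gcloud org-policies describe gcp.restrictServiceUsage \
#       --folder=FOLDER_ID --effective --format=json
# FOLDER_ID, the folder number and the listed values are placeholders.
SAMPLE_SERVICE_POLICY = json.loads("""
{"name": "folders/000000000000/policies/gcp.restrictServiceUsage",
 "spec": {"rules": [{"values": {"allowedValues": [
     "compute.googleapis.com", "storage.googleapis.com",
     "cloudkms.googleapis.com"]}}]}}
""")
SAMPLE_LOCATION_POLICY = json.loads("""
{"name": "folders/000000000000/policies/gcp.resourceLocations",
 "spec": {"rules": [{"values": {"allowedValues":
     ["in:asia-northeast3-locations"]}}]}}
""")


def allowed_values(policy):
    """Return the allow-list as a set, or None if it is not a plain allow-list."""
    rules = policy.get("spec", {}).get("rules", [])
    if not rules:
        return None  # no rules present, so there is no allow-list to inspect
    allowed = set()
    for rule in rules:
        values = rule.get("values", {})
        # allowAll, denyAll, deny-lists and conditional rules are treated as
        # "cannot verify" rather than guessed at.
        if (rule.get("allowAll") or rule.get("denyAll")
                or rule.get("condition") or values.get("deniedValues")):
            return None
        allowed.update(values.get("allowedValues", []))
    return allowed


def bigquery_status(service_policy, folder_created, now):
    """Classify BigQuery enablement from the Resource Usage Restriction policy.

    ALLOWED        - a BigQuery service is in the allow-list.
    PENDING        - absent; review Available Updates in the console.
    OVERDUE        - absent 12 hours or more after folder creation; if the
                     Allowed services pane does not list it either, the page
                     says to contact Cloud Customer Care.
    NOT_RESTRICTED - the policy is not a plain allow-list, which is not what
                     an Assured Workloads folder is expected to carry.
    """
    allowed = allowed_values(service_policy)
    if allowed is None:
        return "NOT_RESTRICTED"
    # Assumption: BigQuery services are recognised by their name prefix.
    if any(service.startswith("bigquery") for service in allowed):
        return "ALLOWED"
    if now - folder_created >= ESCALATE_AFTER:
        return "OVERDUE"
    return "PENDING"


def location_findings(location_policy, expected):
    """List allowed locations that fall outside the expected set."""
    allowed = allowed_values(location_policy)
    if allowed is None:
        return ["gcp.resourceLocations is not a plain allow-list"]
    return [f"unexpected allowed location: {value}"
            for value in sorted(allowed - set(expected))]


def audit_folder(service_policy, location_policy, expected_locations,
                 folder_created, now=None):
    """Combine both checks into one report for a single folder."""
    now = now or datetime.now(timezone.utc)
    return {
        "bigquery": bigquery_status(service_policy, folder_created, now),
        "location_findings": location_findings(location_policy,
                                               expected_locations),
    }


if __name__ == "__main__":
    created = datetime.now(timezone.utc) - timedelta(minutes=30)
    print(audit_folder(SAMPLE_SERVICE_POLICY, SAMPLE_LOCATION_POLICY,
                       {"in:asia-northeast3-locations"}, created))
```
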

  • Before you begin

    If you haven't already, you must complete the following steps to create an Assured Workloads folder for the Switzerland Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Switzerland Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Switzerland Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Switzerland Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Switzerland Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Switzerland Regions (Preview).
    • Analyze an existing project that you want to make compliant with Switzerland Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps to create an Assured Workloads folder for the Taiwan Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Taiwan Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select Taiwan Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the Taiwan Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with Taiwan Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Taiwan Regions (Preview).
    • Analyze an existing project that you want to make compliant with Taiwan Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps to create an Assured Workloads folder for the UK Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for UK Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select UK Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the UK Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with UK Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for UK Regions (Preview).
    • Analyze an existing project that you want to make compliant with UK Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps to create an Assured Workloads folder for the US Regions (Preview) control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Set up Cloud Identity and verify your domain.
    4. After Cloud Identity has been configured, create an organization.
    5. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for US Regions (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select US Regions (Preview) from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the US Regions (Preview) control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with US Regions (Preview) in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for US Regions (Preview).
    • Analyze an existing project that you want to make compliant with US Regions (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the following steps to create an Assured Workloads folder for the US Regions and Support control package:

    1. Ensure that you understand Assured Workloads concepts.
    2. Ensure that you understand how to get support for Assured Workloads.
    3. Ensure that you understand the additional cost when using US Regions and Support in Assured Workloads.
    4. Set up Cloud Identity and verify your domain.
    5. After Cloud Identity has been configured, create an organization.
    6. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for US Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE to go to the Create an Assured Workloads folder page.
    4. In the step to Add folder details:
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      • In Organization, select the organization in which to create your folder. This location can't be changed later.
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • Click Next.
    5. In the step to Choose a control package option, select Regional Controls from the drop-down menu.
    6. Select US Regions and Support from the drop-down menu. See Control packages to learn about other options.
    7. In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
    8. Review the details about the control option you've selected, and click Next.
    9. (Optional) In the step to Configure additional settings, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
    10. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create Folder.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere to the US Regions and Support control package. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that you put the resources that you want to be compliant with US Regions and Support in the new folder. You can create projects inside of the folder along with resources for supported products, or migrate existing projects. Some possible next steps include the following:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for US Regions and Support.
    • Analyze an existing project that you want to make compliant with US Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected control package lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

What's next