Create a new Assured Workloads folder

This page describes how to create a new Assured Workloads folder for each compliance program.

For more information about Assured Workloads, see the Assured Workloads overview.

Select a compliance program

Select your desired compliance program to learn how to create an Assured Workloads folder:

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the CJIS compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for CJIS

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select CJIS from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the CJIS compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • A CMEK project that contains the configured CMEK key ring. See Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with CJIS be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for CJIS.
    • Analyze an existing project that you want to make compliant with CJIS, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the FedRAMP Moderate compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. (Optional) Enable Access Transparency for the organization. Access Transparency is not required for FedRAMP Moderate.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP Moderate

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select FedRAMP Moderate from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the FedRAMP Moderate compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with FedRAMP Moderate be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for FedRAMP Moderate.
    • Analyze an existing project that you want to make compliant with FedRAMP Moderate, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the FedRAMP High compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. (Optional) Enable Access Transparency for the organization. Access Transparency is not required for FedRAMP High.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for FedRAMP High

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select FedRAMP High from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the FedRAMP High compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with FedRAMP High be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for FedRAMP High.
    • Analyze an existing project that you want to make compliant with FedRAMP High, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the HIPAA (Preview) compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. HIPAA (Preview) is in the Preview launch stage. To request access, you must first enroll by filling out this form.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for HIPAA (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select HIPAA (Preview) from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the HIPAA (Preview) compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with HIPAA (Preview) be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for HIPAA (Preview).
    • Analyze an existing project that you want to make compliant with HIPAA (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the HITRUST (Preview) compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. HITRUST (Preview) is in the Preview launch stage. To request access, you must first enroll by filling out this form.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for HITRUST (Preview)

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select HITRUST (Preview) from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the HITRUST (Preview) compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with HITRUST (Preview) be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for HITRUST (Preview).
    • Analyze an existing project that you want to make compliant with HITRUST (Preview), and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the IL2 compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL2

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select IL2 from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL2 compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with IL2 be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL2.
    • Analyze an existing project that you want to make compliant with IL2, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the IL4 compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL4

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select IL4 from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL4 compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with IL4 be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL4.
    • Analyze an existing project that you want to make compliant with IL4, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the IL5 compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for IL5

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select IL5 from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the IL5 compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with IL5 be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for IL5.
    • Analyze an existing project that you want to make compliant with IL5, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the ITAR compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. Ensure that you understand the Restrictions and limitations associated with ITAR.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for ITAR

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select ITAR from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the ITAR compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with ITAR be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for ITAR.
    • Analyze an existing project that you want to make compliant with ITAR, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Australia Regions with Assured Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Australia Regions with Assured Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Australia.
    6. Select Australia Regions with Assured Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Australia Regions with Assured Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with Australia Regions with Assured Support be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Australia Regions with Assured Support.
    • Analyze an existing project that you want to make compliant with Australia Regions with Assured Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Canada Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Canada Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Canada.
    6. Select Canada Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Canada Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with Canada Regions and Support be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Canada Regions and Support.
    • Analyze an existing project that you want to make compliant with Canada Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the EU Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select European Union.
    6. Select EU Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the EU Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with EU Regions and Support be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions and Support.
    • Analyze an existing project that you want to make compliant with EU Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the EU Regions and Support with Sovereignty Controls compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.
    5. Ensure that you understand the Restrictions and limitations associated with EU Regions and Support with Sovereignty Controls.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for EU Regions and Support with Sovereignty Controls

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select European Union.
    6. Select EU Regions and Support with Sovereignty Controls from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. In the step to Configure key management, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the EU Regions and Support with Sovereignty Controls compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with EU Regions and Support with Sovereignty Controls be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for EU Regions and Support with Sovereignty Controls.
    • Analyze an existing project that you want to make compliant with EU Regions and Support with Sovereignty Controls, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Israel Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Israel Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Israel.
    6. Select Israel Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Israel Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with Israel Regions and Support be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Israel Regions and Support.
    • Analyze an existing project that you want to make compliant with Israel Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the Japan Regions compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for Japan Regions

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select Japan.
    6. Select Japan Regions from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the Japan Regions compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with Japan Regions be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for Japan Regions.
    • Analyze an existing project that you want to make compliant with Japan Regions, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

  • Before you begin

    If you haven't already, you must complete the steps below to create an Assured Workloads folder for the US Regions and Support compliance program:

    1. Ensure that you understand Assured Workloads concepts.
    2. Set up Cloud Identity and verify your domain.
    3. After Cloud Identity has been configured, create an organization.
    4. Enable Access Transparency for the organization.

    Required IAM roles

    To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

    Create an Assured Workloads folder for US Regions and Support

    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. If prompted, select your organization.
    3. Click CREATE.
    4. From the Create an Assured Workloads folder steps, ensure that you've met the necessary prerequisites and click Next.
    5. In the step to Select compliance type, from the Origin of compliance type, select United States.
    6. Select US Regions and Support from the list, and click Next.
    7. In the step to Select region, select your desired region or multi-region. See the Locations page for more information about supported regions.
    8. Click Next.
    9. In the step to Configure your folder:
      • In Folder location, select the location in the resource hierarchy where the folder will be created. An Assured Workloads folder can be created as a child of an organization or of another folder.
      • In Folder name, enter a unique name for the folder, such as aw-my-folder-name. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens.
      Click Next.
    10. (Optional) In the step to Configure key management, you can create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). This step does not create the keys themselves; Assured Workloads does not automatically create any cryptographic keys for you. See Supporting compliance with key management for more information.
      • In the Key ring name field, enter the name of the new key ring.
      • In the Project name field, enter the name of the new CMEK project to create (Optional). If no project name is specified, the project name will be automatically set to cmek-FOLDER_NAME. For example, if your Assured Workloads folder is aw-my-folder-name, the CMEK project will automatically be called cmek-aw-my-folder-name. Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • In the Project ID field, enter the ID of the project to create for your encryption keys (Optional). Do not include sensitive data or personally identifiable information (PII) in the project ID.
      • Select the billing account that's associated with your Google Cloud organization.
      Click Next.
    11. In the step to Review and create folder, review the details about your new Assured Workloads folder and ensure that they are correct. Then, click Create.

    After completing the steps above, Assured Workloads creates the following resources:

    • An Assured Workloads folder, which enforces security controls on supported Google Cloud products to adhere with the US Regions and Support compliance program. These security controls include setting an organization policy that restricts resource usage to only those supported products.
    • If you chose to create one, a CMEK project that contains the configured CMEK key ring. If you use CMEK, see Create and obtain a CMEK key to learn more.

    Use your new Assured Workloads folder

    To start using your Assured Workloads folder, it's important that any resources that you want to be compliant with US Regions and Support be placed in the new folder. You can create projects inside of it along with resources for supported products, or migrate existing projects:

    • Create a new project in the newly-created Assured Workloads folder, and then create a Compute Engine VM inside the project. The VM instance will be configured to meet the compliance requirements for US Regions and Support.
    • Analyze an existing project that you want to make compliant with US Regions and Support, and make any of the required changes. Then, move the project to the newly-created Assured Workloads folder.

    Enabling BigQuery in your folder

    If your selected compliance program lists BigQuery as a supported service, BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates.
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

What's next