Restrict resource usage for workloads
=====================================

This page explains how to enable or disable restrictions for non-compliant resources in Assured Workloads folders. By default, each folder's control package determines which [products are supported](/assured-workloads/docs/supported-products), and therefore which resources can be used. This functionality is enforced by the [`gcp.restrictServiceUsage` organization policy constraint](/resource-manager/docs/organization-policy/restricting-resources), which is applied automatically to the folder when it is created.

Before you begin
----------------

### Required IAM roles

To modify resource usage restrictions, the caller must be granted Identity and Access Management (IAM) permissions using either a [predefined role](/iam/docs/understanding-roles#predefined) that includes a wider set of permissions, or a [custom role](/iam/docs/understanding-roles#custom_roles) that is restricted to the minimum necessary permissions.

The following permissions are required on the target [workload](/assured-workloads/docs/reference/rest/Shared.Types/Workload):

- `assuredworkloads.workload.update`
- `orgpolicy.policy.set`

These permissions are included in the following two roles:

- **Assured Workloads Administrator** (`roles/assuredworkloads.admin`)
- **Assured Workloads Editor** (`roles/assuredworkloads.editor`)

See [IAM roles](/assured-workloads/docs/iam-roles) for more information about roles for Assured Workloads.

Enable resource usage restrictions
----------------------------------

To enable resource usage restriction for a workload, run the following command. This command applies restrictions on the Assured Workloads folder in accordance with the control package's supported services:

    curl -d '{ "restrictionType": "ALLOW_COMPLIANT_RESOURCES" }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer TOKEN" -X POST \
      "SERVICE_ENDPOINT/v1/organizations/ORGANIZATION_ID/locations/WORKLOAD_LOCATION/workloads/WORKLOAD_ID:restrictAllowedServices"

Replace the following placeholder values with your own:

- TOKEN: The authentication token for the request, for example: `ya29.a0AfB_byDnQW7A2Vr5...tanw0427`

  If you have the Google Cloud SDK installed in your environment and are authenticated, you can substitute the output of the `gcloud auth print-access-token` command directly into the header: `-H "Authorization: Bearer $(gcloud auth print-access-token)" -X POST \`
- SERVICE_ENDPOINT: The desired [service endpoint](/assured-workloads/docs/reference/rest#service-endpoint), for example: `https://us-central1-assuredworkloads.googleapis.com`
- ORGANIZATION_ID: The unique identifier of the Google Cloud organization, for example: `12321311`
- WORKLOAD_LOCATION: The location of the workload, for example: `us-central1`
- WORKLOAD_ID: The unique identifier of the workload, for example: `00-c25febb1-f3c1-4f19-8965-a25`

After you replace the placeholder values, your request should look similar to the following example:

    curl -d '{ "restrictionType": "ALLOW_COMPLIANT_RESOURCES" }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ya29.a0AfB_byDnQW7A2Vr5...tanw0427" -X POST \
      "https://us-central1-assuredworkloads.googleapis.com/v1/organizations/12321311/locations/us-central1/workloads/00-c25febb1-f3c1-4f19-8965-a25:restrictAllowedServices"

If successful, the response is empty.

Disable resource usage restriction
----------------------------------

To disable resource usage restriction for a workload, run the following command. This command removes all service and resource restrictions on the Assured Workloads folder, so the folder is no longer limited to the control package's supported products:

    curl -d '{ "restrictionType": "ALLOW_ALL_GCP_RESOURCES" }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer TOKEN" -X POST \
      "SERVICE_ENDPOINT/v1/organizations/ORGANIZATION_ID/locations/WORKLOAD_LOCATION/workloads/WORKLOAD_ID:restrictAllowedServices"

Replace the placeholder values (TOKEN, SERVICE_ENDPOINT, ORGANIZATION_ID, WORKLOAD_LOCATION, and WORKLOAD_ID) with your own, exactly as described in the previous section. After you replace them, your request should look similar to the following example:

    curl -d '{ "restrictionType": "ALLOW_ALL_GCP_RESOURCES" }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ya29.a0AfB_byDnQW7A2Vr5...tanw0427" -X POST \
      "https://us-central1-assuredworkloads.googleapis.com/v1/organizations/12321311/locations/us-central1/workloads/00-c25febb1-f3c1-4f19-8965-a25:restrictAllowedServices"

If successful, the response is empty.

Supported and unsupported products
----------------------------------

The tables in this section list the supported and unsupported products for the various control packages. If you enable the default resource usage restrictions, only the supported products can be used. If you disable resource usage restrictions, both supported and unsupported products can be used.

### Data Boundary for FedRAMP Moderate

| Endpoint | Supported products | Unsupported products |
|---|---|---|
| aiplatform.googleapis.com | Vertex AI | AI Platform Training API and Prediction API |

### Data Boundary for FedRAMP High

| Endpoint | Supported products | Unsupported products |
|---|---|---|
| compute.googleapis.com | Compute Engine, Persistent Disk | AI Platform Training API and Prediction API, Cloud CDN, Virtual Private Cloud, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers |

### Data Boundary for Criminal Justice Information Services (CJIS)

| Endpoint | Supported products | Unsupported products |
|---|---|---|
| accesscontextmanager.googleapis.com | VPC Service Controls | Access Context Manager |
| compute.googleapis.com | Virtual Private Cloud, Persistent Disk, Compute Engine | Cloud CDN, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers |
| cloudkms.googleapis.com | Cloud Key Management Service | Cloud HSM |

### Data Boundary for Impact Level 4 (IL4)

| Endpoint | Supported products | Unsupported products |
|---|---|---|
| compute.googleapis.com | Compute Engine, Persistent Disk | AI Platform Training API and Prediction API, Cloud CDN, Virtual Private Cloud, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers |
| cloudkms.googleapis.com | Cloud Key Management Service | Cloud HSM |

### US Data Boundary and Support

| Endpoint | Supported products | Unsupported products |
|---|---|---|
| accesscontextmanager.googleapis.com | VPC Service Controls | Access Context Manager |
| compute.googleapis.com | Virtual Private Cloud, Persistent Disk, Compute Engine | Cloud CDN, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers |
| cloudkms.googleapis.com | Cloud Key Management Service | Cloud HSM |

Service endpoints
-----------------

This section lists the API endpoints that aren't blocked after you enable resource usage restriction.

What's next
-----------

- See the [list of services that don't support resource usage restriction](/resource-manager/docs/organization-policy/restricting-resources-unsupported-services).
- Learn which [products are supported](/assured-workloads/docs/supported-products) for each control package.

Last updated: 2024-12-21 (UTC)
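As an added example (not from the original page or the Assured Workloads project), the following shell wrapper drives the same `restrictAllowedServices` call used in the enable and disable sections above, taking the page's placeholders as arguments. It accepts only the two `restrictionType` values this page documents, warns on standard error when all restrictions are being removed, and prints the request instead of sending it when `DRY_RUN=1` is set; the function names and the `DRY_RUN` variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example: wrapper around the restrictAllowedServices REST method
# described on this page. Function names and DRY_RUN are this example's own.
set -eu

# Build the method URL from the page's placeholders. A trailing slash on the
# endpoint is tolerated so a copy-pasted value does not produce a double slash.
restrict_url() {
  local endpoint="$1" org_id="$2" location="$3" workload_id="$4"
  printf '%s/v1/organizations/%s/locations/%s/workloads/%s:restrictAllowedServices' \
    "${endpoint%/}" "$org_id" "$location" "$workload_id"
}

# Build the JSON body; only the two restriction types this page documents are accepted.
restrict_body() {
  case "$1" in
    ALLOW_COMPLIANT_RESOURCES|ALLOW_ALL_GCP_RESOURCES)
      printf '{ "restrictionType": "%s" }' "$1" ;;
    *)
      echo "restrict_body: unknown restrictionType '$1'" >&2
      return 1 ;;
  esac
}

# Send the request, or print it when DRY_RUN=1. The bearer token comes from
# gcloud, as the page suggests; a successful call returns an empty body.
restrict_workload() {
  local type="$1" endpoint="$2" org_id="$3" location="$4" workload_id="$5"
  local url body
  url=$(restrict_url "$endpoint" "$org_id" "$location" "$workload_id")
  body=$(restrict_body "$type") || return 1
  if [ "$type" = ALLOW_ALL_GCP_RESOURCES ]; then
    # Disabling removes every service restriction on the folder; make that visible in logs.
    echo "restrict_workload: removing all service restrictions on workload $workload_id" >&2
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'POST %s\n%s\n' "$url" "$body"
    return 0
  fi
  curl --silent --show-error --fail \
    -d "$body" -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -X POST "$url"
}

# Usage (dry run, with the example values from this page):
# DRY_RUN=1 restrict_workload ALLOW_COMPLIANT_RESOURCES \
#   https://us-central1-assuredworkloads.googleapis.com 12321311 us-central1 00-c25febb1-f3c1-4f19-8965-a25
```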