Enforce Confidential VM use

To make sure all VMs created in your organization are Confidential VM instances, you can use an organization policy constraint. The constraint is evaluated when a VM is created, so it blocks new non-Confidential VMs; it doesn't convert or stop VMs that already exist.

Required roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access.

This predefined role contains the permissions required to manage organization policies. The exact permissions that are required are listed in the Required permissions section.

Required permissions

The following permissions are required to manage organization policies:

  • orgpolicy.constraints.list
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

You might also be able to get these permissions with custom roles or other predefined roles.

Enable the constraint

To enable the constraint on VM instances, complete the following instructions:

Console

  1. In the Google Cloud console, go to the Organization policies page.

  2. Click the switcher box at the top of the page, and choose the organization to apply the constraint to. To apply the constraint to a project, select a project instead.

  3. In the filter box, enter restrict non-confidential computing, and then click the Restrict Non-Confidential Computing policy.

  4. On the Policy details page for Restrict Non-Confidential Computing, click Manage policy.

  5. In the Applies to section, click Customize.

  6. In the Policy enforcement section, choose one of the following options:

    • Merge with parent. Merge your new policy setting with that of a parent organization.

    • Replace. Replace the current policy setting and ignore that of the parent organization.

  7. In the Rules section, click Add a rule.

  8. In the Policy values box, select Custom, and set the Policy type to Deny.

  9. In the Custom values box, enter compute.googleapis.com as the API service name you want to enforce the policy on.

  10. Click Done.

  11. Click Set policy.

gcloud

gcloud resource-manager org-policies deny \
    constraints/compute.restrictNonConfidentialComputing compute.googleapis.com \
    --organization=ORGANIZATION_ID

Provide the following value:

  • ORGANIZATION_ID: The ID of the organization to add the constraint to.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    If you know only the display name, list the organizations your account can see; the ID is printed next to each display name:

    gcloud organizations list

    If you already have the resource name (organizations/ORGANIZATION_ID), you can extract the numeric ID from it with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

To apply the constraint at the project level instead of the organization level, use --project=PROJECT_ID instead of --organization=ORGANIZATION_ID.

Alternatively, you can set the policy from a policy file with the gcloud resource-manager org-policies set-policy command. Note that deny adds a value to the existing denied list, whereas set-policy replaces the whole policy for that constraint with the contents of the file.

Verify the constraint

To verify the constraint:

  1. In the Google Cloud console, go to the VM instances page.

  2. Click the project selector at the top of the page, and choose a project to create a VM in.

  3. Click Create instance.

  4. In the Confidential VM service section, verify that the console reports your organization policy as enforced. The definitive check is to try to create a VM without the Confidential VM service enabled in a project under the policy: the request must be rejected with an organization policy violation.
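The following script is an added example that is not part of the original page or of Google's own tooling. It covers both the gcloud enable procedure above (as a set-policy policy file rather than the deny command) and the verification step, from the command line. It assumes, and these are assumptions not found in the original, that ORGANIZATION_ID and PROJECT_ID are set in the environment, that gcloud is authenticated with roles/orgpolicy.policyAdmin on the organization and permission to create and delete instances in PROJECT_ID, that the zone, n2d machine type and Ubuntu image used are available and SEV-capable in that project, and that the script is invoked with the argument run to actually talk to Google Cloud (without it, it only defines the functions).

```shell
#!/bin/sh
# Added example; not code from the Google Cloud documentation page.
# Assumptions (not in the original page): ORGANIZATION_ID and PROJECT_ID are
# exported, gcloud is authenticated with orgpolicy.policyAdmin on the
# organization and instance create/delete permission in PROJECT_ID, and the
# zone, machine type and image below are usable in that project.

CONSTRAINT="constraints/compute.restrictNonConfidentialComputing"
ZONE="${ZONE:-us-central1-a}"           # assumed zone

# Emit the v1 org-policy file consumed by
# `gcloud resource-manager org-policies set-policy`. It expresses the same
# rule as the page's `deny` command, but set-policy replaces the constraint's
# whole policy instead of merging one value into it.
write_policy_file() {
    cat <<EOF
constraint: ${CONSTRAINT}
listPolicy:
  deniedValues:
  - compute.googleapis.com
EOF
}

# Apply the policy on the organization, then print the *effective* policy as
# seen from PROJECT_ID to confirm inheritance reaches the project where VMs
# are created (a project-level "Replace" policy could otherwise undo it).
apply_and_show() {
    tmp=$(mktemp)
    write_policy_file > "$tmp"
    gcloud resource-manager org-policies set-policy "$tmp" \
        --organization="${ORGANIZATION_ID}"
    rm -f "$tmp"
    gcloud resource-manager org-policies describe "${CONSTRAINT}" \
        --project="${PROJECT_ID}" --effective
}

# Negative check: creating a VM without --confidential-compute must be
# rejected. Returns 0 when the constraint blocked the request; if the VM was
# created, deletes it and returns 1 so nothing is left behind.
expect_plain_vm_blocked() {
    name="orgpolicy-probe-$$"
    if gcloud compute instances create "$name" \
        --project="${PROJECT_ID}" --zone="${ZONE}" \
        --machine-type=n2d-standard-2 \
        --image-family=ubuntu-2204-lts --image-project=ubuntu-os-cloud \
        --quiet; then
        echo "FAIL: non-confidential VM $name was created; constraint not enforced" >&2
        gcloud compute instances delete "$name" --project="${PROJECT_ID}" \
            --zone="${ZONE}" --quiet
        return 1
    fi
    echo "OK: non-confidential VM creation was rejected"
    return 0
}

# Positive check: a Confidential VM (AMD SEV) must still be creatable.
# --maintenance-policy=TERMINATE is required because SEV VMs here are
# configured without live migration.
expect_confidential_vm_allowed() {
    name="orgpolicy-cvm-$$"
    gcloud compute instances create "$name" \
        --project="${PROJECT_ID}" --zone="${ZONE}" \
        --machine-type=n2d-standard-2 \
        --confidential-compute --maintenance-policy=TERMINATE \
        --image-family=ubuntu-2204-lts --image-project=ubuntu-os-cloud \
        --quiet || return 1
    gcloud compute instances delete "$name" --project="${PROJECT_ID}" \
        --zone="${ZONE}" --quiet
}

# Only touch Google Cloud when invoked explicitly: `sh enforce_cvm.sh run`.
if [ "${1:-}" = "run" ]; then
    apply_and_show
    expect_plain_vm_blocked
    expect_confidential_vm_allowed
fi
```

Run the probe from a project that is meant to inherit the policy, not from the organization itself: the effective-policy output and the rejected create together prove that enforcement reaches the place where VMs are actually built, which the console's policy page alone doesn't show.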

Disable the constraint

To disable the constraint, complete the following instructions:

Console

  1. In the Google Cloud console, go to the Organization policies page.

  2. Click the switcher box at the top of the page, and choose the organization that the constraint is applied to. If the constraint was applied to a project, select that project instead.

  3. In the filter box, enter restrict non-confidential computing, and then click the Restrict Non-Confidential Computing policy.

  4. On the Policy details page for Restrict Non-Confidential Computing, click Manage policy.

  5. Click the rule to expand it.

  6. In the Policy values box, select Allow all, and then click Done.

  7. Click Set policy.

gcloud

gcloud resource-manager org-policies delete \
    constraints/compute.restrictNonConfidentialComputing \
    --organization=ORGANIZATION_ID

Provide the following value:

  • ORGANIZATION_ID: The ID of the organization to delete the constraint from.

To delete the constraint at the project level instead of the organization level, use --project=PROJECT_ID instead of --organization=ORGANIZATION_ID.

Alternatively, you can set the policy from a policy file with the gcloud resource-manager org-policies set-policy command.

What's next

To learn more about the core concepts of organization policy: