The Organization Policy Service gives customers centralized and programmatic control to set restrictions on their organization's resources. Each type of restriction is defined as a constraint, and is conceptually similar to a blueprint that defines what behaviors are controlled. Creating and maintaining organization policies can be complicated, as the requirements for security and compliance change over time.
Organization Policy recommender helps you secure your Google Cloud resources without disrupting customer systems. It analyzes existing organization policy configurations and generates recommendations for which organization policies to enforce.
Overview of organization policy recommendations
Organization policy recommendations are generated by the Organization Policy recommender. The Organization Policy recommender is one of the recommenders that Recommender offers.
Each organization policy recommendation suggests that you set a particular organization policy to improve the security of your Google Cloud resources. An organization policy is built from a constraint, which is a configuration of restrictions on a Google Cloud service.
The Organization Policy recommender uses organization policy insights to identify organization policies that aren't set. Organization policy insights are findings regarding the enforcement status of an organization policy constraint on your resources, and whether your resources are in violation of that organization policy.
A resource is considered in violation of an organization policy if it's in a state that is restricted by that organization policy. For example, the iam.managed.disableServiceAccountKeyCreation constraint lets you restrict the creation of service account keys. If a service account key has been created in a project, the Organization Policy Service considers that project to be in violation of that organization policy.
How insights and recommendations are generated
A recommendation is a suggestion for optimizing your usage of Google Cloud resources. It includes the steps required to take action on the recommendation, and is created using logs and analysis of your resource configurations to address vulnerabilities identified by the insight.
Insights are findings that you can use to proactively focus on important patterns in resource usage, and contain the context needed to create a recommendation.
Organization Policy recommender generates recommendations at the highest possible level in the resource hierarchy. For example, if there are no violations of a supported constraint in any projects under a folder, Organization Policy recommender generates the recommendation for that folder, instead of providing recommendations for the projects.
Supported constraints
Each recommendation is specific to a particular organization policy constraint.
Service account key creation
By default, users with the appropriate permissions can create service account keys. However, service account keys are a security risk if not managed correctly. Using the iam.managed.disableServiceAccountKeyCreation organization policy constraint, you can disable the creation of new external service account keys for all service accounts under a project, folder, or organization.
Organization Policy recommender checks the existence of Identity and Access Management (IAM) user-managed service accounts and external keys of these service accounts to evaluate whether they violate the restrictions on service account key creation.
If there are no created service account keys, Organization Policy recommender generates a recommendation to enforce the iam.managed.disableServiceAccountKeyCreation constraint and provides supporting details of the recommendation in the corresponding insights.
Insights related to the iam.managed.disableServiceAccountKeyCreation constraint have the subtype ADD_POLICY_DISABLE_SERVICE_ACCOUNT_KEY_CREATION.
Service account key upload
Users can upload the public key portion of a user-managed key pair to associate it with a service account. After they upload the public key, they can use the private key from the key pair as a service account key. Using the iam.managed.disableServiceAccountKeyUpload organization policy constraint, you can disable the upload of external public keys to service accounts under a project, folder, or organization.
If there are no uploaded service account keys, Organization Policy recommender generates a recommendation to enforce the iam.managed.disableServiceAccountKeyUpload constraint and provides supporting details of the recommendation in the corresponding insights.
Insights for the iam.managed.disableServiceAccountKeyUpload constraint have the subtype ADD_POLICY_DISABLE_SERVICE_ACCOUNT_KEY_UPLOAD.
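As an added example (not Google's code or the recommender's own implementation), the following Python models the two behaviours described above: which projects a key inventory puts in violation of each supported constraint, and how a recommendation is placed at the highest level of the hierarchy whose subtree has no violations. The hierarchy, the key records and the violation rules are constructed assumptions; the key_type and key_origin fields are assumed to mirror the IAM API's keyType and keyOrigin.

```python
# Constructed resource hierarchy: parent -> children. Projects are the leaves.
HIERARCHY = {
    "organizations/123456": ["folders/10", "folders/20"],
    "folders/10": ["projects/proj-a", "projects/proj-b"],
    "folders/20": ["projects/proj-c"],
}

# Constructed key inventory; key_type / key_origin mirror the IAM API's
# ServiceAccountKey keyType / keyOrigin fields (assumption).
KEYS = [
    {"project": "projects/proj-a", "key_type": "SYSTEM_MANAGED", "key_origin": "GOOGLE_PROVIDED"},
    {"project": "projects/proj-b", "key_type": "USER_MANAGED", "key_origin": "USER_PROVIDED"},
    {"project": "projects/proj-c", "key_type": "USER_MANAGED", "key_origin": "GOOGLE_PROVIDED"},
]

# Assumed violation rules: a Google-generated user-managed key counts against the
# creation constraint, an uploaded public key against the upload constraint.
CONSTRAINTS = {
    "iam.managed.disableServiceAccountKeyCreation":
        lambda k: k["key_type"] == "USER_MANAGED" and k["key_origin"] == "GOOGLE_PROVIDED",
    "iam.managed.disableServiceAccountKeyUpload":
        lambda k: k["key_origin"] == "USER_PROVIDED",
}

def violating_projects(keys, is_violation):
    """Projects holding at least one key the constraint would have blocked."""
    return {k["project"] for k in keys if is_violation(k)}

def recommend(hierarchy, node, violators):
    """Highest resources under node where the constraint can be enforced: a clean
    subtree yields one recommendation at its top, a subtree with a violation yields
    recommendations only for its clean descendants."""
    if node not in hierarchy:  # leaf project
        return [] if node in violators else [node]
    children = hierarchy[node]
    per_child = [recommend(hierarchy, c, violators) for c in children]
    if all(r == [c] for r, c in zip(per_child, children)):  # every child subtree clean
        return [node]
    return [target for sub in per_child for target in sub]

def recommendations(hierarchy=HIERARCHY, keys=KEYS, root="organizations/123456"):
    """Map each supported constraint to the resources it should be enforced on."""
    return {name: recommend(hierarchy, root, violating_projects(keys, rule))
            for name, rule in CONSTRAINTS.items()}

if __name__ == "__main__":
    for constraint, targets in recommendations().items():
        print(constraint, "->", targets or "no recommendation (violations everywhere)")
```

With the constructed data, the creation constraint is recommended for folders/10 only (proj-c has a created key), while the upload constraint is recommended for projects/proj-a and folders/20 (proj-b has an uploaded key, so folders/10 cannot take it as a whole).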
Priority and severity
Recommendation priority and insight severity help you understand the urgency of a recommendation or insight and prioritize accordingly.
Organization policy recommendation priority
A recommendation is assigned a priority level based on its perceived urgency. Priority levels range from P1 (highest priority) to P4 (lowest priority).
All organization policy recommendations have a priority of P1.
Organization policy recommendation severity
Insights are assigned severity levels based on their perceived urgency. Severity levels can be LOW, MEDIUM, HIGH, or CRITICAL.
All organization policy insights have a severity of HIGH.
How recommendations are applied
The Organization Policy recommender does not apply recommendations automatically. Instead, you must review your recommendations and decide whether to apply or dismiss them. To learn how to review, apply, and dismiss organization policy recommendations, see Review and apply organization policy recommendations.
Audit logging
When you apply or dismiss a recommendation, the Organization Policy recommender creates a log entry. You can view these log entries in your Google Cloud audit logs.
Pricing
Organization policy recommendations for managed constraints are available at no charge.
For more information, see Billing questions.
What's next
Learn more about Recommender.
Learn more about managed constraints in organization policy.