Organization Policy Constraints

Available constraints

You can specify policies that use the following constraints. More constraints are under development.

Each entry below lists the service, the constraint's display name, its description, its constraint name, and the value prefixes it supports.

Service: Compute Engine
Constraint: Disable Guest Attributes of Compute Engine metadata
Description: This boolean constraint disables Compute Engine API access to the Guest Attributes of Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True.
By default, the Compute Engine API can be used to access Compute Engine VM guest attributes.
Name: constraints/compute.disableGuestAttributesAccess
Supported prefixes: "is:"

Service: Compute Engine
Constraint: Disable VM nested virtualization
Description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True.
By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
Name: constraints/compute.disableNestedVirtualization
Supported prefixes: "is:"

Service: Compute Engine
Constraint: Disable VM serial port access
Description: This boolean constraint disables serial port access to Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True.
By default, customers can enable serial port access for Compute Engine VMs on a per-VM or per-project basis using metadata attributes. Enforcing this constraint will disable serial port access for Compute Engine VMs, regardless of the metadata attributes.
Name: constraints/compute.disableSerialPortAccess
Supported prefixes: "is:"

Service: Compute Engine
Constraint: Disable VM serial port logging to Stackdriver
Description: This boolean constraint disables serial port logging to Stackdriver from Compute Engine VMs belonging to the organization, project, or folder where this constraint is being enforced.
By default, serial port logging for Compute Engine VMs is disabled, and can be selectively enabled on a per-VM or per-project basis using metadata attributes. When enforced, this constraint disables serial port logging for new Compute Engine VMs whenever a new VM is created, as well as preventing users from changing the metadata attribute of any VMs (old or new) to True.
Name: constraints/compute.disableSerialPortLogging
Supported prefixes: "is:"

Service: Compute Engine
Constraint: Shielded VMs
Description: This boolean constraint, when set to True, requires that all new Compute Engine VM instances use Shielded disk images with Secure Boot, vTPM, and Integrity Monitoring options enabled. Secure Boot can be disabled after creation, if desired. Existing running instances will continue to work as usual.
By default, Shielded VM features do not need to be enabled in order to create Compute Engine VM instances. Shielded VM features add verifiable integrity and exfiltration resistance to your VMs.
Name: constraints/compute.requireShieldedVm
Supported prefixes: "is:"

Service: Compute Engine
Constraint: Skip default network creation
Description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
Name: constraints/compute.skipDefaultNetworkCreation
Supported prefixes: "is:"
Service: Compute Engine
Constraint: Compute Storage resource use restrictions (Compute Engine disks, images, and snapshots)
Description: This list constraint defines a set of projects that are allowed to use Compute Engine's storage resources. By default, anyone with appropriate Cloud IAM permissions can access Compute Engine resources. When this constraint is in use, a user can access a resource only if they hold the required Cloud IAM permissions and are not excluded by the constraint.
Projects, folders, and organizations specified in allowed or denied lists must be in the form: under:projects/PROJECT_ID, under:folders/FOLDER_ID, under:organizations/ORGANIZATION_ID.
Name: constraints/compute.storageResourceUseRestrictions
Supported prefixes: "is:", "under:"

Service: Compute Engine
Constraint: Define trusted image projects
Description: This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine.
By default, instances can be created from images in any project that shares images publicly or explicitly with the user.
The allowed/denied list of publisher projects must be strings in the form: projects/PROJECT_ID. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.
Name: constraints/compute.trustedImageProjects
Supported prefixes: "is:"

Service: Compute Engine
Constraint: Define allowed external IPs for VM instances
Description: This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses.
By default, all VM instances are allowed to use external IP addresses.
The allowed/denied list of VM instances must be identified by the VM instance name, in the form: projects/PROJECT_ID/zones/ZONE/instances/INSTANCE.
Name: constraints/compute.vmExternalIpAccess
Supported prefixes: "is:"
Service: Cloud Identity and Access Management
Constraint: Domain restricted sharing (BETA)
Description: This list constraint defines the set of members that can be added to Cloud IAM policies.
By default, all user identities are allowed to be added to Cloud IAM policies.
The allowed/denied list must specify one or more Cloud Identity or G Suite customer IDs. If this constraint is active, only identities in the allowed list will be eligible to be added to Cloud IAM policies.
Name: constraints/iam.allowedPolicyMemberDomains
Supported prefixes: "is:"

Service: Cloud Identity and Access Management
Constraint: Disable service account creation (BETA)
Description: This boolean constraint disables the creation of service accounts where this constraint is set to True.
By default, service accounts can be created by users based on their Cloud IAM roles and permissions.
Name: constraints/iam.disableServiceAccountCreation
Supported prefixes: "is:"

Service: Cloud Identity and Access Management
Constraint: Disable service account key creation (BETA)
Description: This boolean constraint disables the creation of service account external keys where this constraint is set to True.
By default, service account external keys can be created by users based on their Cloud IAM roles and permissions.
Name: constraints/iam.disableServiceAccountKeyCreation
Supported prefixes: "is:"
Service: Resource Manager
Constraint: Restrict shared VPC project lien removal
Description: This boolean constraint restricts the set of users that can remove a Shared VPC project lien without organization-level permission where this constraint is set to True.
By default, any user with the permission to update liens can remove a Shared VPC project lien. Enforcing this constraint requires that permission be granted at the organization level.
Name: constraints/compute.restrictXpnProjectLienRemoval
Supported prefixes: "is:"
Service: Google Cloud Platform
Constraint: Define allowed APIs and services
Description: This list constraint defines the set of services and their APIs that can be enabled on this resource and below.
By default, all services are allowed.
The denied list of services must be identified as the string name of an API, and can only include explicitly denied values from the list below. Explicitly allowing APIs is not currently supported. Explicitly denying APIs not in this list will result in an error.
Enforcement of this constraint is not retroactive. If a service is already enabled on a resource when this constraint is enforced, it will remain enabled.
Name: constraints/serviceuser.services
Supported prefixes: "is:"
Service: Google Cloud Platform
Constraint: Resource Location Restriction (BETA)
Description: This list constraint defines the set of locations where location-based GCP resources can be created. Policies for this constraint can specify multi-regions such as asia and europe, regions such as us-east1 or europe-west1, or individual zones such as europe-west1-b as allowed or denied locations. Every location to be allowed or denied must be listed explicitly. Allowing or denying a multi-region or region does not imply that all included sub-locations should also be allowed or denied. For example, if the policy denies the us-east1 region, resources can still be created in the zonal location us-east1-a. To include sub-locations, use the in: prefix. For example, allowing in:us-east1-locations allows all of the locations that exist within us-east1.
You can specify value groups, collections of locations that are curated by Google to provide a simple way to define your resource locations. To use value groups in your organization policy, prefix your entries with the string in:, followed by the value group.
If the suggested_value field is used in a location policy, it should be a region or a zone. If the value specified is a region, a UI for a zonal resource may pre-populate any zone in that region. If the value specified is a zone, a UI for a regional resource may pre-populate the region enclosing the zone.
By default, resources can be created in any location.
Name: constraints/gcp.resourceLocations
Supported prefixes: "is:", "in:"
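The matching rules for constraints/gcp.resourceLocations described above, worked through as an added example (this is not Google's code): a small Python model of how an allowed or denied list is evaluated for one location. The location hierarchy and the policy values are constructed samples, and the example assumes that a value group of the form in:X-locations names X together with every location nested under it.

```python
# Constructed sample hierarchy (parent -> direct children); the real value
# groups are curated by Google and are not reproduced here.
LOCATION_CHILDREN = {
    "us": ["us-east1", "us-central1"],
    "europe": ["europe-west1"],
    "us-east1": ["us-east1-a", "us-east1-b"],
    "us-central1": ["us-central1-a"],
    "europe-west1": ["europe-west1-b"],
}
VALUE_GROUP_SUFFIX = "-locations"


def descendants(location):
    """The location itself plus every location nested under it."""
    found, stack = {location}, [location]
    while stack:
        for child in LOCATION_CHILDREN.get(stack.pop(), []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def expand_entry(entry):
    """Locations named by one policy value.

    "is:us-east1" (or bare "us-east1") names only that region, so a denied
    region does not cover its zones. "in:us-east1-locations" is assumed
    (this example's reading of the value group) to name the region and
    everything within it.
    """
    if entry.startswith("in:") and entry.endswith(VALUE_GROUP_SUFFIX):
        return descendants(entry[len("in:"):-len(VALUE_GROUP_SUFFIX)])
    return {entry[len("is:"):] if entry.startswith("is:") else entry}


def location_permitted(policy, location):
    """Evaluate {"allowed": [...]} or {"denied": [...]} for one location.

    An empty policy permits any location, the documented default.
    """
    if "allowed" in policy:
        return any(location in expand_entry(e) for e in policy["allowed"])
    if "denied" in policy:
        return not any(location in expand_entry(e) for e in policy["denied"])
    return True


# The page's own example: denying us-east1 still leaves us-east1-a usable.
DENY_REGION = {"denied": ["is:us-east1"]}
ALLOW_GROUP = {"allowed": ["in:us-east1-locations"]}
```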
Service: Cloud Storage
Constraint: Enforce Bucket Policy Only (BETA)
Description: This boolean constraint requires buckets to use Bucket Policy Only where this constraint is set to True. Any new bucket in the Organization resource must have Bucket Policy Only enabled, and no existing bucket in the organization resource can disable Bucket Policy Only.
Enforcement of this constraint is not retroactive: existing buckets with Bucket Policy Only disabled continue to have it disabled. The default value for this constraint is False.
Bucket Policy Only disables the evaluation of ACLs assigned to Cloud Storage objects in the bucket. Consequently, only IAM policies grant access to objects in these buckets.
NOTE: certain GCP services which export to Cloud Storage cannot export to buckets which have Bucket Policy Only enabled. This may include services such as Stackdriver, Compute Engine exports of usage reports or custom images, Cloud Audit Logging, Firebase GCP Integration, Cloud SQL, Cloud Billing, and Datastore.
Name: constraints/storage.bucketPolicyOnly
Supported prefixes: "is:"

Service: Cloud Storage
Constraint: Retention policy duration in seconds
Description: This list constraint defines the set of durations for retention policies that can be set on Cloud Storage buckets.
By default, if no organization policy is specified, a Cloud Storage bucket can have a retention policy of any duration.
The list of allowed durations must be specified as positive integer values greater than zero, each representing a retention policy duration in seconds.
Any insert, update, or patch operation on a bucket in the organization resource must have a retention policy duration that matches the constraint.
Enforcement of this constraint is not retroactive. When a new organization policy is applied, the retention policies of existing buckets remain unchanged and valid.
Name: constraints/storage.retentionPolicySeconds
Supported prefixes: "is:"

How-to guides

For more information about how to use individual constraints:

Constraint: How-to guide
constraints/compute.vmExternalIpAccess: Disabling external IP access for VMs
constraints/compute.trustedImageProjects: Restricting access to images
constraints/iam.allowedPolicyMemberDomains (Beta): Restricting identities by domain
constraints/iam.disableServiceAccountKeyCreation (Beta): Restricting service account key creation
constraints/iam.disableServiceAccountCreation (Beta): Restricting service account creation
constraints/storage.bucketPolicyOnly (Beta): Setting Organization Policies in Cloud Storage
constraints/storage.retentionPolicySeconds: Setting Organization Policies in Cloud Storage
constraints/gcp.resourceLocations: Restricting Resource Locations

Learn more

To learn more about the core concepts of organization policy:
