The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. As the organization policy administrator, you can configure constraints across your entire resource hierarchy.
Benefits
- Centralize control to configure restrictions on how your organization's resources can be used.
- Define and establish guardrails for your development teams to stay within compliance boundaries.
- Help project owners and their teams move quickly without worry of breaking compliance.
Common use cases
Organization policies allow you to do the following:
- Limit resource sharing based on domain.
- Limit the usage of Identity and Access Management (IAM) service accounts.
- Restrict the physical location of newly created resources.
There are many more constraints that give you fine-grained control of your organization's resources. For more information, see the list of all Organization Policy Service constraints.
Differences from Identity and Access Management
Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions.
Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.
How organization policy works
An organization policy configures a single constraint that restricts one or more Google Cloud services. The organization policy is set on an organization, folder, or project resource to enforce the constraint on that resource and any child resources.
An organization policy contains one or more rules that specify how, and
whether, to enforce the constraint. For example, an organization policy could
contain one rule that enforces the constraint only on resources tagged
environment=development
, and another rule that prevents the constraint from
being enforced on other resources.
Descendants of the resource to which the organization policy is attached inherit the organization policy. By applying an organization policy to the organization resource, the organization policy administrator can control enforcement of that organization policy and configuration of restrictions across your organization.
Constraints
A constraint is a particular type of restriction against a
Google Cloud service or a list
of Google Cloud services. Think of the constraint as a blueprint that
defines what behaviors are controlled. For example, you can restrict project
resources from accessing Compute Engine storage resources using the
compute.storageResourceUseRestrictions
constraint.
This blueprint is then applied to a resource in your resource hierarchy as an organization policy, which implements the rules defined in the constraint. The Google Cloud service mapped to that constraint and associated with that resource hierarchy node will then enforce the restrictions configured within the organization policy.
An organization policy is defined in a YAML or JSON file by the constraint it enforces, and optionally by the conditions under which the constraint are enforced. Each organization policy enforces exactly one constraint in active mode, dry-run mode, or both.
A constraint has an enforcement type of list or boolean, which determines the values that can be used for checking enforcement. The enforcing Google Cloud service will evaluate the constraint type and value to determine restriction.
List constraints
A list constraint allows or disallows a list of values that is defined in an
organization policy. This list of values is expressed as a hierarchy subtree
string. The subtree string specifies the type of resource it applies to. For
example, the list constraint constraints/compute.trustedImageProjects
takes
a list of project IDs in the form of projects/PROJECT_ID
.
Values can be given a prefix in the form prefix:value
for constraints that
support them, which gives the value additional meaning:
is:
- applies a comparison against the exact value. This is the same behavior as not having a prefix, and is required when the value includes a colon.under:
- applies a comparison to the value and all of its child values. If a resource is allowed or denied with this prefix, its child resources are also allowed or denied. The value provided must be the ID of an organization, folder, or project resource.in:
- applies a comparison to all resources that include this value. For example, you can addin:us-locations
to the denied list of theconstraints/gcp.resourceLocations
constraint to block all locations that are included in theus
region.
If no list of values is provided, or the organization policy is set to the Google-managed default, then the default behavior of the constraint takes effect, which either allows all values or denies all values.
The following organization policy enforces a constraint that allows the
Compute Engine VM instances vm-1
and vm-2
in organizations/1234567890123
to access external IP addresses:
name: organizations/1234567890123/policies/compute.vmExternalIpAccess
spec:
rules:
- values:
allowedValues:
- is:projects/project_a/zones/us-central1-a/instances/vm-1
- is:projects/project_b/zones/us-central1-a/instances/vm-2
Boolean constraints
A boolean constraint is either enforced or not enforced. For example, the
predefined constraint constraints/compute.disableSerialPortAccess
has two
possible states:
- Enforced - the constraint is enforced, and serial port access is not allowed.
- Not enforced - the
disableSerialPortAccess
constraint is not enforced or checked, so serial port access is allowed.
If the organization policy is set to the Google-managed default, then the default behavior for the constraint takes effect.
The following organization policy enforces a constraint that disables the
creation of external service accounts in organizations/1234567890123
:
name: organizations/1234567890123/policies/iam.disableServiceAccountCreation
spec:
rules:
- enforce: true
Custom organization policies
Custom organization policies can allow or restrict resource creation and updates in the same way that predefined organization policies do, but allow administrators to configure conditions based on request parameters and other metadata. You can use Policy Intelligence tools to test and analyze your custom organization policies.
You can create custom organization policies with constraints that restrict
operations on certain service resources, such as Dataproc NodePool
resources. For a list of service resources that support custom constraints, see
Custom constraint supported services.
To learn more about using custom organization policies, see Creating and managing custom organization policies.
Managed constraints
Managed constraints are predefined constraints that have been built on the custom organization policy platform. The custom organization policy platform allows for organization policies to be designed with more flexibility, and with greater insight from Policy Intelligence tools.
To learn more about using managed constraints, see Using constraints.
Organization policies in dry-run mode
An organization policy in dry-run mode is created and enforced similarly to other organization policies, and violations of the policy are audit-logged, but the violating actions aren't denied.
You can use organization policies in dry-run mode to monitor how policy changes would impact your workflows before it is enforced. For more information, see Create an organization policy in dry-run mode.
Conditional organization policies
Tags provide a way to conditionally enforce constraints based on whether a resource has a specific tag. You can use tags and conditional enforcement of constraints to provide centralized control of the resources in your hierarchy.
For more information about tags, see Tags overview. To learn how to set a conditional organization policy using tags, see Setting an organization policy with tags.
Inheritance
When an organization policy is set on a resource, all descendants of that resource inherit the organization policy by default. If you set an organization policy on the organization resource, then the configuration of restrictions defined by that policy will be passed down through all descendant folders, projects, and service resources.
You can set an organization policy on a descendant resource that either overwrites the inheritance, or inherits the organization policy of the parent resource. In the latter case, the two organization policies are merged based on the rules of hierarchy evaluation. This provides precise control for how your organization policies apply throughout your organization, and where you want exceptions made.
To learn more, see Understanding hierarchy evaluation.
Violations
A violation is when a Google Cloud service acts or is in a state that is counter to the organization policy restriction configuration within the scope of its resource hierarchy. Google Cloud services will enforce constraints to prevent violations, but the application of new organization policies is usually not retroactive. If an organization policy constraint is retroactively enforced, it will be labeled as such on the organization policy constraints page.
If a new organization policy sets a restriction on an action or state that a service is already in, the policy is considered to be in violation, but the service won't stop its original behavior. You will need to address this violation manually. This prevents the risk of a new organization policy completely shutting down your business continuity.
Policy Intelligence
Policy Intelligence is a suite of tools designed to help you manage security policies. These tools can help you understand resource usage, understand and improve existing security policies, and prevent policy misconfigurations.
Some Policy Intelligence tools are specifically designed to help test and analyze Organization Policy Service policies. We recommend that you test and dry-run all changes to your organization policies. With Policy Intelligence, you can do tasks like the following:
- Test changes to organization policies and constraints and identify resources that are non-compliant under the proposed policy (Preview))
- Create a dry-run organization policy to monitor how a policy change would affect your workflows
- Analyze existing organization policies to understand which Google Cloud resources are covered by which organization policy
To learn more about these tools and other Policy Intelligence tools, see Policy Intelligence overview.
Next steps
- Read the Creating and managing organization resources page to learn how to acquire an organization resource.
- Learn how to define organization policies.
- Explore the solutions you can accomplish with organization policy constraints.