Google Terms of Service violations and GCP resources
Google treats policy and Terms of Service (ToS) violations very seriously in order to protect users, resources, and data. At the same time at Google we understand the value of users' Google Cloud Platform (GCP) resources and we have provided safeguards and recovery mechanisms for legitimate users that temporarily lose access to their GCP resources due to ToS violations.
This page describes how ToS violations may affect access to your GCP resources and provides best practices to ensure a quick recovery.
Suspended vs Orphaned Projects
There is a fundamental difference between Cloud projects that are suspended and projects that become orphaned. Cloud projects may be suspended by Google due to ToS violations. When a project is suspended, existing workloads are shut down and users lose access to the project. Project owners are notified by email that the project has been suspended and how to request reinstatement or appeal the suspension. The Policy Violations FAQ summarizes appeal best practices in case of project suspension.
A Cloud project is considered orphaned if it does not have an active or suspended owner. A Cloud project may become orphaned if the Google accounts belonging to all the owners or users associated with the project are deleted. Conversely, a project does not become orphaned even if the Google accounts belonging to all users are disabled due to TOS violations.
Orphaned projects are candidates for deletion, unless they meet at least one of the following criteria:
- It has some API activity that is reflected in the logs.
- It is associated with a G Suite customer domain.
- It has a live Google App Engine app.
- It has any active or future Variable Term Quota.
- It has a valid Cloud billing account billing state.
- It is owned by a Cloud Organization resource
If an orphaned project does not meet any of the above requirements it is initially marked for soft-deletion. Soft-deletion allows a thirty day window during which the project may be claimed by contacting Google support. If any of the conditions listed above change during the thirty day window, indicating a sign of activity with the project, then the project is unmarked for deletion.
How to avoid orphaned projects
In order to prevent a project from becoming orphaned, we recommend that more than one owner be associated with the project at all times.
If a project belongs to an Organization resource, then it will always have at least the Organization as an owner and as such will not be orphaned. The Organization administrator has full control over each project in the Organization.
We recommend obtaining an Organization resource and migrating all production projects under the Cloud Organization to eliminate the risk of projects being orphaned.
Effect of ToS violations
Google-wide disabled account
In some cases a Google-wide account (which covers access to a variety of Google products like Google Photos, Google Play, Google Drive, and GCP) will be disabled for violations of a Google ToS, egregious policy violations, or as required by law. Owners of disabled Google accounts will not be able to access their GCP resources until the account is reinstated. If an account is disabled, a notification is sent to the secondary email address provided during the signup process, if available. If a phone number is available, the user is notified via text message. The notification includes a link for appeal and recovery, where applicable.
In order to regain access to their GCP resources, owners of disabled Google accounts will need to contact Google support and have their account re-enabled.
To minimize the effect of an account being disabled on GCP resources, we recommend that you add more than one owner to all resources. As long as there is at least one active owner, GCP resources will not be suspended due to the one of the owners being disabled.
GCP account suspension
In certain circumstances when a GCP user is consistently violating ToS or GCP Acceptable Use Policy (GCP AUP) through their project(s), their access to GCP may be suspended. When that happens, the developer will not be able to access their Cloud projects however, they will continue to have access to other Google services like GMail.
When a GCP account is suspended and the developer has at least one active project, they will get an email informing them about the project being suspended. The developer can go to the Console, fill out the form and reach to Google to resolve the issue.
GCP project suspension
GCP projects may be suspended due to violations of the GCP ToS, including the GCP Acceptable Use Policy (GCP AUP). When activities that violate the GCP AUP or ToS are detected in a project, the project owner has an obligation to fix the violation immediately. If the violation is not fixed, Google may take action to suspend the project. It is important that GCP developers check the project owner email account regularly. If Google suspends a GCP project then all the associated GCP workloads would be suspended as well. The owner of a suspended project will receive a notification email from firstname.lastname@example.org with resources to appeal. See appeal best practices and FAQ.
If a suspended project has at least one owner, whether active or suspended, it is not considered orphaned and hence it is not marked for deletion.
To recover a suspended project please fix the issue and follow the link in the notification email or contact Google support.
Billing account suspension
GCP billing accounts may be suspended due to violations of GCP ToOS or for suspected fraud. If a billing account is suspended then all GCP resources attached to that billing account are suspended as well.
To recover a suspended billing account owners must fill out the Account Verification Form to submit an appeal for review with the Google support team.
Cloud resources linked to a suspended billing account are not considered orphaned, as long as they have at least one active owner.