If you are a new customer, Google Cloud automatically provisions an organization resource for your domain in the following scenarios:
- A user from your domain logs in for the first time.
- A user creates a billing account that does not have an associated organization resource.
This organization resource's default configuration, characterized by unrestricted access, can make the infrastructure susceptible to security breaches. For example, leaving service account key creation enabled by default is a critical vulnerability: long-lived keys can leak and expose systems to potential breaches.
Google Cloud security baseline addresses insecure security postures with a bundle of organization policies that are enforced when an organization resource is created. For more information, see getting an organization resource. Examples of these organization policies include disabling service account key creation and disabling service account key upload.
When an existing user creates an organization, the security posture for the new organization resource might be different from the existing organization resources. Google Cloud security baseline constraints are enforced for all organizations created on or after May 3, 2024. Some organizations created between February 2024 and April 2024 might also have these default policy enforcements set. To view organization policies applied to your organization, see Viewing organization policies.
Before you begin
For more information about what organization policies and constraints are and how they work, see the introduction to the Organization Policy Service.
Required roles
To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to manage organization policies. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage organization policies:
- orgpolicy.constraints.list
- orgpolicy.policies.create
- orgpolicy.policies.delete
- orgpolicy.policies.list
- orgpolicy.policies.update
- orgpolicy.policy.get
- orgpolicy.policy.set
You might also be able to get these permissions with custom roles or other predefined roles.
You can delegate the administration of organization policies by adding IAM Conditions to the Organization policy administrator role binding. To control the resources where a principal can manage organization policies, you can make the role binding conditional on a particular tag. For more information, see Using constraints.
Organization policies enforced on organization resources
The following table lists the organization policy constraints that are automatically enforced when you create an organization resource.
| Organization policy name | Organization policy constraint | Description | Impact of enforcement |
|---|---|---|---|
| Disable service account key creation | constraints/iam.managed.disableServiceAccountKeyCreation | Prevent users from creating persistent keys for service accounts. For information about managing service account keys, see Provide alternatives to creating service account keys. | Reduces the risk of exposed service account credentials. |
| Disable service account key upload | constraints/iam.managed.disableServiceAccountKeyUpload | Prevent the upload of external public keys to service accounts. For information about accessing resources without service account keys, see these best practices. | Reduces the risk of exposed service account credentials. |
| Prevent the Editor role from being granted to default service accounts | constraints/iam.automaticIamGrantsForDefaultServiceAccounts | Prevent default service accounts from receiving the overly permissive IAM Editor role at creation. | The Editor role lets the service account create and delete resources for most Google Cloud services, which creates a vulnerability if the service account gets compromised. |
| Restrict identities by domain | constraints/iam.allowedPolicyMemberDomains | Limit resource sharing to identities that belong to a particular organization resource or Google Workspace customer ID. | Leaving the organization resource open to access by actors with domains other than the customer's own creates a vulnerability. |
| Restrict contacts by domain | constraints/essentialcontacts.managed.allowedContactDomains | Limit Essential Contacts to only allow managed user identities in selected domains to receive platform notifications. | A bad actor with a different domain might get added as an Essential Contact, leading to a compromised security posture. |
| Restrict protocol forwarding based on type of IP address | constraints/compute.managed.restrictProtocolForwardingCreationForTypes | Restrict the configuration of protocol forwarding to internal IP addresses only. | Protects target instances from exposure to external traffic. |
| Uniform bucket-level access | constraints/storage.uniformBucketLevelAccess | Prevent Cloud Storage buckets from using per-object ACLs (a separate system from allow and deny policies) to provide access. | Enforces consistency for access management and auditing. |
Manage enforcement of organization policies
You can manage the enforcement of organization policies in the following ways:
List organization policies
To check whether the Google Cloud security baseline constraints are enforced on your organization, use the following command:
```
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
```
Replace ORGANIZATION_ID with the unique identifier of your organization.
Disable organization policies
To disable or delete an organization policy, run the following command:
```
gcloud org-policies delete CONSTRAINT_NAME --organization=ORGANIZATION_ID
```
Replace the following:
- CONSTRAINT_NAME: the name of the organization policy constraint that you want to delete, for example iam.allowedPolicyMemberDomains
- ORGANIZATION_ID: the unique identifier of your organization
Add or update values for an organization policy
To add or update values for an organization policy, create a YAML file defining it. For example:
```
name: "organizations/ORGANIZATION_ID/policies/CONSTRAINT_NAME"
spec:
  rules:
  - values:
      allowedValues:
      - VALUE_A
```
Replace the following:
- ORGANIZATION_ID: the unique identifier of your organization
- CONSTRAINT_NAME: the name of the constraint that you want to enforce, for example gcp.restrictNonCmekServices
- VALUE_A: the value you want to allow, based on the specific constraint you are enforcing
To add or update the values listed in the YAML file, run the following command:
```
gcloud org-policies set-policy POLICY_FILE
```
Replace POLICY_FILE with the path to the YAML file.
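The following script ties the two procedures above together: it audits an organization against the seven baseline constraints from the table (the "List organization policies" check) and renders the YAML file that `gcloud org-policies set-policy` consumes (the "Add or update values" step). It is an added example, not code from the Google Cloud documentation or the gcloud SDK. It assumes that `gcloud org-policies list --organization=ORGANIZATION_ID --format=json` (the v2 command family used by the delete and set-policy steps) returns a JSON array of policy objects shaped like the YAML on this page, with `name` ending in `policies/<constraint>` and rules under `spec.rules`; the sample JSON embedded below is constructed, not captured from a real organization.

```python
"""Audit an organization against the security baseline constraints and render
policy YAML for `gcloud org-policies set-policy`.

Added example; not part of the Google Cloud documentation or the gcloud SDK.
Assumption: `gcloud org-policies list --format=json` returns a JSON array of
policy objects with `name` = "organizations/<ORG_ID>/policies/<constraint>"
and rules under `spec.rules`.
"""
import json
import subprocess
import sys

# Constraints from the baseline table on this page, keyed by short constraint name.
BASELINE_CONSTRAINTS = {
    "iam.managed.disableServiceAccountKeyCreation": "Disable service account key creation",
    "iam.managed.disableServiceAccountKeyUpload": "Disable service account key upload",
    "iam.automaticIamGrantsForDefaultServiceAccounts": "Prevent the Editor role from being granted to default service accounts",
    "iam.allowedPolicyMemberDomains": "Restrict identities by domain",
    "essentialcontacts.managed.allowedContactDomains": "Restrict contacts by domain",
    "compute.managed.restrictProtocolForwardingCreationForTypes": "Restrict protocol forwarding based on type of IP address",
    "storage.uniformBucketLevelAccess": "Uniform bucket-level access",
}


def is_enforcing(policy: dict) -> bool:
    """True if any rule enforces a boolean constraint, restricts a list constraint
    to explicit values, or denies all values (assumed rule shape). A policy object
    whose only rule is `enforce: false` is present but inert and counts as not enforcing."""
    for rule in policy.get("spec", {}).get("rules", []):
        if rule.get("enforce") is True or rule.get("denyAll") is True or "values" in rule:
            return True
    return False


def enforcing_constraints(policies_json: str) -> set:
    """Short constraint names that are enforcing, taken from gcloud's JSON output."""
    enforcing = set()
    for policy in json.loads(policies_json):
        # e.g. "organizations/123456789012/policies/iam.allowedPolicyMemberDomains"
        _, _, constraint = policy.get("name", "").rpartition("/policies/")
        if constraint and is_enforcing(policy):
            enforcing.add(constraint)
    return enforcing


def missing_baseline(policies_json: str) -> list:
    """Baseline constraints that are not enforcing on the organization, sorted."""
    return sorted(set(BASELINE_CONSTRAINTS) - enforcing_constraints(policies_json))


def render_list_policy(org_id: str, constraint: str, allowed_values: list) -> str:
    """Render the list-constraint YAML file shown on this page."""
    lines = [
        f'name: "organizations/{org_id}/policies/{constraint}"',
        "spec:",
        "  rules:",
        "  - values:",
        "      allowedValues:",
    ]
    lines += [f"      - {value}" for value in allowed_values]
    return "\n".join(lines) + "\n"


def render_boolean_policy(org_id: str, constraint: str, enforce: bool = True) -> str:
    """Render the equivalent file for a boolean constraint (enforce: true/false)."""
    return (
        f'name: "organizations/{org_id}/policies/{constraint}"\n'
        "spec:\n"
        "  rules:\n"
        f"  - enforce: {'true' if enforce else 'false'}\n"
    )


# Constructed sample of gcloud JSON output: only two baseline constraints enforce;
# protocol forwarding has a policy object but it is set to enforce: false.
SAMPLE_POLICIES_JSON = json.dumps([
    {"name": "organizations/123456789012/policies/iam.managed.disableServiceAccountKeyCreation",
     "spec": {"rules": [{"enforce": True}]}},
    {"name": "organizations/123456789012/policies/iam.allowedPolicyMemberDomains",
     "spec": {"rules": [{"values": {"allowedValues": ["C0123abcd"]}}]}},
    {"name": "organizations/123456789012/policies/compute.managed.restrictProtocolForwardingCreationForTypes",
     "spec": {"rules": [{"enforce": False}]}},
])


def main(argv):
    if len(argv) > 1:
        # Live mode: ORGANIZATION_ID on the command line; needs an authenticated gcloud.
        policies_json = subprocess.check_output(
            ["gcloud", "org-policies", "list", f"--organization={argv[1]}", "--format=json"],
            text=True,
        )
    else:
        policies_json = SAMPLE_POLICIES_JSON
    for constraint in missing_baseline(policies_json):
        print(f"NOT ENFORCED: {constraint} ({BASELINE_CONSTRAINTS[constraint]})")
    # Policy file for the "Restrict identities by domain" constraint, ready for set-policy.
    print(render_list_policy("123456789012", "iam.allowedPolicyMemberDomains", ["C0123abcd"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the audit against the constructed sample, or with your organization ID to query gcloud. Note that `is_enforcing` treats a policy whose only rule is `enforce: false` as not enforcing, which is the case that a plain "is there a policy for this constraint" check would miss; write the rendered YAML to a file and pass its path to `gcloud org-policies set-policy` to close a gap the audit reports.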
What's next
For more information about creating and managing organization policies, see Using constraints.