If you are a new customer, Google Cloud automatically provisions an organization resource for your domain in the following scenarios:
- A user from your domain logs in for the first time.
- A user creates a billing account that does not have an associated organization resource.
This organization resource's default configuration, characterized by unrestricted access, can make the infrastructure susceptible to security breaches. For example, default service account key creation is a critical vulnerability exposing systems to potential breaches.
With the secure-by-default organization policy enforcements, insecure postures are addressed with a bundle of organization policies that are enforced at the time of creation of an organization resource. Examples of these enforcements include disabling service account key creation and disabling service account key upload.
When an existing user creates an organization, the security posture for the new organization resource might be different from the existing organization resources. Secure-by-default organization policies are enforced for all organizations created on or after May 3, 2024. Some organizations created between February 2024 and April 2024 might also have these default policy enforcements set. To view organization policies applied to your organization, see Viewing organization policies.
As an administrator, following are the scenarios where these organization policy enforcements are applied automatically:
- Google Workspace or Cloud Identity account: When you have a Google Workspace or Cloud Identity account, an organization resource is created that is associated with your domain. The secure-by-default organization policies are enforced automatically on the organization resource.
- Billing account creation: If the billing account you create is not associated with an organization resource, then an organization resource is automatically created. The secure-by-default organization policies are enforced on the organization resource. This scenario works on both the Google Cloud console and gcloud CLI.
Required permissions
The Identity and Access Management role
roles/orgpolicy.policyAdmin
enables
an administrator to manage organization policies. You must be an organization
policy administrator to change or override organization policies.
To grant the role, run the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION --member=PRINCIPAL --role=ROLE
Replace the following:
ORGANIZATION
: Unique identifier of your organization.PRINCIPAL
: The principal to add the binding for. This should be of the formuser|group|serviceAccount:email
ordomain:domain
. For example,user:222larabrown@gmail.com
.ROLE
: Role to grant to the principal. Use the complete path of a predefined role. In this case, it should beroles/orgpolicy.policyAdmin
.
Organization policies enforced on organization resources
The following table lists the organization policy constraints that are automatically enforced when you create an organization resource.
Organization policy name | Organization policy constraint | Description | Impact of enforcement |
---|---|---|---|
Disable service account key creation | constraints/iam.disableServiceAccountKeyCreation |
Prevent users from creating persistent keys for service accounts. For information about managing service account keys, see Provide alternatives to creating service account keys. | Reduces the risk of exposed service account credentials. |
Disable service account key upload | constraints/iam.disableServiceAccountKeyUpload |
Prevent the upload of external public keys to service accounts. For information about accessing resources without service account keys, see these best practices. | Reduces the risk of exposed service account credentials. |
Disable automatic role grants to default service accounts | constraints/iam.automaticIamGrantsForDefaultServiceAccounts |
Prevent default service accounts from receiving the overly permissive IAM role Editor at creation. |
The Editor role allows the service account to create and delete resources for most Google Cloud services, which creates a vulnerability if the service account gets compromised. |
Restrict identities by domain | constraints/iam.allowedPolicyMemberDomains |
Limit resource sharing to identities that belong to a particular organization resource. | Leaving the organization resource open to access by actors with domains other than the customer's own creates a vulnerability. |
Restrict contacts by domain | constraints/essentialcontacts.allowedContactDomains |
Limit Essential Contacts to only allow managed user identities in selected domains to receive platform notifications. | A bad actor with a different domain might get added as Essential Contacts, leading to a compromised security posture. |
Uniform bucket-level access | constraints/storage.uniformBucketLevelAccess |
Prevent Cloud Storage buckets from using per-object ACL (a separate system from IAM policies) to provide access. | Enforces consistency for access management and auditing. |
Use zonal DNS by default | constraints/compute.setNewProjectDefaultToZonalDNSOnly |
Set restrictions where application developers cannot choose global DNS settings for Compute Engine instances. | Global DNS settings have lower service reliability than zonal DNS settings. |
Restrict protocol forwarding based on type of IP address | constraints/compute.restrictProtocolForwardingCreationForTypes |
Restrict the configuration of protocol forwarding for internal IP addresses only. | Protects target instances from exposure to external traffic. |
Manage enforcement of organization policies
You can manage the enforcement of organization policies in the following ways:
List organization policies
To check whether the secure-by-default organization policies are enforced on your organization, use the following command:
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
Replace ORGANIZATION_ID
with the unique identifier of your organization.
Disable organization policies
To disable or delete an organization policy, run the following command:
gcloud org-policies delete CONSTRAINT_NAME --organization=ORGANIZATION_ID
Replace the following:
CONSTRAINT_NAME
is the name of the organization policy constraint you want to delete. An example isiam.allowedPolicyMemberDomains
.ORGANIZATION_ID
is the unique identifier of your organization.
Add or update values for an organization policy
To add or update values for an organization policy, you need to store the values in a YAML file. An example of what the contents of this file can look like:
{
"name": "organizations/ORG_ID/policies/CONSTRAINT_NAME",
"spec": {
"rules": [
{
"values": {
"allowedValues": ["VALUE_A"]
}
}
]
}
}
To add or update these values listed in the YAML file, run the following command:
gcloud org-policies set-policy POLICY_FILE
Replace POLICY_FILE
with the path to the YAML file that contains the
values of the organization policy.