This page guides you through creating a new folder for Sovereign Controls by Partners. You must create this folder before creating any other resources that are intended for use with Sovereign Controls by Partners.
Before you begin
Before you can create a new folder, ensure that you've done the following:
- Completed onboarding to Google Cloud and received an email instructing you to create a partner-managed folder.
- Ensure that you understand the restrictions and limitations associated with the control package your partner is offering.
Create a new folder
- In the Google Cloud console, go to the Assured Workloads page.
- If prompted, select your organization.
- Click CREATE to go to the Create an Assured Workloads folder page.
- In the step to Add folder details:
- In Folder name, enter a unique name for the folder, such as
aw-my-folder-name
. The folder name must be a minimum of 4 characters in length and a maximum of 30, and can only contain letters, numbers, spaces, and hyphens. - In Organization, select the organization in which to create your folder. This location can't be changed later.
- In Folder location, select the location in the resource hierarchy where the folder will be created. A Sovereign Controls by Partners folder can be created as a child of an organization or of another folder.
- Click Next.
- In Folder name, enter a unique name for the folder, such as
- In the step to Choose a control package option, select Sovereign Controls.
- Select your partner-managed solution from the drop-down menu.
- Select a sub-billing account if your partner created one for you.
- In Select resource location, choose the location where resource creation and usage will be enforced by the folder's organization policy.
- Review the details about your selections and click Next.
- In the step to Configure additional settings, you must create a new project and a key ring for your Customer Managed Encryption Keys (CMEK). No keys are created during this step, as Sovereign Controls by Partners doesn't automatically create any cryptographic keys for you.
- Depending on which sovereign partner you've chosen, you may have an
additional Manage partner permissions step. In this step, you can
choose to grant your partner access to the following data:
- Monitoring: This includes permissions to view Assured Workloads monitoring information about your folder. This includes any unresolved or resolved compliance violations, and any exceptions you've granted for those violations.
- Access Transparency and emergency access logs: This includes permissions to view Access Transparency logs and emergency access logs for your folder.
- Access Approval information: This includes permissions to view Access Approval logs for your folder.
- After you've made your selections, click Next.
- In the step to Review and create folder, review the details about your new Sovereign Controls by Partners folder and ensure that they are correct. Then, click Create Folder.
After completing these steps, Sovereign Controls by Partners creates the following resources:
- A Sovereign Controls by Partners folder, which enforces security controls on supported Google Cloud products to adhere with the your partner offering. These controls include setting an organization policy that restricts resource usage to only those supported products, and allows creating or using resources only in allowed locations.
- A CMEK project that contains the configured CMEK key ring.
Partner permissions
If you choose to grant your partner access to Assured Workloads monitoring and access history data, you can revoke this access at any time. To grant or revoke access for all types of data, complete the following steps:
In the Google Cloud console, go to the Assured Workloads page.
Click the name of your Sovereign Controls by Partners folder to view the folder's details.
From the Assured Workloads Folder Details page, click the Configure Partner Permissions button in the info Partner permissions section.
In the Configure partner permissions panel, select the checkboxes to grant or revoke permission for each type of data, and then click Save.
Your partner's access to this data will be granted or revoked depending on your selections.
Monitoring
To enable partner access to your folder's Assured Workloads monitoring data, an Identity and Access Management (IAM) role is granted to the Cloud Controls Partner Service Agent. Like all service agents, the Cloud Controls Partner Service Agent acts on behalf of Sovereign Controls by Partners. It is visible in the IAM policy for your Sovereign Controls by Partners folder, and uses the following email format, where FOLDER_ID is the ID of that folder:
service-folder-[FOLDER_ID]@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com
The service agent is granted the
Cloud Controls Partner Monitoring Service Agent
(roles/cloudcontrolspartner.monitoringServiceAgent
) IAM role on
your folder. See the
IAM reference
for more information about this role and its permissions.
Next steps
- Learn how to configure partner-managed KMS