Sovereign Controls Advanced by CNTXT

This page describes the set of controls that are applied on Sovereign Controls Advanced by CNTXT folders in Sovereign Controls by Partners. It provides detailed information about supported Google Cloud products and their API endpoints, as well as any applicable restrictions or limitations on those products.

See the CNTXT site Sovereign Controls Advanced by CNTXT for more information about this offering.

Supported products and API endpoints

Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table. If a product is not listed, that product is unsupported and has not met the control requirements for Sovereign Controls Advanced by CNTXT. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model. Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

Services that interact with Customer Data in their API operations provide regional API endpoints. These must be used instead of the service's global API endpoint in Sovereign Controls Advanced by CNTXT. For services whose API operations don't interact with Customer Data, using global API endpoints is allowed. See the Assured Workloads Data residency page for more information.

Supported product API endpoints Restrictions or limitations
Access Transparency Regional API endpoints are not supported.

Global API endpoints:
  • accessapproval.googleapis.com
None
Artifact Registry Regional API endpoints:
  • artifactregistry.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
BigQuery Regional API endpoints:
  • bigquery.me-central2.rep.googleapis.com
  • bigqueryconnection.me-central2.rep.googleapis.com
  • bigqueryreservation.me-central2.rep.googleapis.com
  • bigquerystorage.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Affected features
Bigtable Regional API endpoints:
  • bigtable.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Affected features
Compute Engine Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
Affected features and organization policy constraints
Sensitive Data Protection Regional API endpoints:
  • dlp.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
Dataflow Regional API endpoints:
  • dataflow.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
Dataproc Regional API endpoints:
  • dataproc.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Affected features
Cloud DNS Regional API endpoints are not supported.

Global API endpoints:
  • dns.googleapis.com
None
Essential Contacts Regional API endpoints are not supported.

Global API endpoints:
  • essentialcontacts.googleapis.com
None
Filestore Regional API endpoints are not supported.

Global API endpoints:
  • file.googleapis.com
None
Cloud Next Generation Firewall Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
Google Cloud Armor Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
Identity and Access Management (IAM) Regional API endpoints are not supported.

Global API endpoints:
  • iam.googleapis.com
None
Identity-Aware Proxy Regional API endpoints are not supported.

Global API endpoints:
  • iap.googleapis.com
None
Cloud Key Management Service (Cloud KMS) Regional API endpoints:
  • cloudkms.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Organization policy constraints
Cloud HSM Regional API endpoints:
  • cloudkms.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
Cloud External Key Manager (Cloud EKM) Regional API endpoints:
  • cloudkms.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
Google Kubernetes Engine Regional API endpoints are not supported.

Global API endpoints:
  • container.googleapis.com
  • containersecurity.googleapis.com
Organization policy constraints
GKE Hub Regional API endpoints are not supported.

Global API endpoints:
  • gkehub.googleapis.com
None
Cloud Load Balancing Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
Affected features
Cloud Logging Regional API endpoints:
  • logging.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Affected features
Cloud Monitoring Regional API endpoints are not supported.

Global API endpoints:
  • monitoring.googleapis.com
Affected features
Network Connectivity Center Regional API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
None
Cloud NAT Regional API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
None
Cloud Router Regional API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
None
Cloud Interconnect Regional API endpoints are not supported.

Global API endpoints:
  • networkconnectivity.googleapis.com
Affected features
Organization Policy Service Regional API endpoints are not supported.

Global API endpoints:
  • orgpolicy.googleapis.com
None
Persistent Disk Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
Pub/Sub Regional API endpoints:
  • pubsub.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
Resource Manager Regional API endpoints are not supported.

Global API endpoints:
  • cloudresourcemanager.googleapis.com
None
Cloud Run Regional API endpoints are not supported.

Global API endpoints:
  • run.googleapis.com
None
Secret Manager Regional API endpoints:
  • secretmanager.me-central2.rep.googleapis.com

Global API endpoints are not supported.
None
Service Directory Regional API endpoints are not supported.

Global API endpoints:
  • servicedirectory.googleapis.com
None
Spanner Regional API endpoints:
  • spanner.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Affected features and organization policy constraints
Cloud SQL Regional API endpoints are not supported.

Global API endpoints:
  • sqladmin.googleapis.com
Affected features and organization policy constraints
Cloud Storage Regional API endpoints:
  • storage.me-central2.rep.googleapis.com

Global API endpoints are not supported.
Organization policy constraints
Virtual Private Cloud Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None
VPC Service Controls Regional API endpoints are not supported.

Global API endpoints:
  • accesscontextmanager.googleapis.com
None
Cloud VPN Regional API endpoints are not supported.

Global API endpoints:
  • compute.googleapis.com
None

Restrictions and limitations

The following sections describe cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Sovereign Controls Advanced by CNTXT folders.

Google Cloud-wide

Affected Google Cloud-wide features

Feature Description
Google Cloud console To access the Google Cloud console when using the Sovereign Controls Advanced by CNTXT control package, you must use one of the following URLs:
For more information, see the Jurisdictional Google Cloud console page.

Google Cloud-wide organization policy constraints

The following organization policy constraints apply across any applicable Google Cloud service.

Organization policy constraint Description
gcp.resourceLocations Set to the following locations in the allowedValues list:
  • me-central2
This value restricts creation of any new resources to the selected value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See the Organization policy value groups documentation for more information.
gcp.restrictNonCmekServices Set to a list of all in-scope API service names, including:
  • compute.googleapis.com
  • container.googleapis.com
  • pubsub.googleapis.com
  • storage.googleapis.com
  • sqladmin.googleapis.com
  • logging.googleapis.com
  • bigquery.googleapis.com
  • artifactregistry.googleapis.com
  • bigtable.googleapis.com
  • composer.googleapis.com
  • dataflow.googleapis.com
  • dataproc.googleapis.com
  • spanner.googleapis.com
  • secretmanager.googleapis.com
  • run.googleapis.com
  • notebooks.googleapis.com
  • integrations.googleapis.com
  • documentai.googleapis.com
  • cloudfunctions.googleapis.com
  • aiplatform.googleapis.com
  • workstations.googleapis.com
Some features may be impacted for each of the services listed above.

Each listed service requires Customer-managed encryption keys (CMEK). CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms.

Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
gcp.restrictTLSVersion Set to deny the following TLS versions:
  • TLS_1_0
  • TLS_1_1
See the Restrict TLS versions page for more information.

BigQuery

Affected BigQuery features

Feature Description
Enabling BigQuery on a new folder BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
  1. In the Google Cloud console, go to the Assured Workloads page.

    Go to Assured Workloads

  2. Select your new Assured Workloads folder from the list.
  3. On the Folder Details page in the Allowed services section, click Review Available Updates.
  4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

    If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

Gemini in BigQuery is not supported by Assured Workloads.

Unsupported features The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is the your responsibility not to use them in BigQuery for Sovereign Controls by Partners.
Unsupported integrations The following BigQuery integrations are not supported. It is your responsibility not to use them with BigQuery for Sovereign Controls by Partners.
  • The CreateTag, SearchCatalog, Bulk tagging, and Business Glossary API methods of the Data Catalog API can process and store technical data in a way that is not supported. It is your responsibility not to use those methods for Sovereign Controls by Partners.
Supported BigQuery APIs The following BigQuery APIs are supported:
BigQuery CLI The BigQuery CLI is supported.

Google Cloud SDK You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, run gcloud --version and then gcloud components update to update to the newest version.
Administrator controls BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard.
Loading data BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Sovereign Controls by Partners workloads.
Third-party transfers BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.
Non-compliant BQML models Externally-trained BQML models are not supported.
Query jobs Query jobs should only be created within Sovereign Controls by Partners folders.
Queries on datasets in other projects BigQuery does not prevent Sovereign Controls by Partners datasets from being queried from non-Sovereign Controls by Partners projects. You should ensure that any query that has a read or a join on Sovereign Controls by Partners data be placed in a Sovereign Controls by Partners folder. You can specify a fully-qualified table name for their query result using projectname.dataset.table in the BigQuery CLI.
Cloud Logging BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

See Regionalize your logs for more information.

Bigtable

Affected Bigtable features

Feature Description
Split boundaries Bigtable uses a small subset of row keys to define split boundaries, which may include customer data and metadata. A split boundary in Bigtable denotes the location where contiguous ranges of rows in a table are split into tablets.

These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners.

Cloud KMS

Cloud KMS organization policy constraints

Organization policy constraint Description
cloudkms.allowedProtectionLevels Set to allow creating only Cloud KMS keys with one of the following ProtectionLevel types:
  • EXTERNAL
  • EXTERNAL_VPC

Cloud Logging

Affected Cloud Logging features

Feature Description
Log sinks Filters shouldn't contain Customer Data.

Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
Live tailing log entries Filters shouldn't contain Customer Data.

A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.
Log-based alerts This feature is disabled.

You cannot create log-based alerts in the Google Cloud console.
Shortened URLs for Logs Explorer queries This feature is disabled.

You cannot create shortened URLs of queries in the Google Cloud console.
Saving queries in Logs Explorer This feature is disabled.

You cannot save any queries in the Google Cloud console.
Log Analytics using BigQuery This feature is disabled.

You cannot use the Log Analytics feature.
SQL-based alerting policies This feature is disabled.

You cannot use the SQL-based alerting policies feature.

Cloud Monitoring

Affected Cloud Monitoring features

Feature Description
Synthetic Monitor This feature is disabled.
Uptime check This feature is disabled.
Log panel widgets in Dashboards This feature is disabled.

You cannot add a log panel to a dashboard.
Error reporting panel widgets in Dashboards This feature is disabled.

You cannot add an error reporting panel to a dashboard.
Filter in EventAnnotation for Dashboards This feature is disabled.

Filter of EventAnnotation cannot be set in a dashboard.
SqlCondition in alertPolicies This feature is disabled.

You cannot add a SqlCondition to an alertPolicy.

Cloud Load Balancing

Affected Cloud Load Balancing features

Organization policy constraint Description
Regional load balancers You must use only regional load balancers with Sovereign Controls Advanced by CNTXT. See the following pages for more information about configuring regional load balancers:

Cloud Storage

Cloud Storage organization policy constraints

Organization policy constraint Description
storage.uniformBucketLevelAccess Set to True.

Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs). This constraint provides fine-grained permissions for buckets and their contents.

If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.
storage.restrictAuthTypes Set to prevent authentication using hash-based message authentication code (HMAC). The following two HMAC types are specified in this constraint value:
  1. USER_ACCOUNT_HMAC_SIGNED_REQUESTS
  2. SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS
By default, HMAC keys are prevented from authenticating to Cloud Storage resources for workloads in Sovereign Controls by Partners. HMAC keys affect data sovereignty because they can be used to access customer data without customer knowledge. See HMAC keys in the Cloud Storage docs.

Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.

Cloud Interconnect

Affected Cloud Interconnect features

Feature Description
High-availability (HA) VPN You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Cloud VPN section.

Compute Engine

Affected Compute Engine features

Feature Description
Suspending and resuming a VM instance This feature is disabled.

Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Local SSDs This feature is disabled.

You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Viewing serial port output This feature is disabled; you will be unable to view the output either programmatically or via Cloud Logging.

Change the compute.disableSerialPortLogging organization policy constraint value to False to enable serial port output.
Guest environment It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

These components help you meet data sovereignty through internal security controls and processes. However, for customers who want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

See the Building a custom image page for more information.
instances.getSerialPortOutput() This API is disabled; you will be unable to get serial port output from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project.
instances.getScreenshot() This API is disabled; you will be unable to get a screenshot from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project.

Compute Engine organization policy constraints

Organization policy constraint Description
compute.enableComplianceMemoryProtection Set to True.

Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.

Changing this value may affect your data residency or data sovereignty.
compute.disableInstanceDataAccessApis Set to True.

Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

compute.disableGlobalCloudArmorPolicy Set to True.

Disables creating Google Cloud Armor security policies.

compute.disableGlobalLoadBalancing Set to True.

Disables creation of global load balancing products.

Changing this value may affect data residency in your workload; we recommend keeping the set value.
compute.disableSshInBrowser Set to True.

Disables the SSH-in-browser tool in the Google Cloud console for VMs that use OS Login and App Engine flexible environment environment VMs.

Changing this value may affect your data residency or data sovereignty.
compute.restrictNonConfidentialComputing

(Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information.

compute.trustedImageProjects

(Optional) Value is not set. Set this value to provide additional defense-in-depth.

Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

Dataproc

Affected Dataproc features

Feature Description
Google Cloud console Dataproc does not currently support the Jurisdictional Google Cloud console. To enforce data residency, ensure that you use either the Google Cloud CLI or the API when using Dataproc.

Google Kubernetes Engine

Google Kubernetes Engine organization policy constraints

Organization policy constraint Description
container.restrictNoncompliantDiagnosticDataAccess Set to True.

Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload.

Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.

Spanner

Affected Spanner features

Feature Description
Split boundaries Spanner uses a small subset of primary keys and indexed columns to define split boundaries, which may include customer data and metadata. A split boundary in Spanner denotes the location where contiguous ranges of rows are split into smaller pieces.

These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners.

Spanner organization policy constraints

Organization policy constraint Description
spanner.assuredWorkloadsAdvancedServiceControls Set to True.

Applies additional data sovereignty and supportability controls to Spanner resources.
spanner.disableMultiRegionInstanceIfNoLocationSelected Set to True.

Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty.

Cloud SQL

Affected Cloud SQL features

Feature Description
Query insights When deploying a Cloud SQL instance, Query insights can only be used if application tags are not enabled. If application tags are enabled, you will receive an error message when attempting to use Query insights.

Cloud SQL organization policy constraints

Organization policy constraint Description
sql.restrictNoncompliantDiagnosticDataAccess Set to True.

Applies additional data sovereignty and supportability controls to Spanner resources.
sql.restrictNoncompliantResourceCreation Set to True.

Applies additional data sovereignty controls to prevent creation of non-compliant Spanner resources.