Restrictions and limitations in T-Systems Sovereign Cloud

This topic describes the restrictions, limitations, and other configuration options when using T-Systems Sovereign Cloud.

Overview

T-Systems Sovereign Cloud (TSI Sovereign Cloud) provides data residency and data sovereignty features for in-scope Google Cloud services. To provide these features, some of these services' features are restricted or limited. Most of these changes are applied during the onboarding process when your organization becomes managed by T-Systems International (TSI), however some of them can be changed later by modifying organization policies.

It's important to understand how these restrictions modify the behavior for a given Google Cloud service or affect data sovereignty or data residency. For example, some features or capabilities may be automatically disabled to ensure that data sovereignty and data residency are maintained. Additionally, if an organization policy setting is changed, it might have the unintended consequence of copying data from one region to another.

In-scope services and APIs

Services

Compute Engine
- Organization policies
- Impacted features
Persistent Disk
Cloud Storage
- Organization policies
Cloud SQL
Cloud Key Management Service (Cloud KMS)
- Organization policies
Google Kubernetes Engine
- Organization policies
Cloud Logging
- Impacted features

APIs

The following API endpoints are available in TSI Sovereign Cloud:

accessapproval.googleapis.com
accesscontextmanager.googleapis.com
axt.googleapis.com
clientauthconfig.googleapis.com
cloudbilling.googleapis.com
cloudkms.googleapis.com
cloudnotifications.googleapis.com
cloudresourcemanager.googleapis.com
cloudsql.googleapis.com
cloudsupport.googleapis.com
compute.googleapis.com
container.googleapis.com
essentialcontacts.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
orgpolicy.googleapis.com
servicenetworking.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com
storage.googleapis.com
sts.googleapis.com
vpcaccess.googleapis.com

Organization policies

This section describes how each service is affected by the default organization policy constraint values when folders or projects are created using TSI Sovereign Cloud. Other applicable constraints — even if not set by default — can provide additional "defense-in-depth" to further protect your organization's Google Cloud resources.

Cloud-wide organization policy constraints

The following organization policy constraints apply across any applicable Google Cloud service.

Organization Policy Constraint	Description
`gcp.resourceLocations`	Set to `in:tsi-sovereign` as the `allowedValues` list item. This value restricts creation of any new resources to the TSI value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of those defined by TSI. See the Organization policy value groups documentation for more information.
`gcp.restrictNonCmekServices`	Set to a list of all in-scope API service names, including: `compute.googleapis.com` `container.googleapis.com` `logging.googleapis.com` `sqladmin.googleapis.com` `storage.googleapis.com` Some features may be impacted for each of the services listed above. See the Impacted Features section below. Each listed service requires Customer-managed encryption keys (CMEK). CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms. Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, as new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
`gcp.restrictCmekCryptoKeyProjects`	Set to `under:organizations/your-organization-name`, which is your TSI Sovereign Cloud organization. You can further restrict this value by specifying a project or folder. Limits the scope of approved folders or projects that can provide KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data.

Compute Engine organization policy constraints

Organization Policy Constraint	Description
`compute.enableComplianceMemoryProtection`	Set to True. Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs. Changing this value may affect your data residency or data sovereignty.
`compute.disableSerialPortLogging`	Set to True. Disables serial port logging to Stackdriver from Compute Engine VMs in the folder or project where the constraint is enforced. Changing this value may affect your data residency or data sovereignty.
`compute.disableInstanceDataAccessApis`	Set to True. Globally disables the `instances.getSerialPortOutput()` and `instances.getScreenshot()` APIs.
`compute.restrictNonConfidentialComputing`	(Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information.
`compute.trustedImageProjects`	(Optional) Value is not set. Set this value to provide additional defense-in-depth. Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

Cloud Storage organization policy constraints

Organization Policy Constraint Description

storage.uniformBucketLevelAccess Set to True.

Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs). This constraint provides fine-grained permissions for buckets and their contents.

If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.

Organization Policy Constraint	Description
`storage.uniformBucketLevelAccess`	Set to True. Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs). This constraint provides fine-grained permissions for buckets and their contents. If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.
`storage.restrictAuthTypes`	Set to prevent authentication using hash-based message authentication code (HMAC). The following two HMAC types are specified in this constraint value: `USER_ACCOUNT_HMAC_SIGNED_REQUESTS` `SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS` By default, HMAC keys are prevented from authenticating to Cloud Storage resources for workloads in TSI Sovereign Cloud. HMAC keys affect data sovereignty because they can be used to access customer data without customer knowledge. See the HMAC keys in the Cloud Storage docs. Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.

storage.restrictAuthTypes

Set to prevent authentication using hash-based message authentication code (HMAC). The following two HMAC types are specified in this constraint value:

USER_ACCOUNT_HMAC_SIGNED_REQUESTS
SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS

By default, HMAC keys are prevented from authenticating to Cloud Storage resources for workloads in TSI Sovereign Cloud. HMAC keys affect data sovereignty because they can be used to access customer data without customer knowledge. See the HMAC keys in the Cloud Storage docs.

Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.

Google Kubernetes Engine organization policy constraints

Organization Policy Constraint	Description
`container.restrictNoncompliantDiagnosticDataAccess`	Set to True. Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload. Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.

Cloud Key Management Service organization policy constraints

Organization Policy Constraint	Description
`cloudkms.allowedProtectionLevels`	Set to `EXTERNAL` and `EXTERNAL_VPC`. Restricts the Cloud Key Management Service CryptoKey types that may be created, and is set to allow only `EXTERNAL` and `EXTERNAL_VPC` key types.

Impacted features

This section lists how each service's features or capabilities are impacted by TSI Sovereign Cloud.

Compute Engine features

Feature	Description
Suspending and resuming a VM instance	This feature is disabled. Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the `gcp.restrictNonCmekServices` org policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Local SSDs	This feature is disabled. You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the `gcp.restrictNonCmekServices` org policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Viewing serial port output	This feature is disabled; you will be unable to view the output either programmatically or via Cloud Logging. Change the `compute.disableSerialPortLogging` organization policy constraint value to False to enable serial port output.
Guest environment	It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, for customers who want additional control, you can also curate your own images or agents and optionally use the `compute.trustedImageProjects` organization policy constraint. See the Building a custom image topic for more information.
`instances.getSerialPortOutput()`	This API is disabled; you will be unable to get serial port output from the specified instance using this API. Change the `compute.disableInstanceDataAccessApis` organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in this topic.
`instances.getScreenshot()`	This API is disabled; you will be unable to get a screenshot from the specified instance using this API. Change the `compute.disableInstanceDataAccessApis` organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in this topic.

Cloud Logging features

Required additional Cloud Logging configuration for CMEK

To use Cloud Logging with Customer-Managed Encryption Keys (CMEK), you must complete the steps in the Enable CMEK for an organization topic in the Cloud Logging documentation.

Impacted Cloud Logging features

Feature	Description
Log sinks	Filters shouldn't contain Customer Data. Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
Live tailing log entries	Filters shouldn't contain Customer Data. A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.
Log-based alerts	This feature is disabled. You cannot create log-based alerts in the Google Cloud console.
Shortened URLs for Logs Explorer queries	This feature is disabled. You cannot create shortened URLs of queries in the Google Cloud console.
Saving queries in Logs Explorer	This feature is disabled. You cannot save any queries in the Google Cloud console.
Log Analytics using BigQuery	This feature is disabled. You cannot use the Log Analytics feature.