GCP - Baseline configuration
The Public Cloud team provisions Google Cloud Platform projects with the base configuration detailed below.
Identity and Access Management (IAM)
- Owner role granted to principal <project name>@g-groups.wisc.edu
  - This grants the owner of the account and anyone else in this Google Group Owner access to the project
- Owner role granted to the principal uw-provisioning service account so we can continue to manage accounts via Terraform, if needed
Security
- Security Command Center is enabled at the organization level; it sends critical- and high-severity findings to the Cybersecurity Operations Center (CSOC)
- Security Command Center is centrally funded and does not incur any extra cost to GCP projects
- You can view findings in your project by selecting Security in the left navigation bar or by searching for "security" in the top search bar
Budget alerts
- Budget alerts are configured based on the value submitted in the account request form. Budget alerts are sent to <project name>@g-groups.wisc.edu so that everyone in the group receives the notification
Networking
- Default GCP compute network is created with subnets in multiple regions
- Firewall rules are applied to the default network
  - Allow ICMP, SSH and RDP from campus IP ranges
Billing
- If no resources are created in a GCP project after handover, its monthly cost should be ~$0.00
- Each GCP project is placed in the appropriate billing account based on grant source or on whether you have credits from Google
- Bill-back is done monthly; customers receive charges one month in arrears. Charges are billed to your DoIT Billing Customer ID Number
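The IAM, Networking and Budget alert items above expressed as Terraform, as an added example; this is not the Public Cloud team's own provisioning code. It assumes a configured google provider, and the project id, group address, campus CIDR (TEST-NET-3 stands in), billing account id and budget amount are placeholders.

```hcl
# Added example, not the Public Cloud team's Terraform. All values below are placeholders.
variable "project_id"   { default = "example-project" }
variable "group"        { default = "example-project@g-groups.wisc.edu" }
variable "campus_cidrs" { default = ["203.0.113.0/24"] }   # TEST-NET-3 stands in for campus ranges
data "google_project" "this" { project_id = var.project_id }

# IAM: Owner granted to the project's Google Group, so every member of the group is an Owner.
resource "google_project_iam_member" "group_owner" {
  project = var.project_id
  role    = "roles/owner"
  member  = "group:${var.group}"
}

# Firewall on the default network: ICMP, SSH and RDP reachable only from campus ranges, never 0.0.0.0/0.
resource "google_compute_firewall" "campus_admin" {
  project       = var.project_id
  name          = "allow-icmp-ssh-rdp-from-campus"
  network       = "default"
  direction     = "INGRESS"
  source_ranges = var.campus_cidrs
  allow { protocol = "icmp" }
  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

# Budget alerts go to the group address rather than to individual billing IAM recipients.
resource "google_monitoring_notification_channel" "group_email" {
  project      = var.project_id
  display_name = "Project Google Group"
  type         = "email"
  labels       = { email_address = var.group }
}
resource "google_billing_budget" "project_budget" {
  billing_account = "000000-000000-000000"   # placeholder billing account id
  display_name    = "${var.project_id}-budget"
  budget_filter { projects = ["projects/${data.google_project.this.number}"] }
  amount {
    specified_amount {
      currency_code = "USD"
      units         = "100"   # placeholder: the value from the account request form
    }
  }
  threshold_rules { threshold_percent = 1.0 }
  all_updates_rule {
    monitoring_notification_channels = [google_monitoring_notification_channel.group_email.id]
    disable_default_iam_recipients   = true
  }
}
```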
If you have any questions, feedback or ideas, please Contact Us.