GCP - Baseline configuration
The Public Cloud team provisions Google Cloud Platform projects with the base configuration detailed below.
Identity and Access Management (IAM)
- Owner role granted to principal <project name>@g-groups.wisc.edu
- This grants the owner of the account and anyone else in this Google Group owner access to the project
- Owner role granted to principal uw-provisioning service account so we can continue to manage accounts via Terraform, if needed
Security
- Security Command Center is enabled at the organization level, which sends critical and high severity findings to the Cybersecurity Operations Center (CSOC)
- Security Command Center is centrally funded and does not incur any extra cost to GCP projects
- You can view findings in your project by selecting Security in the left navigation bar or by searching for "security" in the top search bar
Budget alerts
- Budget alerts are configured based on the value submitted in the account request form. Budget alerts are sent to <project name>@g-groups.wisc.edu so that everyone in the group will receive the notification
Networking
- Default GCP compute network is created with subnets in multiple regions
- Firewall is applied to default network
- Allows ICMP, SSH, and RDP from campus IP ranges
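A drift check for the firewall baseline above, added here as an example and not the Public Cloud team's own tooling: it reads rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json` and reports ICMP, SSH or RDP ingress allowed from outside campus. The campus ranges and rule names below are constructed placeholders, not the real values.

```python
import ipaddress

# Assumption: placeholder campus ranges (RFC 5737 documentation blocks).
CAMPUS_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

def covers_port(allowed, port):
    """True if one 'allowed' entry of a firewall rule opens the given TCP port."""
    if allowed["IPProtocol"] not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:                      # no port list means every port
        return True
    for p in ports:                    # entries are "22" or ranges like "20-25"
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def in_campus(cidr):
    """True if the source range lies entirely inside a campus range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in CAMPUS_RANGES)

def audit(rules):
    """Return (rule name, service, source range) for each exposure outside campus.
    Rules scoped by sourceTags instead of sourceRanges are not evaluated here."""
    findings = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled"):
            continue
        for a in r.get("allowed", []):
            labels = [n for n, port in (("ssh", 22), ("rdp", 3389)) if covers_port(a, port)]
            if a["IPProtocol"] in ("icmp", "all"):
                labels.append("icmp")
            for src in r.get("sourceRanges", []):
                if not in_campus(src):
                    findings += [(r["name"], label, src) for label in labels]
    return findings

# Constructed sample: one rule matching the baseline, one opened up after handover.
SAMPLE_RULES = [
    {"name": "baseline-campus", "direction": "INGRESS", "sourceRanges": ["192.0.2.0/24"],
     "allowed": [{"IPProtocol": "icmp"}, {"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "added-later", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
]

if __name__ == "__main__":
    for name, service, src in audit(SAMPLE_RULES):
        print(f"{name}: {service} allowed from {src}")
```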
Billing
- If no resources are created in a GCP project after handover, its monthly cost should be ~$0.00
- Each GCP project is placed in the appropriate billing account based on grant source or whether you have credits from Google
- Billing back is done monthly with a month lag, and charges are billed to your DoIT Billing Customer Id Number
If you have any questions, feedback or ideas please Contact Us
