Organizational Policies for GCP High Risk data accounts
GCP high risk data organizational policies.
The following organizational constraints are provisioned in our GCP high-risk accounts as part of our work with the RHEDCloud foundation for HIPAA class data (sensitive and restricted data). These policies are applied by default to all "high-risk" accounts.
Broadly, these policies are intended to:
- Limit creation of Service Accounts
- Limit resources to US regions
- Limit logins to UW NetID Single Sign On, which includes multi-factor authentication
- Enable additional monitoring and security tooling using Google Security Command Center Premium
These can be supplemented by additional account-level tools for GCP High Risk data accounts. Should you need assistance with, or an exception to, one of these policies, please contact the Public Cloud Team.
To learn more about the constraints, see the Org Policy Constraints GCP documentation.
Friendly Name | GCP Name of Constraint | Setting |
---|---|---|
Define allowed external IPs for VM instances | constraints/compute.vmExternalIpAccess | blocked |
Define trusted image projects | constraints/compute.trustedImageProjects | none by default |
Disable Automatic IAM Grants for Default Service Accounts | constraints/iam.automaticIamGrantsForDefaultServiceAccounts | blocked |
Disable Automatic IAM Grants for Default Service Accounts | constraints/iam.automaticIamGrantsForDefaultServiceAccounts | none |
Disable service account creation | constraints/iam.disableServiceAccountCreation | blocked |
Disable service account key creation | constraints/iam.disableServiceAccountKeyCreation | blocked |
Disable VM nested virtualization | constraints/compute.disableNestedVirtualization | blocked |
Domain restricted sharing | constraints/iam.allowedPolicyMemberDomains | only wisc.edu netIDs |
Google Cloud Platform - Resource Location Restriction | constraints/gcp.resourceLocations | Limited to US regions |
Require OS Login | constraints/compute.requireOsLogin | required |
Restrict Public IP access on Cloud SQL Instances | constraints/sql.restrictPublicIp | Enforced |
Restrict VM IP Forwarding | constraints/compute.vmCanIpForward | All Denied |
Shielded VMs | constraints/compute.requireShieldedVm | Enforced |
Skip default network creation | constraints/compute.skipDefaultNetworkCreation | Enforced |
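As an added example (not code from this page or from the Public Cloud Team), the following Python script checks a project's exported org policies against the baseline in the table above and reports any constraint that is missing, reset to default, or weaker than required. It assumes the JSON shape printed by `gcloud resource-manager org-policies list --project PROJECT --format=json` (v1 Org Policy objects with `constraint`, `booleanPolicy`, `listPolicy` and `restoreDefault`); the sample export embedded below is constructed, and the domain-restricted-sharing check only verifies that an allow list is present, not that it names the wisc.edu customer ID.

```python
"""Audit a project's org-policy export against the high-risk baseline above."""
import json

# Expected posture per constraint. trustedImageProjects is "none by default"
# on this page, so it is not part of the enforced baseline and is left out.
#   boolean    -> booleanPolicy.enforced must be true
#   deny_all   -> listPolicy.allValues must be "DENY"
#   allow_list -> listPolicy.allowedValues must be a non-empty list
BASELINE = {
    "constraints/compute.vmExternalIpAccess": "deny_all",
    "constraints/iam.automaticIamGrantsForDefaultServiceAccounts": "boolean",
    "constraints/iam.disableServiceAccountCreation": "boolean",
    "constraints/iam.disableServiceAccountKeyCreation": "boolean",
    "constraints/compute.disableNestedVirtualization": "boolean",
    "constraints/iam.allowedPolicyMemberDomains": "allow_list",
    "constraints/gcp.resourceLocations": "allow_list",
    "constraints/compute.requireOsLogin": "boolean",
    "constraints/sql.restrictPublicIp": "boolean",
    "constraints/compute.vmCanIpForward": "deny_all",
    "constraints/compute.requireShieldedVm": "boolean",
    "constraints/compute.skipDefaultNetworkCreation": "boolean",
}

def satisfies(policy, expected):
    """True if one v1 org-policy object meets the expected posture."""
    if "restoreDefault" in policy:  # policy explicitly reset to Google default
        return False
    if expected == "boolean":
        return policy.get("booleanPolicy", {}).get("enforced") is True
    lp = policy.get("listPolicy", {})
    if expected == "deny_all":
        return lp.get("allValues") == "DENY"
    return bool(lp.get("allowedValues"))  # allow_list: some allow list is set

def audit(policies):
    """Return baseline constraints that are missing or weaker than required."""
    by_name = {p.get("constraint"): p for p in policies}
    return sorted(c for c, exp in BASELINE.items()
                  if c not in by_name or not satisfies(by_name[c], exp))

# Constructed sample export: three compliant policies and one drifted one.
SAMPLE_EXPORT = json.loads("""[
 {"constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {"allValues": "DENY"}},
 {"constraint": "constraints/iam.disableServiceAccountKeyCreation",
  "booleanPolicy": {"enforced": true}},
 {"constraint": "constraints/gcp.resourceLocations",
  "listPolicy": {"allowedValues": ["in:us-locations"]}},
 {"constraint": "constraints/compute.requireOsLogin", "restoreDefault": {}}
]""")

if __name__ == "__main__":
    for drifted in audit(SAMPLE_EXPORT):
        print("DRIFT:", drifted)
```

Pipe a real export into `audit()` to turn the table into a repeatable drift check rather than a one-time provisioning step.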