Also read VPC Service Controls

Combined with Security Command Center, organization policy constraints (GCP's counterpart to AWS SCPs) can provide just about any security guardrail around projects, folders, organizations and the resources within projects.

Service Account and Logging Centric Policies

  • Disable Cloud Logging: constraints/gcp.disableCloudLogging
  • Disable Guest Attributes of Compute Engine metadata: constraints/compute.disableGuestAttributesAccess
  • Disable Internet Network Endpoint Groups: constraints/compute.disableInternetNetworkEndpointGroup
  • Disable service account creation: constraints/iam.disableServiceAccountCreation
  • Disable service account key creation: constraints/iam.disableServiceAccountKeyCreation
  • Disable Service Account Key Upload: constraints/iam.disableServiceAccountKeyUpload

Organization Policies can also be applied at the PROJECT level, not only at the organization.

Restrict Resources to a region

For example, only allow resources in US-based regions.

Disallow public IP creation Policy

  • Disallow Public IP Creation Policy: users cannot get internet connectivity or connectivity back to on-premises.
  • Skip Default Network Creation: Yes (enforce)
  • Disallow Shared VPC: No (allow)
  • Disallow Peered VPC: No (allow)
  • Define trusted image projects: Yes
  • Restrict VM IP forwarding: No
  • Disable Service Account Creation: No
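The two points above (policies can be set at the project level as well as the organization, and a location restriction such as "US regions only") come down to how rules at different levels of the resource hierarchy combine. The following is an added example, not code from the original post: a small model of that combination for the boolean and list constraints named here (skip default network creation, deny external IPs on VMs, restrict resource locations, disable service-account key creation). The constraint IDs are real GCP constraint names; the organization and project names are placeholders, and the expansion of the `in:us-locations` value group is a constructed, partial subset used only for illustration.

```python
"""Added example (not from the original post): how GCP Organization Policy rules
set at the organization and the project level combine into an effective policy.

Assumptions: constraint IDs are real GCP names; org/project names are placeholders;
the `in:us-locations` expansion below is a constructed, partial subset.
"""
from dataclasses import dataclass, field

# Constructed, partial expansion of the `in:us-locations` value group (assumption).
VALUE_GROUPS = {
    "in:us-locations": {"us-central1", "us-east1", "us-east4", "us-west1", "us-west2"},
}


def expand(values):
    """Replace value-group tokens such as `in:us-locations` with their members."""
    out = set()
    for v in values:
        out |= VALUE_GROUPS.get(v, {v})
    return out


@dataclass
class BoolRule:
    """Rule for a boolean constraint: the nearest policy in the hierarchy wins."""
    enforce: bool


@dataclass
class ListRule:
    """Rule for a list constraint. With inherit_from_parent the parent's values are
    merged in; otherwise this rule replaces the parent's policy entirely."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    deny_all: bool = False
    inherit_from_parent: bool = False


# Resource hierarchy, root first: (resource name, {constraint id: rule}).
# Org level mirrors the post's settings; the project level shows a project-scoped
# policy that widens the allowed locations for that one project.
HIERARCHY = [
    ("organizations/ORG_ID_PLACEHOLDER", {
        "constraints/compute.skipDefaultNetworkCreation": BoolRule(enforce=True),
        "constraints/compute.vmExternalIpAccess": ListRule(deny_all=True),
        "constraints/gcp.resourceLocations": ListRule(allowed={"in:us-locations"}),
        "constraints/iam.disableServiceAccountKeyCreation": BoolRule(enforce=True),
    }),
    ("projects/example-project", {
        # inherit_from_parent=True: US locations stay allowed, europe-west1 is added.
        "constraints/gcp.resourceLocations": ListRule(
            allowed={"europe-west1"}, inherit_from_parent=True),
    }),
]


def effective_bool(constraint, hierarchy):
    """Boolean constraints do not merge: the lowest level that sets a rule decides."""
    enforced = False  # default for these constraints is "not enforced"
    for _, policies in hierarchy:
        rule = policies.get(constraint)
        if rule is not None:
            enforced = rule.enforce
    return enforced


def effective_list(constraint, hierarchy):
    """Walk org -> folder -> project and fold each level's rule into the result."""
    eff = ListRule()  # no policy anywhere: everything allowed
    for _, policies in hierarchy:
        rule = policies.get(constraint)
        if rule is None:
            continue  # nothing set here: the parent's effective policy carries through
        if rule.inherit_from_parent:
            eff = ListRule(allowed=eff.allowed | rule.allowed,
                           denied=eff.denied | rule.denied,
                           deny_all=eff.deny_all or rule.deny_all)
        else:
            eff = ListRule(allowed=set(rule.allowed), denied=set(rule.denied),
                           deny_all=rule.deny_all)
    return eff


def list_allows(rule, value):
    """Deny wins over allow; an allowed list, when present, is exhaustive."""
    if rule.deny_all or value in expand(rule.denied):
        return False
    if rule.allowed:
        return value in expand(rule.allowed)
    return True


def check_vm_create(region, external_ip, hierarchy=HIERARCHY):
    """Return the constraint IDs a VM creation request would violate."""
    violations = []
    loc = effective_list("constraints/gcp.resourceLocations", hierarchy)
    if not list_allows(loc, region):
        violations.append("constraints/gcp.resourceLocations")
    if external_ip:
        ext = effective_list("constraints/compute.vmExternalIpAccess", hierarchy)
        # vmExternalIpAccess values are instance names; with deny_all any value is refused.
        instance = "projects/example-project/zones/%s-a/instances/vm" % region
        if not list_allows(ext, instance):
            violations.append("constraints/compute.vmExternalIpAccess")
    return violations


if __name__ == "__main__":
    for region, ext in [("us-central1", False), ("europe-west1", False), ("asia-east1", True)]:
        print(region, "external_ip=%s" % ext, check_vm_create(region, ext) or "allowed")
    print("SA key creation disabled:",
          effective_bool("constraints/iam.disableServiceAccountKeyCreation", HIERARCHY))
```

Running it shows the point of project-level policies: `europe-west1` is refused when only the organization policy is in force, but allowed for `example-project` because its own rule inherits the org's `in:us-locations` list and adds one region; dropping `inherit_from_parent` would instead replace the org list with `europe-west1` alone, which is the usual way a project-level policy silently loosens a guardrail.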


Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.