Useful Organization Policies in GCP
Also read VPC Service Controls
Combined with Security Command Center, organization policy constraints (GCP's analogue of AWS SCPs) can provide just about any security guardrail around projects, folders, organizations, and the resources within projects.
Service Account and Logging Centric Policies
| Policy | Constraint |
| --- | --- |
| Disable Cloud Logging | constraints/gcp.disableCloudLogging |
| Disable Guest Attributes of Compute Engine metadata | constraints/compute.disableGuestAttributesAccess |
| Disable Internet Network Endpoint Groups | constraints/compute.disableInternetNetworkEndpointGroup |
| Disable service account creation | constraints/iam.disableServiceAccountCreation |
| Disable service account key creation | constraints/iam.disableServiceAccountKeyCreation |
| Disable service account key upload | constraints/iam.disableServiceAccountKeyUpload |
Organization policies can be applied at the project level as well, not only at the folder or organization level.
Restrict Resources to a Region
For example, only allow resources in US-based regions.
Disallow Public IP Creation Policy
- Disallow public IP creation: users cannot get internet connectivity or connectivity back to on-premises.
- Skip default network creation: Yes (enforce)
- Disallow shared VPC: No (allow)
- Disallow peered VPC: No (allow)
- Define trusted image projects: Yes
- Restrict VM IP forwarding: No
- Disable service account creation: No
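An added example (not from the original post) showing how the constraints above are applied with Terraform's `google_org_policy_policy` resource: the region restriction and the public-IP ban as list constraints at the organization level, and the service-account and metadata constraints from the table as boolean constraints at the project level. `var.org_id` and `var.project_id` are placeholders for your own IDs.

```hcl
# Added example, not from the original post. var.org_id and var.project_id
# are placeholders for a real organization ID and project ID.
variable "org_id" { type = string }
variable "project_id" { type = string }

# Org-wide list constraint: resources may only be created in US locations.
resource "google_org_policy_policy" "us_only" {
  name   = "organizations/${var.org_id}/policies/gcp.resourceLocations"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        allowed_values = ["in:us-locations"] # documented US value group
      }
    }
  }
}

# Org-wide list constraint: deny every external IP on VM instances.
resource "google_org_policy_policy" "no_public_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Project-level boolean constraints from the table above (org policies can be
# set per project). The "constraints/" prefix is dropped in the policy name.
resource "google_org_policy_policy" "project_booleans" {
  for_each = toset([
    "iam.disableServiceAccountKeyCreation",
    "iam.disableServiceAccountKeyUpload",
    "compute.disableGuestAttributesAccess",
  ])
  name   = "projects/${var.project_id}/policies/${each.key}"
  parent = "projects/${var.project_id}"
  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```

After applying, confirm what a project actually inherits with `gcloud org-policies describe iam.disableServiceAccountKeyCreation --project=PROJECT_ID --effective`, since a policy set lower in the hierarchy can override the parent's.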
Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.