This page contains information about configuring hierarchical security policies to protect you organization, folders, or projects. Before you configure hierarchical security policies, make sure that you're familiar with the information in the hierarchical security policies overview.
Set up IAM permissions for hierarchical security policies
The following operations require that you have the Identity and Access Management (IAM)
role
Compute Organization Security Policy Admin role
(roles/compute.orgSecurityPolicyAdmin
) on the target resource hierarchy
node, or on the policy itself if it already exists:
- Create a new hierarchical security policy
- Modify a hierarchical security policy by adding, updating, or deleting rules
- Delete a hierarchical security policy
The following operations require that you have the IAM
Compute Organization Resource Admin role
(roles/compute.orgSecurityResourceAdmin
)
on the target resource hierarchy node, in addition to either the
Compute Organization Security Policy Admin role
(roles/compute.orgSecurityPolicyAdmin
) or the
Compute Organization Security Policy User role
(roles/compute.orgSecurityPolicyUser
) on either the target resource
hierarchy node or on the policy itself:
- Associate a hierarchical security policy with a resource hierarchy node
Finally, see the following table for a list of miscellaneous operations that you can perform if you have any of the listed roles:
Operations | Roles |
---|---|
View all effective Google Cloud Armor rules for a backend resource |
|
View effective backend resources covered by an organizationSecurityPolicy |
Configure hierarchical security policies
The following sections explain how to create hierarchical security policies, associate them with resource hierarchy nodes, move them between nodes, delete them, and how to view all of the Google Cloud Armor security policy rules that apply to a protected resource.
Create a hierarchical security policy
You create a hierarchical security policy by using the
gcloud beta compute org-security-policies create
command. You create the
hierarchical security policy under an organization or a folder using the
--organization
or --folder
flag, along with the corresponding
ORGANIZATION_ID
or FOLDER_ID
.
Use the following examples to create hierarchical security policies, replacing
POLICY_NAME
with the name that you want to give the new
security policy:
Create an organization-level hierarchical security policy:
gcloud beta compute org-security-policies create \ --organization=ORGANIZATION_ID \ --type=CLOUD_ARMOR \ --short-name=POLICY_NAME
Create a folder-level hierarchical security policy:
gcloud beta compute org-security-policies create \ --folder=FOLDER_ID \ --type=CLOUD_ARMOR \ --short-name=POLICY_NAME
Associate an existing security policy with a resource hierarchy node
If you have an existing security policy, you can associate it with a resource
hierarchy node by using the gcloud beta compute org-security-policies associations create
command. Replace the following:
POLICY_ID
: the ID of the security policyPOLICY_NAME
: the name of the security policyORGANIZATION_ID
: the ID of the organizationFOLDER_ID
: the ID of the folderPROJECT_ID
: the ID of the projectAssociate a hierarchical security policy to an organization:
gcloud beta compute org-security-policies associations create \ --security-policy=POLICY_ID \ --organization=ORGANIZATION_ID \ --name=ASSOCIATION_NAME
Associate a hierarchical security policy to a folder:
gcloud beta compute org-security-policies associations create \ --security-policy=POLICY_ID \ --folder=FOLDER_ID \ --name=ASSOCIATION_NAME
Associate a hierarchical security policy to a project:
gcloud beta compute org-security-policies associations create \ --security-policy=POLICY_ID \ --project-number=PROJECT_ID \ --name=ASSOCIATION_NAME
Exclude projects from hierarchical security policies
In addition, you can exclude projects from your folder-level hierarchical security policies, and you can exclude both projects and folders from your organization-level hierarchical security policies:
You can exclude projects from a hierarchical security policy by using the
beta compute org-security-policies associations create
command with the--excluded-projects
flag.The following example command associates security policy
example-policy
with organization10000001
, while excluding the project with the ID2000000002
:gcloud beta compute org-security-policies associations create \ --security-policy=example-policy \ --excluded-projects="projects/2000000002" \ --organization=10000001
You can exclude folders from an organization-level hierarchical security policy by using the
beta compute org-security-policies associations create
command with the--excluded-folders
flag.The following example command associates security policy
example-policy
with organization10000001
, while excluding the folder with the ID3000000003
:gcloud beta compute org-security-policies associations create \ --security-policy=example-policy \ --excluded-folders="folders/3000000003" \ --organization=10000001
Move a hierarchical security policy
You can change the parent of a hierarchical security policy by using the
gcloud beta compute org-security-policies move
to move the
hierarchical security policy under a different parent resource hierarchy node.
You supply the source as the first flag, and the destination as the second flag.
Moving a hierarchical security policy changes its ownership, not the resources
with which it is associated. Only organizations and folders can own
hierarchical security policies, so you can't move them under projects.
In the following
example, you move a hierarchical security policy from the organization
ORGANIZATION_ID
to the folder
FOLDER_ID
:
gcloud beta compute org-security-policies move policy-1 \ --organization ORGANIZATION_ID \ --folder FOLDER_ID
Delete a hierarchical security policy
Before you can delete a hierarchical security policy,
you must first delete all associations that the policy has to resource hierarchy
nodes. In the following example, you use the
beta compute org-security-policies associations delete
command to remove
the association named ASSOCIATION_NAME
between the
hierarchical security policy with the name POLICY_NAME
and the organization ORGANIZATION_ID
:
gcloud beta compute org-security-policies associations delete ASSOCIATION_NAME \ --security-policy=POLICY_NAME \ --organization=ORGANIZATION_ID
If this isn't the only association that the security policy has, repeat the
previous step for each association. When the hierarchical security policy has no
associations, you can delete it by using the
compute org-security-policies delete
command, like in the following example:
gcloud beta compute org-security-policies delete POLICY_NAME \ --organization=ORGANIZATION_ID
View all effective Google Cloud Armor rules for a protected resource
You can view all of the Google Cloud Armor security policy rules that apply to
a protected resource by using the
gcloud beta compute backend-services get-effective-security-policies
command. In the
following example, replace RESOURCE_NAME
with the name
of the protected resource that you want to check:
gcloud beta compute backend-services get-effective-security-policies PROTECTED_RESOURCE
Use cases
The following sections describe use cases for hierarchical security policies.
Deny traffic from a set of IP addresses to all Application Load Balancers in your organization
You can use hierarchical security policies to manage a list of IP addresses that aren't
allowed to access your entire organization network, or to
deny traffic from a specific region or country. This can help you address
company-specific security concerns or help you maintain compliance. The
following steps show you how to create an organization-level
hierarchical security policy that denies traffic from IP address range
192.0.2.0/24
:
Create a hierarchical security policy called
org-level-deny-ip-policy
, attached to an organization with ID 1000000001:gcloud beta compute org-security-policies create \ --organization=1000000001 \ --type=CLOUD_ARMOR \ --description= "this is an org policy to deny a set of IP addresses for all resources" \ --short-name=org-level-deny-ip-policy
Add a rule at priority
1000
with a match condition for the IP address range192.0.2.0/24
and adeny
action:gcloud beta compute org-security-policies rules create 1000 \ --action=deny \ --security-policy=org-level-deny-ip-policy \ --organization=1000000001 \ --description "Deny traffic from 192.0.2.0/24" \ --src-ip-ranges "192.0.2.0/24"
Finally, associate the security policy with the organization, denying requests from the
192.0.2.0/24
IP address to all services in the organization:gcloud beta compute org-security-policies associations create \ --security-policy=org-level-deny-ip-policy \ --organization=ORGANIZATION_ID
Grant a set of source IP addresses access to some projects within your organization
You can grant access to some projects within your organization to an IP address
or to several IP addresses. You might want to do this if you have a trusted
upstream proxy that you want to exclude from rule evaluation for only some of
your projects. In the following Cloud CDN-based example, you use a
folder-level hierarchical security policy to grant the IP address range
192.0.2.0/24
access to projects named project-1
, project-2
, and
project-3
in organization 10000001
:
Use the following commands to move
project-1
,project-2
, andproject-3
into a folder with ID20000002
:gcloud projects move project-1 --folder=20000002 gcloud projects move project-2 --folder=20000002 gcloud projects move project-3 --folder=20000002
Use the following command to create a security policy named
org-level-proxy-filtering
:gcloud beta compute org-security-policies create \ --folder=20000002 \ --type=CLOUD_ARMOR \ --short-name=org-level-proxy-filtering
Add a rule at priority
1000
with a match condition for the IP address range192.0.2.0/24
and agoto_next
rule action. If a request matches this condition, Google Cloud Armor stops evaluating rules within this security policy:gcloud beta compute org-security-policies rules create 1000 \ --action=goto_next \ --security-policy=org-level-proxy-filtering \ --organization=10000001 \ --src-ip-ranges="192.0.2.0/24"
Optional: If you want to apply security policy rules to these projects for requests that aren't from
192.0.2.0/24
, add more rules at a priority lower than1000
. You can perform this step later.Use the following command to associate the policy to the folder with ID
20000002
, which you moved the projects to in step 1:gcloud beta compute org-security-policies associations create \ --security-policy=org-level-proxy-filtering \ --folder=20000002