Kingdom of Saudi Arabia (KSA) Data Boundary with Access Justifications

This page describes the set of controls that are applied on KSA Data Boundary with Access Justifications workloads in Assured Workloads. It provides detailed information about data residency, supported Google Cloud products and their API endpoints, and any applicable restrictions or limitations on those products.

The following additional information applies to KSA Data Boundary with Access Justifications:

• Data residency: The KSA Data Boundary with Access Justifications control package sets data location controls to support KSA-only regions. For more information, see the Google Cloud-wide organization policy constraints section.
• Support: Technical support services for KSA Data Boundary with Access Justifications workloads are available with Standard, Enhanced, or Premium Cloud Customer Care subscriptions. KSA Data Boundary with Access Justifications workloads support cases are routed to global support personnel. For more information, see Getting support.
• Pricing: The KSA Data Boundary with Access Justifications control package is included in Assured Workloads' Free tier, which incurs no additional charges. For more information, see Assured Workloads pricing.

Prerequisites

Verify that you meet and have completed the following prerequisites before deploying workloads to KSA Data Boundary with Access Justifications:

• Create an KSA Data Boundary with Access Justifications folder using Assured Workloads and deploy your workloads only in that folder.
• Don't change the default organization policy constraint values unless you understand and are willing to accept the data residency risks that might occur.
• When accessing the Google Cloud console for KSA Data Boundary with Access Justifications workloads, you must use one of the following KSA-specific Jurisdictional Google Cloud console URLs:
  • console.sa.cloud.google.com
  • console.sa.cloud.google for federated identity users
• Use only the specified regional endpoints for services that offer them. For more information, see in-scope KSA Data Boundary with Access Justifications services.
• Consider adopting the general security best practices provided in the Google Cloud security best practices center.

Supported products and API endpoints

Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table.

If a product is not listed, that product is unsupported and has not met the control requirements for KSA Data Boundary with Access Justifications. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model. Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

Restrictions and limitations

The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on KSA Data Boundary with Access Justifications folders. Other applicable organization policy constraints —even if not set by default— can provide additional defense-in-depth to further protect your organization's Google Cloud resources.

Google Cloud-wide

Affected Google Cloud-wide features

Feature	Description
Google Cloud console	To access the Google Cloud console when using the KSA Data Boundary with Access Justifications control package, you must use one of the following URLs: console.me.cloud.google.com console.me.cloud.google for federated identity users For more information, see the Jurisdictional Google Cloud console page.

Google Cloud-wide organization policy constraints

The following organization policy constraints apply across Google Cloud.

Organization policy constraint	Description
gcp.resourceLocations	Set to the following locations in the allowedValues list: me-central2 This value restricts creation of new resources to the selected values. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See Resource locations supported services for a list of resources that can restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable. Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
gcp.restrictNonCmekServices	Set to a list of all in-scope API service names, including: bigquerydatatransfer.googleapis.com Some features may be affected for each of the services listed above. Each listed service requires Customer-managed encryption keys (CMEK). CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms. Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
gcp.restrictServiceUsage	Set to allow all supported products and API endpoints. Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage.
gcp.restrictTLSVersion	Set to deny the following TLS versions: TLS_1_0 TLS_1_1 See the Restrict TLS versions page for more information.

Bigtable

Affected Bigtable features

Feature	Description
Data Boost	This feature is disabled.

Cloud Interconnect

Affected Cloud Interconnect features

Feature	Description
High-availability (HA) VPN	You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Affected Cloud VPN features section.

Cloud Monitoring

Affected Cloud Monitoring features

Feature	Description
Synthetic Monitor	This feature is disabled.
Uptime checks	This feature is disabled.
Log panel widgets in Dashboards	This feature is disabled. You cannot add a log panel to a dashboard.
Error reporting panel widgets in Dashboards	This feature is disabled. You cannot add an error reporting panel to a dashboard.
Filter in EventAnnotation for Dashboards	This feature is disabled. Filter of EventAnnotation cannot be set in a dashboard.
SqlCondition in alertPolicies	This feature is disabled. You cannot add a SqlCondition to an alertPolicy.

Cloud Run

Affected Cloud Run features

Feature	Description
Unsupported features	The following Cloud Run features aren't supported: Cloud Trace integration Cloud Run functions Eventarc triggers

Cloud SQL

Cloud SQL organization policy constraints

Organization policy constraint	Description
sql.restrictNoncompliantDiagnosticDataAccess	Set to True. Applies additional data sovereignty and supportability controls to Cloud SQL resources. Changing this value might affect your workload's data residency or data sovereignty.
sql.restrictNoncompliantResourceCreation	Set to True. Applies additional data sovereignty controls to prevent creation of non-compliant Cloud SQL resources. Changing this value might affect your workload's data residency or data sovereignty.

Cloud Storage

Affected Cloud Storage features

Feature	Description
Google Cloud console	It is your responsibility to use the Jurisdictional Google Cloud console for KSA Data Boundary with Access Justifications. The Jurisdictional console prevents uploading and downloading Cloud Storage objects. To upload and download Cloud Storage objects, see the following Compliant API endpoints row.
Compliant API endpoints	It is your responsibility to use one of the in-scope regional endpoints with Cloud Storage. For more information, see Cloud Storage locations.

Cloud Storage organization policy constraints

Organization policy constraint	Description
storage.restrictAuthTypes	Set to prevent authentication using hash-based message authentication code (HMAC). The following types are specified in this constraint value: USER_ACCOUNT_HMAC_SIGNED_REQUESTS SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS By default, HMAC keys are prevented from authenticating to Cloud Storage resources for KSA Data Boundary with Access Justifications workloads. HMAC keys affect data sovereignty because they can be used to access customer data without customer knowledge. See HMAC keys in the Cloud Storage docs. Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.
storage.uniformBucketLevelAccess	Set to True. Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs). This constraint provides fine-grained permissions for buckets and their contents. If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.

Cloud VPN

Affected Cloud VPN features

Feature	Description
Google Cloud console	Cloud VPN features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.
VPN endpoints	You must use only Cloud VPN endpoints that are located in an in-scope region. Ensure that your VPN gateway is configured for use in an in-scope region only.

Compute Engine

Affected Compute Engine features

Feature	Description
Suspending and resuming a VM instance	This feature is disabled. Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Local SSDs	This feature is disabled. You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Google Cloud console	The following Compute Engine features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead: Health checks Network endpoint groups
Adding an instance group to a global load balancer	You cannot add an instance group to a global load balancer. This feature is disabled by the compute.disableGlobalLoadBalancing organization policy constraint.
Suspending and resuming a VM instance	This feature is disabled. Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot be encrypted using CMEK. This feature is disabled by the gcp.restrictNonCmekServices organization policy constraint.
Local SSDs	This feature is disabled. You will be unable to create an instance with Local SSDs because they cannot be encrypted using CMEK. This feature is disabled by the gcp.restrictNonCmekServices organization policy constraint.
Guest environment	It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint. See the Building a custom image page for more information.
OS policies in VM Manager	Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Don't include any sensitive information in these files. Consider storing these scripts and output files in Cloud Storage buckets. For more information, see Example OS policies. If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint. For more information, see Constraints for OS Config.
instances.getSerialPortOutput()	This API is disabled; you will be unable to get serial port output from the specified instance using this API. Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project.
instances.getScreenshot()	This API is disabled; you will be unable to get a screenshot from the specified instance using this API. Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project.

Compute Engine organization policy constraints

Organization policy constraint	Description
compute.enableComplianceMemoryProtection	Set to True. Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs. Changing this value may affect your workload's data residency or data sovereignty.
compute.disableGlobalCloudArmorPolicy	Set to True. Disables the creation of new global Google Cloud Armor security policies, and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.
compute.disableGlobalLoadBalancing	Set to True. Disables creation of global load balancing products. Changing this value may affect your workload's data residency or data sovereignty.
compute.disableInstanceDataAccessApis	Set to True. Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs. Enabling this constraint prevents you from generating credentials on Windows Server VMs. If you need to manage a username and password on a Windows VM, do the following: Enable SSH for Windows VMs. Run the following command to change the VM's password: gcloud compute ssh VM_NAME --command "net user USERNAME PASSWORD" Replace the following: VM_NAME: The name of the VM you're setting the password for. USERNAME: The username of the user who you're setting the password for. PASSWORD: The new password.
compute.disableSshInBrowser	Set to True. Disables the SSH-in-browser tool in the Google Cloud console for VMs that use OS Login and App Engine flexible environment environment VMs. Changing this value may affect your workload's data residency or data sovereignty.
compute.restrictNonConfidentialComputing	(Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information.
compute.trustedImageProjects	(Optional) Value is not set. Set this value to provide additional defense-in-depth. Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

Dataplex Universal Catalog

Dataplex Universal Catalog features

Feature	Description
Aspects and glossaries metadata	Aspects and glossaries and are not supported. You can't search for or manage aspects and glossaries, nor can you import custom metadata.
Attribute Store	This feature is deprecated and disabled.
Data Catalog	This feature is deprecated and disabled. You cannot search through nor manage your metadata in Data Catalog.
Data Quality and Data Profile Scan	Export of Data Quality Scan results is not supported.
Discovery	This feature is disabled. You cannot run the Discovery scans to extract metadata from your data.
Lakes and Zones	This feature is disabled. You cannot manage lakes, zones and tasks.

Google Cloud Armor

Affected Google Cloud Armor features

Feature	Description
Globally scoped security policies	This feature is disabled by the compute.disableGlobalCloudArmorPolicy organization policy constraint.

Google Kubernetes Engine

Google Kubernetes Engine organization policy constraints

Organization policy constraint	Description
container.restrictNoncompliantDiagnosticDataAccess	Set to True. Disables aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload. Changing this value may affect your workload's data residency or data sovereignty.

Pub/Sub

Pub/Sub organization policy constraints

Organization policy constraint	Description
pubsub.enforceInTransitRegions	Set to True. Ensures that Customer Data transits only within the allowed regions specified in the message storage policy for the Pub/Sub topic. Changing this value might affect your workload's data residency or data sovereignty.
pubsub.managed.disableTopicMessageTransforms	Set to True. Disables Pub/Sub topics from being set with Single Message Transforms (SMTs). Changing this value might affect your workload's data residency or data sovereignty.
pubsub.managed.disableSubscriptionMessageTransforms	Set to True. Disables Pub/Sub subscriptions from being set with Single Message Transforms (SMTs). Changing this value might affect your workload's data residency or data sovereignty.

Spanner

Spanner organization policy constraints

Organization policy constraint	Description
spanner.assuredWorkloadsAdvancedServiceControls	Set to True. Applies additional data sovereignty and supportability controls to Spanner resources.
spanner.disableMultiRegionInstanceIfNoLocationSelected	Set to True. Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty.

What's next

• Learn how to create an Assured Workloads folder
• Understand Assured Workloads pricing