Stay organized with collections
Save and categorize content based on your preferences.
Key concepts
Assured Workloads provides Google Cloud users with the ability to
apply controls to a folder in
support of regulatory, regional, or sovereign requirements. This
page provides information about its key components.
Assured Workloads folders
An Assured Workloads folder is the top-level regulatory boundary for
your workloads. Each Assured Workloads folder is configured with (and
actively enforces) controls that meet the selected
control package's regulatory
requirements. Assured Workloads folders are also the container for your
resources that must adhere to those requirements, such as projects that contain
your workloads. Assured Workloads folders and their resources are
constantly monitored for adherence to
compliance requirements.
For example, if you need to meet the regulatory requirements for Impact Level 4
(IL4), you would
create an Assured Workloads folder
for IL4, and then create or migrate
projects and resources to that Assured Workloads folder. Inside the
folder, those projects will be configured to enforce IL4's regulatory
requirements, and you will be notified if any resources fall out of compliance.
To ensure that all of your organization's resources are compliant with a
specific control package, you can create an Assured Workloads folder
as the parent for all of your other folders, projects, and resources. By making
the top-level folder an Assured Workloads folder, its controls will
be inherited by all child resources in the
Google Cloud resource hierarchy.
For more information, see
How to set compliance controls for your Google Cloud organization.
Assured Workloads key management project
Depending on the control package you select, Assured Workloads can
also create a key management project inside the Assured Workloads
folder to store your CMEK encryption keys. Having one project for keys and
another for resources establishes
separation of duties between security
administrators and developers.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eAssured Workloads enables Google Cloud users to apply controls to folders, helping meet regulatory, regional, or sovereign requirements.\u003c/p\u003e\n"],["\u003cp\u003eAn Assured Workloads folder serves as the primary regulatory boundary, enforcing controls from a chosen control package and housing compliant resources.\u003c/p\u003e\n"],["\u003cp\u003eAssured Workloads folders and their resources are continuously monitored to ensure adherence to the specified compliance requirements.\u003c/p\u003e\n"],["\u003cp\u003eBy creating an Assured Workloads folder as the top-level parent, its controls are inherited by all child resources in the Google Cloud hierarchy.\u003c/p\u003e\n"],["\u003cp\u003eAssured Workloads can generate a separate key management project within the folder to store CMEK encryption keys, ensuring separation of duties between security administrators and developers.\u003c/p\u003e\n"]]],[],null,["# Key concepts\n============\n\nAssured Workloads provides Google Cloud users with the ability to\n[apply controls](/assured-workloads/docs/control-packages) to a folder in\nsupport of regulatory, regional, or sovereign requirements. This\npage provides information about its key components.\n\nAssured Workloads folders\n-------------------------\n\nAn Assured Workloads folder is the top-level regulatory boundary for\nyour workloads. Each Assured Workloads folder is configured with (and\nactively enforces) controls that meet the selected\n[control package's](/assured-workloads/docs/control-packages) regulatory\nrequirements. Assured Workloads folders are also the container for your\nresources that must adhere to those requirements, such as projects that contain\nyour workloads. Assured Workloads folders and their resources are\nconstantly [monitored](/assured-workloads/docs/monitor-folder) for adherence to\ncompliance requirements.\n\nFor example, if you need to meet the regulatory requirements for Impact Level 4\n(IL4), you would\n[create an Assured Workloads folder](/assured-workloads/docs/create-folder)\nfor IL4, and then create or [migrate](/assured-workloads/docs/migrate-workload)\nprojects and resources to that Assured Workloads folder. Inside the\nfolder, those projects will be configured to enforce IL4's regulatory\nrequirements, and you will be notified if any resources fall out of compliance.\n\nTo ensure that all of your organization's resources are compliant with a\nspecific control package, you can create an Assured Workloads folder\nas the parent for all of your other folders, projects, and resources. By making\nthe top-level folder an Assured Workloads folder, its controls will\nbe inherited by all child resources in the\n[Google Cloud resource hierarchy](/resource-manager/docs/cloud-platform-resource-hierarchy).\nFor more information, see\n[How to set compliance controls for your Google Cloud organization](/blog/products/identity-security/how-to-set-compliance-controls-for-your-google-cloud-organization).\n| **Note:** Any Assured Workloads environment created before the introduction of Assured Workloads folders continues to be supported. Although it is not required, we recommend that you migrate to Assured Workloads folders if it is possible to do so.\n\nAssured Workloads key management project\n----------------------------------------\n\nDepending on the control package you select, Assured Workloads can\nalso create a **key management project** inside the Assured Workloads\nfolder to store your CMEK encryption keys. Having one project for keys and\nanother for resources establishes\n[separation of duties](/kms/docs/separation-of-duties) between security\nadministrators and developers.\n\nWhat's next\n-----------\n\n- Learn how to [create an Assured Workloads folder](/assured-workloads/docs/create-folder).\n- Learn which [products are supported](/assured-workloads/docs/supported-products) for each control package.\n- Learn how to [migrate a workload](/assured-workloads/docs/migrate-workload)."]]
