Managing secure-by-default organization resources

If you are a new customer, Google Cloud automatically provisions an organization resource for your domain in the following scenarios:

  • A user from your domain logs in for the first time.
  • A user creates a billing account that does not have an associated organization resource.

This organization resource's default configuration, characterized by unrestricted access, can make the infrastructure susceptible to security breaches. For example, default service account key creation is a critical vulnerability exposing systems to potential breaches.

With the secure-by-default organization policy enforcements, insecure postures are addressed with a bundle of organization policies that are enforced at the time of creation of an organization resource. Examples of these enforcements include disabling service account key creation and disabling service account key upload.

When an existing user creates an organization, the security posture for the new organization resource might be different from the existing organization resources. Secure-by-default organization policies are enforced for all organizations created on or after May 3, 2024. Some organizations created between February 2024 and April 2024 might also have these default policy enforcements set. To view organization policies applied to your organization, see Viewing organization policies.

As an administrator, following are the scenarios where these organization policy enforcements are applied automatically:

  • Google Workspace or Cloud Identity account: When you have a Google Workspace or Cloud Identity account, an organization resource is created that is associated with your domain. The secure-by-default organization policies are enforced automatically on the organization resource.
  • Billing account creation: If the billing account you create is not associated with an organization resource, then an organization resource is automatically created. The secure-by-default organization policies are enforced on the organization resource. This scenario works on both the Google Cloud console and gcloud CLI.

Required permissions

The Identity and Access Management role roles/orgpolicy.policyAdmin enables an administrator to manage organization policies. You must be an organization policy administrator to change or override organization policies. To grant the role, run the following command:

gcloud organizations add-iam-policy-binding ORGANIZATION --member=PRINCIPAL --role=ROLE

Replace the following:

  • ORGANIZATION: Unique identifier of your organization.
  • PRINCIPAL: The principal to add the binding for. This should be of the form user|group|serviceAccount:email or domain:domain. For example, user:222larabrown@gmail.com.
  • ROLE: Role to grant to the principal. Use the complete path of a predefined role. In this case, it should be roles/orgpolicy.policyAdmin.

Organization policies enforced on organization resources

The following table lists the organization policy constraints that are automatically enforced when you create an organization resource.

Organization policy name Organization policy constraint Description Impact of enforcement
Disable service account key creation constraints/iam.disableServiceAccountKeyCreation Prevent users from creating persistent keys for service accounts. For information about managing service account keys, see Provide alternatives to creating service account keys. Reduces the risk of exposed service account credentials.
Disable service account key upload constraints/iam.disableServiceAccountKeyUpload Prevent the upload of external public keys to service accounts. For information about accessing resources without service account keys, see these best practices. Reduces the risk of exposed service account credentials.
Disable automatic role grants to default service accounts constraints/iam.automaticIamGrantsForDefaultServiceAccounts Prevent default service accounts from receiving the overly permissive IAM role Editor at creation. The Editor role allows the service account to create and delete resources for most Google Cloud services, which creates a vulnerability if the service account gets compromised.
Restrict identities by domain constraints/iam.allowedPolicyMemberDomains Limit resource sharing to identities that belong to a particular organization resource. Leaving the organization resource open to access by actors with domains other than the customer's own creates a vulnerability.
Restrict contacts by domain constraints/essentialcontacts.allowedContactDomains Limit Essential Contacts to only allow managed user identities in selected domains to receive platform notifications. A bad actor with a different domain might get added as Essential Contacts, leading to a compromised security posture.
Uniform bucket-level access constraints/storage.uniformBucketLevelAccess Prevent Cloud Storage buckets from using per-object ACL (a separate system from IAM policies) to provide access. Enforces consistency for access management and auditing.
Use zonal DNS by default constraints/compute.setNewProjectDefaultToZonalDNSOnly Set restrictions where application developers cannot choose global DNS settings for Compute Engine instances. Global DNS settings have lower service reliability than zonal DNS settings.
Restrict protocol forwarding based on type of IP address constraints/compute.restrictProtocolForwardingCreationForTypes Restrict the configuration of protocol forwarding for internal IP addresses only. Protects target instances from exposure to external traffic.

Manage enforcement of organization policies

You can manage the enforcement of organization policies in the following ways:

List organization policies

To check whether the secure-by-default organization policies are enforced on your organization, use the following command:

gcloud resource-manager org-policies list --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the unique identifier of your organization.

Disable organization policies

To disable or delete an organization policy, run the following command:

gcloud org-policies delete CONSTRAINT_NAME --organization=ORGANIZATION_ID

Replace the following:

  • CONSTRAINT_NAME is the name of the organization policy constraint you want to delete. An example is iam.allowedPolicyMemberDomains.
  • ORGANIZATION_ID is the unique identifier of your organization.

Add or update values for an organization policy

To add or update values for an organization policy, you need to store the values in a YAML file. An example of what the contents of this file can look like:

{
  "name": "organizations/ORG_ID/policies/CONSTRAINT_NAME",
  "spec": {
    "rules": [
      {
        "values": {
            "allowedValues": ["VALUE_A"]
        }
      }
    ]
  }
}

To add or update these values listed in the YAML file, run the following command:

gcloud org-policies set-policy POLICY_FILE

Replace POLICY_FILE with the path to the YAML file that contains the values of the organization policy.