This topic describes the restrictions, limitations, and other configuration options when using Sovereign Controls by Partners.
Overview
Sovereign Controls by Partners provides data residency and data sovereignty features for in-scope Google Cloud services. To provide these features, some of these services' features are restricted or limited. Most of these changes are applied during the onboarding process when your organization becomes managed by a partner, however some of them can be changed later by modifying organization policies.
It's important to understand how these restrictions modify the behavior for a given Google Cloud service or affect data sovereignty or data residency. For example, some features or capabilities may be automatically disabled to ensure that data sovereignty and data residency are maintained. Additionally, if an organization policy setting is changed, it might have the unintended consequence of copying data from one region to another.
Supported products and services
See the Supported products page for a list of supported products and services.
Organization policies
This section describes how each service is affected by the default organization policy constraint values when folders or projects are created using Sovereign Controls by Partners. Other applicable constraints — even if not set by default — can provide additional "defense-in-depth" to further protect your organization's Google Cloud resources.
Cloud-wide organization policy constraints
The following organization policy constraints apply across any applicable Google Cloud service.
| Organization Policy Constraint | Description |
|---|---|
gcp.resourceLocations |
Set to the partner-supported region, such as
in:europe-west9-locations or
in:eu-locations as the allowedValues
list item.This value restricts creation of any new resources to the selected value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See the Organization policy value groups documentation for more information. |
gcp.restrictNonCmekServices |
Set to a list of all in-scope
API service names,
including:
Each listed service requires Customer-managed encryption keys (CMEK). CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms. Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, as new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided. |
gcp.restrictCmekCryptoKeyProjects |
Set to under:organizations/your-organization-name, which
is your Sovereign Controls by Partners organization. You can further restrict this
value by specifying a project or folder.Limits the scope of approved folders or projects that can provide KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data. |
Compute Engine organization policy constraints
| Organization Policy Constraint | Description |
|---|---|
compute.enableComplianceMemoryProtection |
Set to True. Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs. Changing this value may affect your data residency or data sovereignty. |
compute.disableSerialPortLogging
| Set to True. Disables serial port logging to Stackdriver from Compute Engine VMs in the folder or project where the constraint is enforced. Changing this value may affect your data residency or data sovereignty. |
compute.disableInstanceDataAccessApis
| Set to True. Globally disables the instances.getSerialPortOutput() and
instances.getScreenshot() APIs. |
compute.restrictNonConfidentialComputing |
(Optional) Value is not set. Set this value to provide additional
defense-in-depth. See the
Confidential VM documentation
for more information. |
compute.trustedImageProjects |
(Optional) Value is not set. Set this value to provide additional
defense-in-depth.
Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents. |
Cloud Storage organization policy constraints
| Organization Policy Constraint | Description |
|---|---|
storage.uniformBucketLevelAccess |
Set to True. Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs). This constraint provides fine-grained permissions for buckets and their contents. If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs. |
storage.restrictAuthTypes |
Set to prevent authentication using hash-based message authentication code
(HMAC). The following two HMAC types are specified in this constraint
value:
Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value. |
Google Kubernetes Engine organization policy constraints
| Organization Policy Constraint | Description |
|---|---|
container.restrictNoncompliantDiagnosticDataAccess |
Set to True. Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload. Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value. |
Cloud Key Management Service organization policy constraints
| Organization Policy Constraint | Description |
|---|---|
cloudkms.allowedProtectionLevels |
Set to EXTERNAL and EXTERNAL_VPC.Restricts the Cloud Key Management Service CryptoKey types that may be created, and is set to allow only EXTERNAL and EXTERNAL_VPC
key types.
|
Impacted features
This section lists how each service's features or capabilities are impacted by Sovereign Controls by Partners.
BigQuery features
| Feature | Description |
|---|---|
| Enabling BigQuery on a new folder | BigQuery is supported, but it isn't automatically enabled when you create a new
Assured Workloads folder due to an internal configuration process. This process normally
finishes in ten minutes, but can take much longer in some circumstances. To check whether the
process is finished and to enable BigQuery, complete following steps:
After the enablement process is completed, you can use BigQuery in your Assured Workloads folder. |
| Unsupported features | The following BigQuery features are not supported and should
not be used in the BigQuery CLI. It is the your responsibility
not to use them in BigQuery for Sovereign Controls by Partners.
|
| Unsupported integrations | The following BigQuery integrations are not supported. It is
your responsibility not to use them with BigQuery for
Sovereign Controls by Partners.
|
| Supported BigQuery APIs | The following BigQuery APIs are supported:
|
| Regions | BigQuery is supported for all BigQuery EU
regions except the EU multi-region. Compliance cannot be guaranteed
if a dataset is created in an EU multi-region, non-EU region, or non-EU
multi-region. It is your responsibility to specify a compliant region when
creating BigQuery datasets. If a table data list request is sent using one EU region but the dataset was created in another EU region, BigQuery cannot infer which region you intended and the operation will fail with a "dataset not found" error message. |
| Google Cloud console | The BigQuery user interface in the Google Cloud console is
supported.
|
| BigQuery CLI | The BigQuery CLI is supported.
|
| Google Cloud SDK | You must use Google Cloud SDK version 403.0.0 or newer to maintain data
regionalization guarantees for technical data. To verify
your current Google Cloud SDK version, run gcloud --version, and
then gcloud components update to update to the newest version.
|
| Administrator controls | BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard. |
| Loading data | BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Sovereign Controls by Partners workloads. |
| Third-party transfers | BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service. |
| Non-compliant BQML models | Externally-trained BQML models are not supported. |
| Query jobs | Query jobs with should only be created within Sovereign Controls by Partners folders. |
| Queries on datasets in other projects | BigQuery does not prevent Sovereign Controls by Partners datasets from being
queried from non-Sovereign Controls by Partners projects. You should ensure that any query
that has a read or a join on Sovereign Controls by Partners data be placed in a
Sovereign Controls by Partners folder. You can specify a
fully-qualified
table name for their query result using projectname.dataset.table
in the BigQuery CLI. |
| Cloud Logging | BigQuery utilizes Cloud Logging for some of your log data.
You should disable your _default logging buckets or restrict
_default buckets to EU regions to maintain compliance using
the following command:gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sinkSee this page for more information. |
Bigtable features
| Feature | Description |
|---|---|
| Split boundaries | Bigtable uses a small subset of row keys to define split
boundaries, which may include customer data and metadata. A split boundary
in Bigtable denotes the location where contiguous ranges of rows
in a table are split into tablets. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners. |
Spanner features
| Feature | Description |
|---|---|
| Split boundaries | Spanner uses a small subset of primary keys and indexed
columns to define
split
boundaries, which may include customer data and metadata. A split
boundary in Spanner denotes the location where contiguous ranges
of rows are split into smaller pieces. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners. |
Cloud SQL features
| Feature | Description |
|---|---|
| Query insights | When deploying a Cloud SQL instance, Query insights can only be used if application tags are not enabled. If application tags are enabled, you will receive an error message when attempting to use Query insights. |
Compute Engine features
| Feature | Description |
|---|---|
| Suspending and resuming a VM instance | This feature is disabled. Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices org
policy constraint in the section above to understand the data sovereignty
and data residency implications of enabling this feature.
|
| Local SSDs | This feature is disabled. You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices org
policy constraint in the section above to understand the data sovereignty
and data residency implications of enabling this feature.
|
| Viewing serial port output | This feature is disabled; you will be unable to view the output
either programmatically or via Cloud Logging. Change the compute.disableSerialPortLogging organization
policy constraint value to False to enable serial port output.
|
| Guest environment |
It is possible for scripts, daemons, and binaries that are included with
the guest environment to access unencrypted at-rest and in-use data.
Depending on your VM configuration, updates to this software may be
installed by default. See
Guest environment for specific information about
each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, for customers who want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects
organization policy constraint.
See the Building a custom image topic for more information. |
instances.getSerialPortOutput() |
This API is disabled; you will be unable to get serial port output
from the specified instance using this API. Change the compute.disableInstanceDataAccessApis organization
policy constraint value to False to enable this API. You can also
enable and use the interactive serial port by following the instructions in
this topic.
|
instances.getScreenshot() |
This API is disabled; you will be unable to get a screenshot from the
specified instance using this API. Change the compute.disableInstanceDataAccessApis organization
policy constraint value to False to enable this API. You can also
enable and use the interactive serial port by following the instructions in
this topic.
|
Dataproc features
| Feature | Description |
|---|---|
| Google Cloud console | Dataproc does not currently support the Jurisdictional Google Cloud console. To enforce data residency, ensure that you use either the Google Cloud CLI or the API when using Dataproc. |
GKE features
| Feature | Description |
|---|---|
| Cluster resource restrictions | Ensure that your cluster configuration does not use resources for
services that are unsupported in Sovereign Controls by Partners. For example, the
following configuration is invalid because it requires enabling or using
an unsupported service:
set `binaryAuthorization.evaluationMode` to `enabled`
|
Cloud Logging features
Required additional Cloud Logging configuration for CMEK
To use Cloud Logging with Customer-Managed Encryption Keys (CMEK), you must complete the steps in the Enable CMEK for an organization topic in the Cloud Logging documentation.
Impacted Cloud Logging features
| Feature | Description |
|---|---|
| Log sinks | Filters shouldn't contain Customer Data. Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data. |
| Live tailing log entries | Filters shouldn't contain Customer Data. A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data. |
| Log-based alerts | This feature is disabled. You cannot create log-based alerts in the Google Cloud console. |
| Shortened URLs for Logs Explorer queries | This feature is disabled. You cannot create shortened URLs of queries in the Google Cloud console. |
| Saving queries in Logs Explorer | This feature is disabled. You cannot save any queries in the Google Cloud console. |
| Log Analytics using BigQuery | This feature is disabled. You cannot use the Log Analytics feature. |