If you are a new customer, Google Cloud automatically provisions an organization resource for your domain in the following scenarios:
This organization resource's default configuration, characterized by unrestricted access, can make the infrastructure susceptible to security breaches. For example, allowing service account key creation by default lets any user with the right permission mint long-lived credentials that can be leaked or stolen, exposing systems to potential breaches.
With the secure-by-default organization policy enforcements, insecure postures are addressed with a bundle of organization policies that are enforced at the time of creation of an organization resource. Examples of these enforcements include disabling service account key creation and disabling service account key upload.
When an existing user creates an organization, the security posture for the new organization resource might be different from the existing organization resources. Secure-by-default organization policies are enforced for all organizations created on or after May 3, 2024. Some organizations created between February 2024 and April 2024 might also have these default policy enforcements set. To view organization policies applied to your organization, see Viewing organization policies.
As an administrator, the following are the scenarios where these organization policy enforcements are applied automatically:
The Identity and Access Management role roles/orgpolicy.policyAdmin enables an administrator to manage organization policies. You must be an organization policy administrator to change or override organization policies. To grant the role, run the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION --member=PRINCIPAL --role=ROLE
Replace the following:

ORGANIZATION: Unique identifier of your organization.
PRINCIPAL: The principal to add the binding for. This should be of the form user|group|serviceAccount:email or domain:domain. For example, user:222larabrown@gmail.com.
ROLE: Role to grant to the principal. Use the complete path of a predefined role. In this case, it should be roles/orgpolicy.policyAdmin.

The following table lists the organization policy constraints that are automatically enforced when you create an organization resource. Each entry gives the organization policy name, the constraint, a description, and the impact of enforcement.
Disable service account key creation
Constraint: constraints/iam.disableServiceAccountKeyCreation
Description: Prevents users from creating persistent keys for service accounts. For information about managing service account keys, see Provide alternatives to creating service account keys.
Impact of enforcement: Reduces the risk of exposed service account credentials.

Disable service account key upload
Constraint: constraints/iam.disableServiceAccountKeyUpload
Description: Prevents the upload of external public keys to service accounts. For information about accessing resources without service account keys, see these best practices.
Impact of enforcement: Reduces the risk of exposed service account credentials.

Disable automatic role grants to default service accounts
Constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
Description: Prevents default service accounts from receiving the overly permissive IAM role Editor at creation.
Impact of enforcement: The Editor role allows a service account to create and delete resources for most Google Cloud services, which creates a vulnerability if the service account is compromised; enforcement removes that standing grant.

Restrict identities by domain
Constraint: constraints/iam.allowedPolicyMemberDomains
Description: Limits resource sharing to identities that belong to a particular organization resource.
Impact of enforcement: Leaving the organization resource open to access by principals from domains other than the customer's own creates a vulnerability.

Restrict contacts by domain
Constraint: constraints/essentialcontacts.allowedContactDomains
Description: Limits Essential Contacts to managed user identities in selected domains, so only they receive platform notifications.
Impact of enforcement: A bad actor with a different domain might otherwise get added as an Essential Contact, leading to a compromised security posture.

Uniform bucket-level access
Constraint: constraints/storage.uniformBucketLevelAccess
Description: Prevents Cloud Storage buckets from using per-object ACLs (a separate system from allow and deny policies) to provide access.
Impact of enforcement: Enforces consistency for access management and auditing.

Use zonal DNS by default
Constraint: constraints/compute.setNewProjectDefaultToZonalDNSOnly
Description: Prevents application developers from choosing global DNS settings for Compute Engine instances.
Impact of enforcement: Global DNS settings have lower service reliability than zonal DNS settings.

Restrict protocol forwarding based on type of IP address
Constraint: constraints/compute.restrictProtocolForwardingCreationForTypes
Description: Restricts the configuration of protocol forwarding to internal IP addresses only.
Impact of enforcement: Protects target instances from exposure to external traffic.
Note: For some organizations created after August 15, 2024, the constraints/compute.restrictProtocolForwardingCreationForTypes organization policy constraint might already be applied.

Manage enforcement of organization policies
You can manage the enforcement of organization policies in the following ways:

List organization policies

To check whether the secure-by-default organization policies are enforced on your organization, use the following command:
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
Replace ORGANIZATION_ID with the unique identifier of your organization. Compare the constraints in the output against the list in the table above; any constraint that is absent from the output is not enforced at the organization level.
To disable or delete an organization policy, run the following command. Note that deleting one of these policies at the organization level removes the protection for every folder and project that inherits it, so prefer overriding the policy on a specific folder or project where an exception is genuinely needed:
gcloud org-policies delete CONSTRAINT_NAME --organization=ORGANIZATION_ID
Replace the following:

CONSTRAINT_NAME is the name of the organization policy constraint you want to delete. An example is iam.allowedPolicyMemberDomains.
ORGANIZATION_ID is the unique identifier of your organization.

To add or update values for an organization policy, you need to store the policy in a file; gcloud org-policies set-policy accepts JSON or YAML. An example of what the contents of this file can look like, in JSON form:
{
"name": "organizations/ORG_ID/policies/CONSTRAINT_NAME",
"spec": {
"rules": [
{
"values": {
"allowedValues": ["VALUE_A"]
}
}
]
}
}
To add or update the values listed in the policy file, run the following command:

gcloud org-policies set-policy POLICY_FILE

Replace POLICY_FILE with the path to the JSON or YAML file that contains the values of the organization policy.
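The following script is an added example, not code from the original page or from Google Cloud. It serves both the "List organization policies" check and the "add or update values" step above: find_missing() takes the JSON output of gcloud resource-manager org-policies list --organization=ORGANIZATION_ID --format=json and reports which of the eight secure-by-default constraints are absent or not enforced, and build_policy() produces the document that gcloud org-policies set-policy expects. The sample listing is constructed inline, the v1 output shape (constraint, booleanPolicy, listPolicy) and the v2 rule shape for boolean constraints (rules[].enforce) are assumptions from the gcloud surface rather than anything the page states, and the customer ID C0123456789 is a placeholder.

```python
import json
import sys

# The eight constraints the page lists as enforced on new organizations,
# tagged by constraint type (assumption: key-creation, key-upload, automatic
# grants, uniform bucket access and zonal DNS are boolean constraints; the
# domain and protocol-forwarding constraints take a list of allowed values).
SECURE_BY_DEFAULT_CONSTRAINTS = {
    "constraints/iam.disableServiceAccountKeyCreation": "boolean",
    "constraints/iam.disableServiceAccountKeyUpload": "boolean",
    "constraints/iam.automaticIamGrantsForDefaultServiceAccounts": "boolean",
    "constraints/iam.allowedPolicyMemberDomains": "list",
    "constraints/essentialcontacts.allowedContactDomains": "list",
    "constraints/storage.uniformBucketLevelAccess": "boolean",
    "constraints/compute.setNewProjectDefaultToZonalDNSOnly": "boolean",
    "constraints/compute.restrictProtocolForwardingCreationForTypes": "list",
}

# Constructed sample of what
#   gcloud resource-manager org-policies list --organization=ORGANIZATION_ID --format=json
# returns (v1 OrgPolicy shape; assumption). Three policies are enforced,
# one is present but switched off, and four are missing entirely.
SAMPLE_LIST_OUTPUT = json.dumps([
    {"constraint": "constraints/iam.disableServiceAccountKeyCreation",
     "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/iam.disableServiceAccountKeyUpload",
     "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/iam.allowedPolicyMemberDomains",
     "listPolicy": {"allowedValues": ["C0123456789"]}},   # placeholder customer ID
    {"constraint": "constraints/storage.uniformBucketLevelAccess",
     "booleanPolicy": {"enforced": False}},              # present but not enforced
])


def find_missing(list_output_json):
    """Return, sorted, the secure-by-default constraints that are absent from
    or not enforced in the org-policies list output."""
    enforced = set()
    for policy in json.loads(list_output_json):
        name = policy.get("constraint", "")
        if "booleanPolicy" in policy:
            if policy["booleanPolicy"].get("enforced"):
                enforced.add(name)
        elif "listPolicy" in policy:
            lp = policy["listPolicy"]
            # A list constraint only restricts anything when it names values
            # or denies all; an empty listPolicy is as good as no policy.
            if lp.get("allowedValues") or lp.get("deniedValues") or lp.get("allValues") == "DENY":
                enforced.add(name)
    return sorted(set(SECURE_BY_DEFAULT_CONSTRAINTS) - enforced)


def build_policy(org_id, constraint, allowed_values=None):
    """Build the document for `gcloud org-policies set-policy POLICY_FILE`.

    List constraints use rules[].values.allowedValues, matching the page's
    example; boolean constraints use rules[].enforce (assumption from the
    v2 policy format). The policy name drops the "constraints/" prefix,
    as in the page's organizations/ORG_ID/policies/CONSTRAINT_NAME."""
    kind = SECURE_BY_DEFAULT_CONSTRAINTS[constraint]   # KeyError for an unknown constraint
    if kind == "boolean":
        if allowed_values:
            raise ValueError(f"{constraint} is a boolean constraint and takes no values")
        rule = {"enforce": True}
    else:
        if not allowed_values:
            raise ValueError(f"{constraint} is a list constraint; allowed_values is required")
        rule = {"values": {"allowedValues": list(allowed_values)}}
    short_name = constraint[len("constraints/"):]
    return {"name": f"organizations/{org_id}/policies/{short_name}",
            "spec": {"rules": [rule]}}


if __name__ == "__main__":
    # Usage: pipe the gcloud list output in, or run without input to use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_OUTPUT
    for missing in find_missing(listing):
        print(f"NOT ENFORCED: {missing}")
        # Print a ready-to-use POLICY_FILE body for each boolean gap.
        if SECURE_BY_DEFAULT_CONSTRAINTS[missing] == "boolean":
            print(json.dumps(build_policy("ORG_ID", missing), indent=2))
```

Run it as gcloud resource-manager org-policies list --organization=ORGANIZATION_ID --format=json | python3 audit_org_policies.py (the file name is arbitrary); list-type gaps such as allowedPolicyMemberDomains are reported but not generated, because the allowed values (your Cloud Identity customer IDs or domains) are a decision, not a default. Write the printed JSON to a file and pass it to gcloud org-policies set-policy to close each boolean gap.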
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-02 UTC.