Introducing stronger default Org Policies for our customers

Google Cloud strives to make good security outcomes easier for customers to achieve. As part of this continued effort, we are releasing an updated and stronger set of security defaults that are automatically implemented for new customers.

Google Cloud customers with a verified domain receive an organization resource, which is used as the root of the resource hierarchy and to provide scalable controls to your cloud environment through the use of the Organization Policy Service.

With the release of secure-by-default organization resources, potentially insecure postures and outcomes are addressed with a bundle of organization policies that are enforced as soon as a new organization resource is created. Existing organization resources are not impacted by this change. These changes are part of the ongoing efforts to make it easier for customers to start with security best practices from the beginning of their cloud adoption.

How stronger defaults can help keep environments more secure

The organization policies we enforce broadly span Identity and Access Management, Storage, and Essential Contacts.

Identity and Access Management constraints
Changes to default organization policy constraints for IAM enforce additional security policies for service accounts and restricting domain sharing. These constraints include:

Storage constraint
The new default organization policy constraint for storage enforces uniform bucket-level access (storage.uniformBucketLevelAccess). This constraint prevents Cloud Storage buckets from using per-object ACLs (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing.

Essential Contacts constraint
The new default policy constraint for Essential Contacts limits contacts to only allow managed user identities in customer selected domain(s) to receive platform notifications (essentialcontacts.allowedContactDomains). This constraint helps ensure that important notifications from the platform can only be sent to users in selected domain(s).

Modify default organization policies

You might choose to modify or disable these security settings enforced by default organization policies. For example, you might have a workload that can only authenticate with service account keys and cannot use any of the more secure authentication methods. In this case, we recommend that you modify the policy as narrowly as possible to grant an exception to the relevant projects.

Getting started with Organization Policy Service

These default Organization Policy Service constraints can be a powerful and easy-to-use way for platform administrators to provide more secure access to cloud resources in a least privileged manner.

Related posts

How generative AI is transforming the customer service experience

by Cloud Ace Indonesia
12 months ago

How Dataplex can improve data auditing, security, and access management

by Cloud Ace Indonesia
2 years ago

Building security guardrails for developers with Google Cloud

by Kartika Triyanti
2 years ago