diff --git a/policies/org_policy.json b/policies/org_policy.json
index 5ca5920..0dd43a7 100644
--- a/policies/org_policy.json
+++ b/policies/org_policy.json
@@ -109,6 +109,20 @@
 "constraintDefault": "DENY",
 "booleanConstraint": {}
 },
+ {
+ "name": "constraints/cloudbuild.useBuildServiceAccount",
+ "displayName": "Use default service account (Cloud Build)",
+ "description": "This boolean constraint, when enforced, allows the legacy Cloud Build service account to be used by default.",
+ "constraintDefault": "DENY",
+ "booleanConstraint": {}
+ },
+ {
+ "name": "constraints/cloudbuild.useComputeServiceAccount",
+ "displayName": "Use Compute Engine Service Account by Default (Cloud Build)",
+ "description": "This boolean constraint, when enforced, allows the Compute Engine service account to be used by default.",
+ "constraintDefault": "DENY",
+ "booleanConstraint": {}
+ },
 {
 "name": "constraints/clouddeploy.disableServiceLabelGeneration",
 "displayName": "Disable Cloud Deploy service labels",
@@ -228,6 +242,13 @@
 "constraintDefault": "ALLOW",
 "booleanConstraint": {}
 },
+ {
+ "name": "constraints/compute.requireOsConfig",
+ "displayName": "Require OS Config",
+ "description": "This boolean constraint, when enforced, enables VM Manager (OS Config) on all new projects. All VM instances created in new projects will have VM Manager enabled. On new and existing projects, this constraint prevents metadata updates that disable VM Manager at the project or instance level. By default, VM Manager is disabled on Compute Engine projects.",
+ "constraintDefault": "ALLOW",
+ "booleanConstraint": {}
+ },
 {
 "name": "constraints/compute.requireShieldedVm",
 "displayName": "Shielded VMs",
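Review bot: The two new cloudbuild entries are the only boolean constraints in this change whose enforcement grants something rather than removing it — both descriptions read "when enforced, allows the ... service account to be used by default" — and they are also the only ones carrying `"constraintDefault": "DENY"`, so their polarity is the reverse of entries such as compute.disableSshInBrowser and compute.requireOsConfig elsewhere in this diff. A reader scanning constraintDefault across the catalog can misread DENY here as the more restrictive posture, and neither description says which identity builds run under when the constraint is not enforced or how the two constraints combine when both are enforced on the same resource. If this file mirrors the published catalog verbatim the wording has to be fixed upstream; otherwise each description should end with a sentence of the form `When not enforced, builds use [identity — confirm upstream] by default.` so that anyone auditing build identities from this catalog can derive the effective default.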
@@ -303,7 +324,7 @@
 {
 "name": "constraints/gcp.restrictCmekCryptoKeyProjects",
 "displayName": "Restrict which projects may supply KMS CryptoKeys for CMEK",
- "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.",
+ "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securesourcemanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, workstations.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.",
 "constraintDefault": "ALLOW",
 "listConstraint": {
 "supportsUnder": true
@@ -312,7 +333,7 @@
 {
 "name": "constraints/gcp.restrictNonCmekServices",
 "displayName": "Restrict which services may create resources without CMEK",
- "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.",
+ "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securesourcemanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com, workstations.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.",
 "constraintDefault": "ALLOW",
 "listConstraint": {}
 },
@@ -476,6 +497,13 @@
 "constraintDefault": "ALLOW",
 "listConstraint": {}
 },
+ {
+ "name": "constraints/storage.softDeletePolicySeconds",
+ "displayName": "Cloud Storage - soft delete policy retention duration in seconds",
+ "description": "This constraint defines the allowable retention durations for soft delete policies set on Cloud Storage buckets where this constraint is enforced. Any insert, update, or patch operation on a bucket where this constraint is enforced must have a soft delete policy duration that matches the constraint. When a new organization policy is enforced, the soft delete policy of existing buckets remains unchanged and valid. By default, if no organization policy is specified, a Cloud Storage bucket can have a soft delete policy of any duration.",
+ "constraintDefault": "ALLOW",
+ "listConstraint": {}
+ },
 {
 "name": "constraints/storage.restrictAuthTypes",
 "displayName": "Cloud Storage - restrict authentication types",
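Review bot: The new storage.softDeletePolicySeconds description never states the accepted value format — it only says a bucket's duration "must have a soft delete policy duration that matches the constraint" — whereas the other list constraints touched in this change (gcp.restrictCmekCryptoKeyProjects, compute.restrictVpcPeering) spell out the exact form their values take. A reader cannot tell whether allowed values are single integers of seconds, ranges, or whether a duration of 0 (no soft delete) can be listed, and that last case is the one a governance team enforcing this constraint most needs to know. If this file mirrors the upstream catalog verbatim the wording has to be corrected there; otherwise a sentence such as `Values must be specified as [value format — confirm upstream].` belongs after the second sentence.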
@@ -502,7 +530,7 @@
 {
 "name": "constraints/compute.restrictVpcPeering",
 "displayName": "Restrict VPC peering usage",
- "description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.",
+ "description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. Each peering end is required to have peering permission. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.",
 "constraintDefault": "ALLOW",
 "listConstraint": {
 "supportsUnder": true
@@ -620,7 +648,7 @@
 {
 "name": "constraints/gcp.restrictTLSVersion",
 "displayName": "Restrict TLS Versions",
- "description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrpyted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.",
+ "description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrypted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.",
 "constraintDefault": "ALLOW",
 "listConstraint": {}
 },
@@ -701,7 +729,7 @@
 {
 "name": "constraints/storage.publicAccessPrevention",
 "displayName": "Enforce Public Access Prevention",
- "description": "Secure your Cloud Storage data from public exposure by enforcing public access prevention. This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled.",
+ "description": "Secure your Cloud Storage data from public exposure by enforcing public access prevention. This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled. For more details on the effects of changing enforcement of this constraint on resources, please see: https://cloud.google.com/storage/docs/public-access-prevention.",
 "constraintDefault": "ALLOW",
 "booleanConstraint": {}
 },
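Review bot: The rewritten storage.publicAccessPrevention description still runs two sentences together at `exposed.This policy overrides` (no space after the period); since the line is being rewritten anyway, `exposed. This policy overrides` fixes it. The same missing separator occurs in other rewritten descriptions in this change: `TLS_VERSION_1_1.This constraint` in the gcp.restrictTLSVersion hunk, `Cloud Marketplace.Note:` and `enable-private-marketplace).Important:` in the commerceorggovernance hunk, and `OSS models.By default` in the new vertexai.allowedGenAIModels entry. These strings are shown verbatim to administrators, so the run-ons read as though text was dropped; if this file is a verbatim mirror of the upstream catalog, the fix belongs upstream rather than here.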
@@ -722,7 +750,7 @@
 {
 "name": "constraints/compute.disableHybridCloudIpv6",
 "displayName": "Disable Hybrid Cloud IPv6 usage",
- "description": "This boolean constraint, when set to True, disables the creation of or update to hybrid cloud resources including Cloud Router, Interconnect Attachments, and Cloud VPN with a stack_type of IPV4_IPV6. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in any projects, folders and organizations.",
+ "description": "This boolean constraint, when enforced, disables the creation of, or updates to, hybrid cloud resources including Interconnect Attachments and Cloud VPN gateways with a stack_type of IPV4_IPV6 or IPV6_ONLY, or a gatewayIpVersion of IPv6. If enforced on a Cloud Router resource, the ability to create IPv6 Border Gateway Protocol (BGP) sessions and the ability to enable IPv6 route exchange over IPv4 BGP sessions are disabled. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in projects, folders, and organizations.",
 "constraintDefault": "ALLOW",
 "booleanConstraint": {}
 },
@@ -819,8 +847,8 @@
 },
 {
 "name": "constraints/compute.disableSshInBrowser",
- "displayName": "Disable SSH in browser",
- "description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.",
+ "displayName": "Disable SSH-in-browser",
+ "description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console for VMs that use OS Login and App Engine flexible environment VMs. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.",
 "constraintDefault": "ALLOW",
 "booleanConstraint": {}
 },
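Review bot: The new compute.disableSshInBrowser description narrows the constraint to "VMs that use OS Login and App Engine flexible environment VMs", while the displayName "Disable SSH-in-browser" and the unchanged closing sentence "By default, using the SSH-in-browser tool is allowed" still read as if every VM were covered. Anyone who enforced this constraint under the old wording to block browser-based SSH across a project needs the new text to say what now falls outside its scope; as written, the reader is left to infer that VMs not using OS Login are unaffected. If the upstream catalog states it, a sentence such as `This constraint does not affect [VM types outside scope — confirm upstream].` should follow the first sentence, or the scope should be carried in the displayName; if this file is a verbatim mirror, the point is worth raising upstream.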
@@ -834,14 +862,14 @@
 {
 "name": "constraints/commerceorggovernance.marketplaceServices",
 "displayName": "Restrict access on marketplace services",
- "description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If PRIVATE_MARKETPLACE is in the allowed value list, the private marketplace is enabled. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the private marketplace is disabled and the IaaS procurement governance experience is disabled. Also, the IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on the marketplace.",
+ "description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the IaaS procurement governance experience is turned off. The IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on Cloud Marketplace.Note: The PRIVATE_MARKETPLACE value is no longer supported and using it has no effect. To turn on Google Private Marketplace, you must follow the instructions at https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace.",
 "constraintDefault": "DENY",
 "listConstraint": {}
 },
 {
 "name": "constraints/commerceorggovernance.disablePublicMarketplace",
- "displayName": "Disable Public Marketplace",
- "description": "This boolean constraint, when enforced, disables public marketplace for all users under the org. By default, public marketplace access is enabled for the org.",
+ "displayName": "Disable public marketplace",
+ "description": "This boolean constraint, when enforced, turns off {{marketplace_name}} for all users under the organization. By default, public marketplace access is turned on for the organization. This policy only works when the Private Marketplace is enabled (https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace).Important: For the most optimal experience, we strongly recommend that you use the marketplace user access restrictions feature, as described in https://cloud.google.com/marketplace/docs/governance/strict-user-access to prevent unauthorized use of the marketplace in your organization, instead of doing so via this organization policy.",
 "constraintDefault": "ALLOW",
 "booleanConstraint": {}
 },
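Review bot: The new commerceorggovernance.disablePublicMarketplace description contains an unexpanded template token, `turns off {{marketplace_name}} for all users`, which will be shown to administrators verbatim; it should read `turns off the public marketplace for all users` (or whatever the rendered upstream text is). In the same hunk, the new marketplaceServices description still lists PRIVATE_MARKETPLACE as a permitted value in its first sentence and then states that the value "is no longer supported and using it has no effect", so a tool that validates policies against this catalog will accept a value that silently does nothing; the allowed-values list should drop PRIVATE_MARKETPLACE or mark it deprecated in place. Both points belong upstream if this file is a verbatim mirror of the published catalog.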
@@ -879,6 +907,27 @@
 "description": "This list constraint defines the response taken if Google detects that a service account key is exposed publicly. By default, there is no response. The allowed values are DISABLE_KEY and WAIT_FOR_ABUSE. Values not explicitly part of this list cannot be used. Only one allowed value can be specified, and denied values are not supported. Allowing the DISABLE_KEY value automatically disables any publicly exposed service account key, and creates an entry in the audit log. Allowing the WAIT_FOR_ABUSE value opts out of this protection, and does not disable exposed service account keys automatically. However, Google Cloud may disable exposed service account keys if they are used in ways that adversely affect the platform, but makes no promise to do so. To enforce this constraint, set it to replace the parent policy in the Google Cloud Console, or set inheritFromParent=false in the policy file if using the gcloud CLI. This constraint can't be merged with a parent policy. ",
 "constraintDefault": "DENY",
 "listConstraint": {}
+ },
+ {
+ "name": "constraints/compute.requireBasicQuotaInResponse",
+ "displayName": "Disable fail-open behavior for list methods that display quota information for a region",
+ "description": "This boolean constraint, when enforced, disables the fail-open behavior on server-side failures for regions.list, regions.get, and projects.get methods. That means that if the quota information is unavailable, these methods fail when the constraint is enforced. By default, these methods succeed on server-side failures and display a warning message when the quota information is unavailable.",
+ "constraintDefault": "ALLOW",
+ "booleanConstraint": {}
+ },
+ {
+ "name": "constraints/vertexai.allowedGenAIModels",
+ "displayName": "Define access to Google proprietary generative AI models on Vertex AI",
+ "description": "This list constraint defines the set of generative AI models and features allowed to be used in Vertex AI APIs. The values of the allowlist should follow the format \"{model_id}:{feature_family}\", for example \"publishers/google/models/text-bison:predict\". This list constraint is only enforced for Google proprietary gen AI models and does not take effect for third-party proprietary models or OSS models. The constraint \"vertexai.allowedModels\" can be used for define access to a broader set of models including Google proprietary models, third-party proprietary models and OSS models.By default, all models can be used in Vertex AI APIs.",
+ "constraintDefault": "ALLOW",
+ "listConstraint": {}
+ },
+ {
+ "name": "constraints/vertexai.allowedModels",
+ "displayName": "Define access to models on Vertex AI",
+ "description": "This list constraint defines the set of models and features allowed to be used in Vertex AI APIs. The values of the allowlist should follow the format \"{model_id}:{feature_family}\", for example \"publishers/google/models/gemini-1.0-pro:predict\". By default, all models can be used in Vertex AI APIs.",
+ "constraintDefault": "ALLOW",
+ "listConstraint": {}
 }
 ]
 }
\ No newline at end of file
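Review bot: The new vertexai.allowedGenAIModels description has a grammatical slip, `can be used for define access to a broader set of models`, which should read `can be used to define access to a broader set of models`. The two new vertexai entries also describe only an allowlist and say nothing about whether denied values are supported, whereas the other list constraints in this change (gcp.restrictCmekCryptoKeyProjects, gcp.restrictNonCmekServices, and the iam exposed-key constraint in the context lines of this hunk) state explicitly whether Deny or Deny All is permitted, so a reader comparing entries cannot tell whether the omission is deliberate. If the upstream catalog specifies it, a sentence of the form `Setting this constraint to Deny [is / is not — confirm upstream] permitted.` would make these entries consistent with the rest of the file; if this file is a verbatim mirror, both points belong upstream.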