diff --git a/policies/org_policy.json b/policies/org_policy.json index 5ca5920..73d5f1b 100644 --- a/policies/org_policy.json +++ b/policies/org_policy.json @@ -30,8 +30,8 @@ }, { "name": "constraints/ainotebooks.environmentOptions", - "displayName": "Restrict environment options on new Vertex AI Workbench notebooks and instances", - "description": "This list constraint defines the VM and container image options a user can select when creating new Vertex AI Workbench notebooks and instances where this constraint is enforced. The options to be allowed or denied must be listed explicitly.The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE. Replace IMAGE_TYPE with image-family or image-name. Examples: ainotebooks-vm/deeplearning-platform-release/image-family/pytorch-1-4-cpu, ainotebooks-vm/deeplearning-platform-release/image-name/pytorch-latest-cpu-20200615.The expected format for container images will be ainotebooks-container/CONTAINER_REPOSITORY:TAG. Examples: ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:latest, ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:m48.", + "displayName": "Restrict environment options on new Vertex AI Workbench user-managed notebooks", + "description": "This list constraint defines the VM and container image options a user can select when creating new Vertex AI Workbench user-managed notebooks. The options to be allowed or denied must be listed explicitly.The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE. Replace IMAGE_TYPE with image-family or image-name. Examples: ainotebooks-vm/deeplearning-platform-release/image-family/pytorch-1-4-cpu, ainotebooks-vm/deeplearning-platform-release/image-name/pytorch-latest-cpu-20200615.The expected format for container images will be ainotebooks-container/CONTAINER_REPOSITORY:TAG. Examples: ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:latest, ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:m48.", "constraintDefault": "ALLOW", "listConstraint": {} }, @@ -109,6 +109,20 @@ "constraintDefault": "DENY", "booleanConstraint": {} }, + { + "name": "constraints/cloudbuild.useBuildServiceAccount", + "displayName": "Use default service account (Cloud Build)", + "description": "This boolean constraint, when enforced, allows the legacy Cloud Build service account to be used by default.", + "constraintDefault": "DENY", + "booleanConstraint": {} + }, + { + "name": "constraints/cloudbuild.useComputeServiceAccount", + "displayName": "Use Compute Engine Service Account by Default (Cloud Build)", + "description": "This boolean constraint, when enforced, allows the Compute Engine service account to be used by default.", + "constraintDefault": "DENY", + "booleanConstraint": {} + }, { "name": "constraints/clouddeploy.disableServiceLabelGeneration", "displayName": "Disable Cloud Deploy service labels", @@ -228,6 +242,13 @@ "constraintDefault": "ALLOW", "booleanConstraint": {} }, + { + "name": "constraints/compute.requireOsConfig", + "displayName": "Require OS Config", + "description": "This boolean constraint, when enforced, enables VM Manager (OS Config) on all new projects. All VM instances created in new projects will have VM Manager enabled. On new and existing projects, this constraint prevents metadata updates that disable VM Manager at the project or instance level. By default, VM Manager is disabled on Compute Engine projects.", + "constraintDefault": "ALLOW", + "booleanConstraint": {} + }, { "name": "constraints/compute.requireShieldedVm", "displayName": "Shielded VMs", @@ -296,14 +317,14 @@ { "name": "constraints/gcp.resourceLocations", "displayName": "Google Cloud Platform - Resource Location Restriction", - "description": "This list constraint defines the set of locations where location-based Google Cloud resources can be created. By default, resources can be created in any location. Policies for this constraint can specify multi-regions such as asia and europe, regions such as us-east1 or europe-west1 as allowed or denied locations. Allowing or denying a multi-region does not imply that all included sub-locations should also be allowed or denied. For example, if the policy denies the us multi-region (which refers to multi-region resources, like some storage services), resources can still be created in the regional location us-east1. On the other hand, the in:us-locations group contains all locations within the us region, and can be used to block every region. We recommend using value groups to define your policy. You can specify value groups, collections of locations that are curated by Google to provide a simple way to define your resource locations. To use value groups in your organization policy, prefix your entries with the string in:, followed by the value group. For example, to create resources that will only be physically located within the US, set in:us-locations in the list of allowed values.If the suggested_value field is used in a location policy, it should be a region. If the value specified is a region, a UI for a zonal resource may pre-populate any zone in that region. ", + "description": "This list constraint defines the set of locations where location-based Google Cloud resources can be created. Important: The information on this page does not describe Google Cloud Platform's data location commitments for Customer Data (as defined in the agreement under which Google has agreed to provide Google Cloud Platform services and as described in the Google Cloud Platform Services Summary at https://cloud.google.com/terms/services) to its customers. For the list of Google Cloud Platform services for which Customer Data location may be selected by customers, see Google Cloud Platform Services with Data Residency at https://cloud.google.com/terms/data-residency. By default, resources can be created in any location. For a full list of supported services, see https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations-supported-services. Policies for this constraint can specify multi-regions such as asia and europe, regions such as us-east1 or europe-west1 as allowed or denied locations. Allowing or denying a multi-region does not imply that all included sub-locations should also be allowed or denied. For example, if the policy denies the us multi-region (which refers to multi-region resources, like some storage services), resources can still be created in the regional location us-east1. On the other hand, the in:us-locations group contains all locations within the us region, and can be used to block every region. We recommend using value groups to define your policy. You can specify value groups, collections of locations that are curated by Google to provide a simple way to define your resource locations. To use value groups in your organization policy, prefix your entries with the string in:, followed by the value group. For example, to create resources that will only be physically located within the US, set in:us-locations in the list of allowed values. If the suggested_value field is used in a location policy, it should be a region. If the value specified is a region, a UI for a zonal resource may pre-populate any zone in that region. ", "constraintDefault": "ALLOW", "listConstraint": {} }, { "name": "constraints/gcp.restrictCmekCryptoKeyProjects", "displayName": "Restrict which projects may supply KMS CryptoKeys for CMEK", - "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.", + "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, alloydb.googleapis.com, apigee.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, discoveryengine.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securesourcemanager.googleapis.com, spanner.googleapis.com, speech.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, workstations.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.", "constraintDefault": "ALLOW", "listConstraint": { "supportsUnder": true @@ -312,7 +333,7 @@ { "name": "constraints/gcp.restrictNonCmekServices", "displayName": "Restrict which services may create resources without CMEK", - "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.", + "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, alloydb.googleapis.com, apigee.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, discoveryengine.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securesourcemanager.googleapis.com, spanner.googleapis.com, speech.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com, workstations.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.", "constraintDefault": "ALLOW", "listConstraint": {} }, @@ -476,6 +497,13 @@ "constraintDefault": "ALLOW", "listConstraint": {} }, + { + "name": "constraints/storage.softDeletePolicySeconds", + "displayName": "Cloud Storage - soft delete policy retention duration in seconds", + "description": "This constraint defines the allowable retention durations for soft delete policies set on Cloud Storage buckets where this constraint is enforced. Any insert, update, or patch operation on a bucket where this constraint is enforced must have a soft delete policy duration that matches the constraint. When a new organization policy is enforced, the soft delete policy of existing buckets remains unchanged and valid. By default, if no organization policy is specified, a Cloud Storage bucket can have a soft delete policy of any duration.", + "constraintDefault": "ALLOW", + "listConstraint": {} + }, { "name": "constraints/storage.restrictAuthTypes", "displayName": "Cloud Storage - restrict authentication types", @@ -502,7 +530,7 @@ { "name": "constraints/compute.restrictVpcPeering", "displayName": "Restrict VPC peering usage", - "description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.", + "description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. Each peering end is required to have peering permission. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.", "constraintDefault": "ALLOW", "listConstraint": { "supportsUnder": true @@ -620,7 +648,7 @@ { "name": "constraints/gcp.restrictTLSVersion", "displayName": "Restrict TLS Versions", - "description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrpyted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.", + "description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrypted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.", "constraintDefault": "ALLOW", "listConstraint": {} }, @@ -701,7 +729,7 @@ { "name": "constraints/storage.publicAccessPrevention", "displayName": "Enforce Public Access Prevention", - "description": "Secure your Cloud Storage data from public exposure by enforcing public access prevention. This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled.", + "description": "Secure your Cloud Storage data from public exposure by enforcing public access prevention. This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled. For more details on the effects of changing enforcement of this constraint on resources, please see: https://cloud.google.com/storage/docs/public-access-prevention.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -722,7 +750,7 @@ { "name": "constraints/compute.disableHybridCloudIpv6", "displayName": "Disable Hybrid Cloud IPv6 usage", - "description": "This boolean constraint, when set to True, disables the creation of or update to hybrid cloud resources including Cloud Router, Interconnect Attachments, and Cloud VPN with a stack_type of IPV4_IPV6. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in any projects, folders and organizations.", + "description": "This boolean constraint, when enforced, disables the creation of, or updates to, hybrid cloud resources including Interconnect Attachments and Cloud VPN gateways with a stack_type of IPV4_IPV6 or IPV6_ONLY, or a gatewayIpVersion of IPv6. If enforced on a Cloud Router resource, the ability to create IPv6 Border Gateway Protocol (BGP) sessions and the ability to enable IPv6 route exchange over IPv4 BGP sessions are disabled. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in projects, folders, and organizations.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -819,8 +847,8 @@ }, { "name": "constraints/compute.disableSshInBrowser", - "displayName": "Disable SSH in browser", - "description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.", + "displayName": "Disable SSH-in-browser", + "description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console for VMs that use OS Login and App Engine flexible environment VMs. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -834,14 +862,14 @@ { "name": "constraints/commerceorggovernance.marketplaceServices", "displayName": "Restrict access on marketplace services", - "description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If PRIVATE_MARKETPLACE is in the allowed value list, the private marketplace is enabled. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the private marketplace is disabled and the IaaS procurement governance experience is disabled. Also, the IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on the marketplace.", + "description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the IaaS procurement governance experience is turned off. The IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on Cloud Marketplace.Note: The PRIVATE_MARKETPLACE value is no longer supported and using it has no effect. To turn on Google Private Marketplace, you must follow the instructions at https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace.", "constraintDefault": "DENY", "listConstraint": {} }, { "name": "constraints/commerceorggovernance.disablePublicMarketplace", - "displayName": "Disable Public Marketplace", - "description": "This boolean constraint, when enforced, disables public marketplace for all users under the org. By default, public marketplace access is enabled for the org.", + "displayName": "Disable public marketplace", + "description": "This boolean constraint, when enforced, turns off {{marketplace_name}} for all users under the organization. By default, public marketplace access is turned on for the organization. This policy only works when the Private Marketplace is enabled (https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace).Important: For the most optimal experience, we strongly recommend that you use the marketplace user access restrictions feature, as described in https://cloud.google.com/marketplace/docs/governance/strict-user-access to prevent unauthorized use of the marketplace in your organization, instead of doing so via this organization policy.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -876,9 +904,42 @@ { "name": "constraints/iam.serviceAccountKeyExposureResponse", "displayName": "Service account key exposure response", - "description": "This list constraint defines the response taken if Google detects that a service account key is exposed publicly. By default, there is no response. The allowed values are DISABLE_KEY and WAIT_FOR_ABUSE. Values not explicitly part of this list cannot be used. Only one allowed value can be specified, and denied values are not supported. Allowing the DISABLE_KEY value automatically disables any publicly exposed service account key, and creates an entry in the audit log. Allowing the WAIT_FOR_ABUSE value opts out of this protection, and does not disable exposed service account keys automatically. However, Google Cloud may disable exposed service account keys if they are used in ways that adversely affect the platform, but makes no promise to do so. To enforce this constraint, set it to replace the parent policy in the Google Cloud Console, or set inheritFromParent=false in the policy file if using the gcloud CLI. This constraint can't be merged with a parent policy. ", + "description": "This list constraint defines the response taken if Google detects that a service account key is exposed publicly. If not set, defaults to the behavior described for DISABLE_KEY. The allowed values are DISABLE_KEY and WAIT_FOR_ABUSE. Values not explicitly part of this list cannot be used. Only one allowed value can be specified, and denied values are not supported. Allowing the DISABLE_KEY value automatically disables any publicly exposed service account key, and creates an entry in the audit log. Allowing the WAIT_FOR_ABUSE value opts out of this protection, and does not disable exposed service account keys automatically. However, Google Cloud may disable exposed service account keys if they are used in ways that adversely affect the platform, but makes no promise to do so. To enforce this constraint, set it to replace the parent policy in the Google Cloud Console, or set inheritFromParent=false in the policy file if using the gcloud CLI. This constraint can't be merged with a parent policy. ", "constraintDefault": "DENY", "listConstraint": {} + }, + { + "name": "constraints/compute.requireBasicQuotaInResponse", + "displayName": "Disable fail-open behavior for list methods that display quota information for a region", + "description": "This boolean constraint, when enforced, disables the fail-open behavior on server-side failures for regions.list, regions.get, and projects.get methods. That means that if the quota information is unavailable, these methods fail when the constraint is enforced. By default, these methods succeed on server-side failures and display a warning message when the quota information is unavailable.", + "constraintDefault": "ALLOW", + "booleanConstraint": {} + }, + { + "name": "constraints/vertexai.allowedGenAIModels", + "displayName": "Define access to Google proprietary generative AI models on Vertex AI", + "description": "This list constraint defines the set of generative AI models and features allowed to be used in Vertex AI APIs. The values of the allowlist should follow the format model_id:feature_family. For example, publishers/google/models/text-bison:predict. This list constraint only restricts access to Google proprietary generative AI models, and does not effect third-party proprietary models or open source models. The constraint vertexai.allowedModels can be used to define access to a broader set of models including Google proprietary models, third-party proprietary models, and open source models. By default, all models can be used in Vertex AI APIs.", + "constraintDefault": "ALLOW", + "listConstraint": {} + }, + { + "name": "constraints/vertexai.allowedModels", + "displayName": "Define access to models on Vertex AI", + "description": "This list constraint defines the set of models and features allowed to be used in Vertex AI APIs. The values of the allowlist should follow the format \"model_id:feature_family\", for example \"publishers/google/models/gemini-1.0-pro:predict\". By default, all models can be used in Vertex AI APIs.", + "constraintDefault": "ALLOW", + "listConstraint": {} + }, + { + "name": "constraints/iam.managed.disableServiceAccountKeyCreation", + "displayName": "Disable service account key creation", + "description": "This constraint, when enforced, blocks service account key creation.", + "constraintDefault": "ALLOW" + }, + { + "name": "constraints/iam.managed.disableServiceAccountKeyUpload", + "displayName": "Disable Service Account Key Upload", + "description": "This boolean constraint disables the feature that allows uploading public keys to service accounts where this constraint is set to `True`. By default, users can upload public keys to service accounts based on their Cloud IAM roles and permissions.", + "constraintDefault": "ALLOW" } ] } \ No newline at end of file