GCP Org Policy Reference
Browse and search GCP organization policy constraints with descriptions and examples.
Prerequisites
- GCP organization and project hierarchy knowledge
- Familiarity with GCP resource management
Constraints
- When enforced, this boolean constraint disables serial port access to Compute Engine VMs belonging to the organization, project, or folder where this constraint is active.
- When enforced, this boolean constraint enables OS Login on all newly created projects, preventing SSH keys from being set in instance metadata on Compute Engine instances.
- This list constraint defines the set of Shared VPC subnetworks that eligible resources can use. It does not apply to resources in the same project as the host project.
- This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses.
- When enforced, this boolean constraint disables the creation of external service account keys. Service account keys are a security risk if not managed correctly.
- This list constraint defines the set of members that can be added to IAM policies. Only identities in the allowed domains can be added; this is commonly used to prevent sharing resources with external accounts.
- When enforced, this boolean constraint requires Cloud Storage buckets to use uniform bucket-level access, disabling object-level ACLs. This simplifies access management and improves security.
- When enforced, this boolean constraint restricts configuring public IPs on Cloud SQL instances. Public IP access to databases is a significant security risk and should be avoided in production.
- This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. Only images from trusted projects are allowed.
- This list constraint defines the set of external organizations to which resources can be exported or shared. It limits data exfiltration risk by controlling where project resources can be moved.
- This list constraint defines the set of locations where location-based GCP resources can be created. Policies for this constraint can specify multi-regions, regions, or zones as allowed or denied locations.
- When enforced, this boolean constraint skips the creation of the default VPC network and related resources during Google Cloud project creation. The default network has overly permissive firewall rules.
- When enforced, this boolean constraint disables the creation of service accounts in the organization, project, or folder. Use this to centralize service account management.
- When enforced, this boolean constraint requires that all new Compute Engine VM instances use Shielded VM images with Secure Boot, vTPM, and Integrity Monitoring enabled.
- This list constraint defines the allowed ingress settings for deploying Cloud Functions. Use this to require internal-only or internal-and-gclb traffic sources.
- When enforced, this boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs in the organization, project, or folder.
- When enforced, this boolean constraint prevents the creation of new GKE clusters with Workload Identity disabled. All new clusters must use Workload Identity for secure pod-level access to Google Cloud APIs.
- When enforced, this boolean constraint restricts adding authorized networks for unproxied database access to Cloud SQL instances. Use Cloud SQL Proxy or Private IP instead.
- This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization.
- When enforced, this boolean constraint prevents Cloud Storage buckets from being made publicly accessible. It blocks allUsers and allAuthenticatedUsers from being granted access.
Key Takeaways
1. Organization policies enforce constraints regardless of IAM permissions.
2. Boolean constraints enable or disable specific behaviors org-wide.
3. List constraints allow or deny specific values like regions or VM types.
4. Policies inherit down the resource hierarchy and can be overridden at lower levels.
5. Use dry-run mode before enforcing new policies in production.
Frequently Asked Questions
What is the difference between IAM and organization policies in GCP?
Can organization policies be overridden at the project level?
How do I find which organization policies are currently enforced?
What happens if I enforce a policy that existing resources violate?
Can I create custom organization policy constraints?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.