Google Cloud security baseline constraints

If you are a new customer, Google Cloud automatically provisions an organization resource for your domain in the following scenarios:

  • A user from your domain logs in for the first time.
  • A user creates a billing account that does not have an associated organization resource.

This organization resource's default configuration, characterized by unrestricted access, can make the infrastructure susceptible to security breaches. For example, default service account key creation is a critical vulnerability that exposes systems to potential breaches.

Google Cloud security baseline addresses insecure security postures with a bundle of organization policies that are enforced when an organization resource is created. For more information, see getting an organization resource. Examples of these organization policies include disabling service account key creation and disabling service account key upload.

When an existing user creates an organization, the security posture for the new organization resource might be different from the existing organization resources. Google Cloud security baseline constraints are enforced for all organizations created on or after May 3, 2024. Some organizations created between February 2024 and April 2024 might also have these default policy enforcements set. To view organization policies applied to your organization, see Viewing organization policies.

Before you begin

For more information about what organization policies and constraints are and how they work, see the introduction to the Organization Policy Service.

Required roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to manage organization policies. To see the exact permissions that are required, see the following Required permissions section:

Required permissions

The following permissions are required to manage organization policies:

  • orgpolicy.constraints.list
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

You might also be able to get these permissions with custom roles or other predefined roles.

You can delegate the administration of organization policies by adding IAM Conditions to the Organization policy administrator role binding. To control the resources where a principal can manage organization policies, you can make the role binding conditional on a particular tag. For more information, see Using constraints.

Organization policies enforced on organization resources

The following table lists the organization policy constraints that are automatically enforced when you create an organization resource. Each entry gives the organization policy name, the organization policy constraint, a description, and the impact of enforcement.

  • Disable service account key creation
    Constraint: constraints/iam.managed.disableServiceAccountKeyCreation
    Description: Prevent users from creating persistent keys for service accounts. For information about managing service account keys, see Provide alternatives to creating service account keys.
    Impact of enforcement: Reduces the risk of exposed service account credentials.

  • Disable service account key upload
    Constraint: constraints/iam.managed.disableServiceAccountKeyUpload
    Description: Prevent the upload of external public keys to service accounts. For information about accessing resources without service account keys, see these best practices.
    Impact of enforcement: Reduces the risk of exposed service account credentials.

  • Prevent the Editor role from being granted to default service accounts
    Constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
    Description: Prevent default service accounts from receiving the overly permissive IAM Editor role at creation.
    Impact of enforcement: The Editor role lets the service account create and delete resources for most Google Cloud services, which creates a vulnerability if the service account gets compromised.

  • Restrict identities by domain
    Constraint: constraints/iam.allowedPolicyMemberDomains
    Description: Limit resource sharing to identities that belong to a particular organization resource or Google Workspace customer ID.
    Impact of enforcement: Leaving the organization resource open to access by actors with domains other than the customer's own creates a vulnerability.

  • Restrict contacts by domain
    Constraint: constraints/essentialcontacts.managed.allowedContactDomains
    Description: Limit Essential Contacts to only allow managed user identities in selected domains to receive platform notifications.
    Impact of enforcement: A bad actor with a different domain might get added as an Essential Contact, leading to a compromised security posture.

  • Restrict protocol forwarding based on type of IP address
    Constraint: constraints/compute.managed.restrictProtocolForwardingCreationForTypes
    Description: Restrict the configuration of protocol forwarding to internal IP addresses only.
    Impact of enforcement: Protects target instances from exposure to external traffic.

  • Uniform bucket-level access
    Constraint: constraints/storage.uniformBucketLevelAccess
    Description: Prevent Cloud Storage buckets from using per-object ACLs (a separate system from allow and deny policies) to provide access.
    Impact of enforcement: Enforces consistency for access management and auditing.

Note: For some organizations created after August 15, 2024, the constraints/compute.restrictProtocolForwardingCreationForTypes organization policy constraint might already be applied.

Manage enforcement of organization policies

You can manage the enforcement of organization policies in the following ways:

List organization policies

To check whether the Google Cloud security baseline constraints are enforced on your organization, use the following command:

gcloud resource-manager org-policies list --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the unique identifier of your organization.
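The listing alone does not tell you which baseline constraints are absent. The following script, added here as an example and not part of Google's documentation, compares the policies present on an organization against the baseline list from the table above and prints the constraints that have no policy. It assumes that `gcloud org-policies list --format='value(name)'` prints one policy name per line in the form organizations/ORGANIZATION_ID/policies/CONSTRAINT; the sample input is constructed so the script runs offline.

```shell
#!/bin/sh
# Baseline constraints from the table on this page (constraint names without the constraints/ prefix).
BASELINE="iam.managed.disableServiceAccountKeyCreation
iam.managed.disableServiceAccountKeyUpload
iam.automaticIamGrantsForDefaultServiceAccounts
iam.allowedPolicyMemberDomains
essentialcontacts.managed.allowedContactDomains
compute.managed.restrictProtocolForwardingCreationForTypes
storage.uniformBucketLevelAccess"

# Constructed sample of policy names as printed by
#   gcloud org-policies list --organization=ORGANIZATION_ID --format='value(name)'
# (the organizations/<id>/policies/<constraint> shape is an assumption; the id is made up).
SAMPLE_POLICY_NAMES="organizations/123456789012/policies/iam.managed.disableServiceAccountKeyCreation
organizations/123456789012/policies/iam.allowedPolicyMemberDomains
organizations/123456789012/policies/storage.uniformBucketLevelAccess"

# missing_baseline: reads policy names on stdin, prints one line per baseline
# constraint that has no policy on the organization (empty output means all present).
missing_baseline() {
  # Strip everything up to and including "/policies/" to keep the bare constraint name.
  enforced=$(sed 's#.*/policies/##')
  printf '%s\n' "$BASELINE" | while IFS= read -r constraint; do
    # -x: whole-line match, -F: treat dots in the name literally.
    printf '%s\n' "$enforced" | grep -qxF -- "$constraint" || printf '%s\n' "$constraint"
  done
}

# Against a live organization (not run here):
#   gcloud org-policies list --organization="$ORGANIZATION_ID" --format='value(name)' | missing_baseline
printf '%s\n' "$SAMPLE_POLICY_NAMES" | missing_baseline
```

With the constructed sample, four of the seven baseline constraints are reported as missing.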

Disable organization policies

To disable or delete an organization policy, run the following command:

gcloud org-policies delete CONSTRAINT_NAME --organization=ORGANIZATION_ID

Replace the following:

  • CONSTRAINT_NAME: the name of the organization policy constraint that you want to delete, for example, iam.allowedPolicyMemberDomains
  • ORGANIZATION_ID: the unique identifier of your organization

What's next

For more information about creating and managing organization policies, see Using constraints.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.