Overview of organization policy recommendations

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

The Organization Policy Service gives customers centralized and programmatic control to set restrictions on their organization's resources. Each type of restriction is defined as a constraint, and is conceptually similar to a blueprint that defines what behaviors are controlled. Creating and maintaining organization policies can be complicated, as the requirements for security and compliance change over time.

Organization Policy recommender helps you secure your Google Cloud resources without disrupting customer systems. It analyzes existing organization policy configurations and generates recommendations for which organization policies to enforce.

Overview of organization policy recommendations

Organization policy recommendations are generated by the Organization Policy recommender. The Organization Policy recommender is one of the recommenders that Recommender offers.

Each organization policy recommendation suggests that you set a particular organization policy to improve the security of your Google Cloud resources. An organization policy is built from a constraint, which is a configuration of restrictions on a Google Cloud service.

The Organization Policy recommender uses organization policy insights to identify organization policies that aren't set. Organization policy insights are findings regarding the enforcement status of an organization policy constraint on your resources, and whether your resources are in violation of that organization policy.

A resource is considered in violation of an organization policy if it's in a state that is restricted by that organization policy. For example, the iam.managed.disableServiceAccountKeyCreation constraint lets you restrict the creation of service account keys. If a service account key has been created in a project, the Organization Policy Service considers that project to be in violation of that organization policy.

How insights and recommendations are generated

A recommendation is a suggestion for optimizing your usage of Google Cloud resources. It includes the steps required to take action on the recommendation, and is created using logs and analysis of your resource configurations to address vulnerabilities identified by the insight.

Insights are findings that you can use to proactively focus on important patterns in resource usage, and contain the context needed to create a recommendation.

Organization Policy recommender generates recommendations at the highest possible level in the resource hierarchy. For example, if there are no violations of a supported constraint in any projects under a folder, Organization Policy recommender generates the recommendation for that folder, instead of providing recommendations for the projects.

Supported constraints

Each recommendation is specific to a particular organization policy constraint.

Service account key creation

By default, users with the appropriate permissions can create service account keys. However, service account keys are a security risk if not managed correctly. Using the iam.managed.disableServiceAccountKeyCreation organization policy constraint, you can disable the creation of new external service account keys for all service accounts under a project, folder, or organization.

Organization Policy recommender checks for the existence of Identity and Access Management (IAM) user-managed service accounts and the external keys of those service accounts, to evaluate whether they violate the restrictions on service account key creation.

If no service account keys have been created, Organization Policy recommender generates a recommendation to enforce the iam.managed.disableServiceAccountKeyCreation constraint, with supporting details of the recommendation in the corresponding insights.

Insights related to the iam.managed.disableServiceAccountKeyCreation constraint have the subtype ADD_POLICY_DISABLE_SERVICE_ACCOUNT_KEY_CREATION.
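As an added illustration (not code from this page or from Google Cloud), the following Python models the two rules described above: a project is in violation of iam.managed.disableServiceAccountKeyCreation when it holds a user-managed key, and recommendations roll up to the highest clean level of the hierarchy. Resource names and key counts are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Union

# Constraint and insight subtype named on this page.
CONSTRAINT = "iam.managed.disableServiceAccountKeyCreation"
INSIGHT_SUBTYPE = "ADD_POLICY_DISABLE_SERVICE_ACCOUNT_KEY_CREATION"

@dataclass
class Project:
    name: str               # resource name, e.g. "projects/dev-app" (constructed)
    user_managed_keys: int  # external (user-managed) SA keys found in the project

@dataclass
class Folder:
    name: str               # e.g. "folders/dev" or "organizations/..." (constructed)
    children: List[Union["Project", "Folder"]]

def violates(node: Union[Project, Folder]) -> bool:
    """A project violates the constraint if any user-managed key exists;
    a folder violates if any descendant project does."""
    if isinstance(node, Project):
        return node.user_managed_keys > 0
    return any(violates(child) for child in node.children)

def violating_projects(node: Union[Project, Folder]) -> List[str]:
    """Projects the corresponding insight would report as in violation."""
    if isinstance(node, Project):
        return [node.name] if violates(node) else []
    return [p for child in node.children for p in violating_projects(child)]

def recommend(node: Union[Project, Folder]) -> List[dict]:
    """Emit recommendations at the highest clean level of the hierarchy.
    A clean node gets exactly one recommendation; a violating folder is
    descended so its clean children can still be covered."""
    if not violates(node):
        return [{"resource": node.name, "constraint": CONSTRAINT,
                 "subtype": INSIGHT_SUBTYPE, "priority": "P1", "severity": "HIGH"}]
    if isinstance(node, Project):
        return []  # violating project: insight only, no enforce recommendation
    return [rec for child in node.children for rec in recommend(child)]

# Constructed sample hierarchy: "dev" is clean, "prod" has one project with keys.
ORG = Folder("organizations/000000000000", [
    Folder("folders/dev", [Project("projects/dev-app", 0),
                           Project("projects/dev-tools", 0)]),
    Folder("folders/prod", [Project("projects/prod-web", 0),
                            Project("projects/prod-legacy", 2)]),
])
```

Running `recommend(ORG)` yields one recommendation for folders/dev and one for projects/prod-web only; projects/prod-legacy appears in `violating_projects(ORG)` instead.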

Service account key upload

Users can upload the public key portion of a user-managed key pair to associate it with a service account. After they upload the public key, they can use the private key from the key pair as a service account key. Using the iam.managed.disableServiceAccountKeyUpload organization policy constraint, you can disable the upload of external public keys to service accounts under a project, folder, or organization.

If no service account keys have been uploaded, Organization Policy recommender generates a recommendation to enforce the iam.managed.disableServiceAccountKeyUpload constraint, with supporting details of the recommendation in the corresponding insights.

Insights for the iam.managed.disableServiceAccountKeyUpload constraint have the subtype ADD_POLICY_DISABLE_SERVICE_ACCOUNT_KEY_UPLOAD.

Protocol forwarding rules

Protocol forwarding uses a regional forwarding rule to deliver packets of a specific protocol to a single virtual machine (VM) instance. The forwarding rule can have an internal or an external IP address.

Using the compute.managed.restrictProtocolForwardingCreationForTypes organization policy constraint, you can restrict the type of protocol forwarding rule objects that a user can create.

If no external protocol forwarding rules are defined, Organization Policy recommender generates a recommendation to enforce the compute.managed.restrictProtocolForwardingCreationForTypes constraint, with supporting details of the recommendation in the corresponding insights.

Insights for the compute.managed.restrictProtocolForwardingCreationForTypes constraint have the subtype ADD_POLICY_RESTRICT_PROTOCOL_FORWARDING_CREATION_FOR_TYPES.

Priority and severity

Recommendation priority and insight severity help you understand the urgency of a recommendation or insight and prioritize accordingly.

Organization policy recommendation priority

A recommendation is assigned a priority level based on its perceived urgency. Priority levels range from P1 (highest priority) to P4 (lowest priority).

All organization policy recommendations have a priority of P1.

Organization policy insight severity

Insights are assigned severity levels based on their perceived urgency. Severity levels can be LOW, MEDIUM, HIGH, or CRITICAL.

All organization policy insights have a severity of HIGH.

How recommendations are applied

The Organization Policy recommender does not apply recommendations automatically. Instead, you must review your recommendations and decide whether to apply or dismiss them. To learn how to review, apply, and dismiss organization policy recommendations, see Review and apply organization policy recommendations.

Audit logging

When you apply or dismiss a recommendation, the Organization Policy recommender creates a log entry. You can view these entries in your Google Cloud audit logs.

Pricing

Organization policy recommendations for managed constraints are available at no charge.

For more information, see Billing questions.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.