Google Cloud : Smart GCP Organization Policies with Tags

Ludovic Emo
Oct 31, 2022

Smart GCP Organization Policies with Tags for GCP Architects & Security Officers

All GCP Architects use Google Cloud Platform Organization Policies to secure the platform; however, they might have missed one important feature that makes them even smarter!

We all know that, even if they are not supposed to, some project teams might forget to follow a company policy: "My VM has an external IP, so what?"

That's where Organization Policies act as a shield for Security Officers.

Google Cloud Platform Organization Policies

There are more than 80 Organization Policies that Security Officers can use to enforce security for GCP features at the organization, folder, and project levels.

For example:

  • For compliance reasons, you might need to make sure that your resources are created in specific locations (US, Europe, …): the Resource Location Restriction policy is for you!
  • Release only the validated services / APIs to the project teams with the Restrict Resource Service Usage policy.

What if you have set these policies, but some project teams require a different behavior for a good reason?

In the past!

It was already possible to change the behavior for a specific context such as a folder or a project.
How? By redeploying the policy at that level and changing the inheritance with a new value / list.
This works; however, it means you could lose track of the changes across the folder tree.

Back to the future!

Tags might be a better solution to manage the exceptions!
With tags, you deploy the Organization Policy once at a high level and set up conditions directly inside it, based on tags.
This way you have, directly at the high level, a full view of the organization policy behaviors.
You can then easily set tags on the folders and projects that need a specific behavior, without redeploying the policy.

Let's take an example!
For security reasons, you want to make sure that new IAM entries come from your my_company.cloud domain only; this can be achieved with the Domain Restricted Sharing Organization Policy. However, you need to allow a partner domain, my_partner.cloud, for a specific folder.

Steps

Permissions

The following roles grant the permissions needed to run the steps: Organization Policy Administrator, Tag Administrator, Tag User.

Create a tag & value

  1. Open the Tags page in the Google Cloud console.
  2. Select the Project picker at the top of the page.
  3. From the Organization picker, select your organization.
  4. Click Create.
  5. In the Tag key box, enter allow-partner.
  6. In the Tag description box, enter a description.
  7. Click Add value.
  8. In the Tag Value 1 box, enter partner1.
  9. In the Tag value box, enter the display name of your tag value. This becomes part of the namespaced name of your tag.
  10. Click Create Tag Key.

Create the Organization Policy with rules & conditions

  1. Open the Organization Policies page
  2. Select the Project picker at the top of the page.
  3. From the Organization picker, select your organization.
  4. Use the filter to open the Domain Restricted Sharing policy
  5. Click Edit
  6. Click Customize
  7. Click Replace
  8. Click Add Rule
  9. Select Custom
  10. In the Policy Type list, select Allow
  11. In the Custom Values section, enter the Customer Id of your domain
    Tip: To get your customer id, use the gcloud organizations list command.
  12. Click Add Condition
  13. In the Title box, enter Default
  14. Click on Condition Editor
  15. Enter the expression: !resource.matchTag("xyz/allow-partner", "partner1") and replace xyz with your organization id
    Important: do not forget the "!" character, which means that the tag must be absent to get the default behavior.
  16. Click on Save
  17. Click on Done
  18. Click on Add Another Rule
  19. Select Custom
  20. In the Policy Type list, select Allow
  21. In the Custom Values section:
    22. Add the Customer Id of your domain
    23. Add the Customer Id of your partner domain
  24. Click Add Condition
  25. In the Title box, enter Allow Partner 1
  26. Click on Condition Editor
  27. Enter the expression: resource.matchTag("xyz/allow-partner", "partner1") and replace xyz with your organization id
  28. Click on Save
  29. Click on Done
  30. Click on Save

Attach the tag to the folder

  1. Open the Resource Manager page
  2. Select the Folder 2 folder
  3. Click on Tags
  4. Click on Add Tag
  5. Select the allow-partner tag and value

Confirm the configuration

  1. Go back to the Organization Policies page
  2. Select the Project picker at the top of the page.
  3. From the Organization picker, select your organization.
  4. Use the filter to open the Domain Restricted Sharing policy
  5. Confirm that only your customer id is listed in the Effective policy section
  6. Select the Project picker at the top of the page and select the Folder 2 folder
  7. Confirm that both customer ids are listed in the Effective policy section
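As an added worked example (not code from the original post), here is the same two-rule Domain Restricted Sharing policy expressed in the spec shape that gcloud org-policies set-policy accepts, together with a small model of how the tag conditions select the effective allowed values at the org root versus the tagged Folder 2 and a project underneath it. The organization id, customer ids and resource names are constructed placeholders, and the matchTag() evaluator only understands the two expression forms used in the steps above.

```python
import re

ORG_ID = "123456789012"          # placeholder organization id ("xyz" in the post)
COMPANY_ID = "C0company"         # placeholder customer id of my_company.cloud
PARTNER_ID = "C0partner"         # placeholder customer id of my_partner.cloud
TAG = f"{ORG_ID}/allow-partner"  # namespaced tag key used by both conditions
# Same spec shape that `gcloud org-policies set-policy` accepts as YAML or JSON.
POLICY = {
    "name": f"organizations/{ORG_ID}/policies/iam.allowedPolicyMemberDomains",
    "spec": {"rules": [
        {"condition": {"title": "Default",
                       "expression": f"!resource.matchTag('{TAG}', 'partner1')"},
         "values": {"allowedValues": [COMPANY_ID]}},
        {"condition": {"title": "Allow Partner 1",
                       "expression": f"resource.matchTag('{TAG}', 'partner1')"},
         "values": {"allowedValues": [COMPANY_ID, PARTNER_ID]}},
    ]},
}
_MATCH_TAG = re.compile(r"^(!?)resource\.matchTag\('([^']+)',\s*'([^']+)'\)$")

def condition_holds(expression, tags):
    """Evaluate the one CEL form modelled here, [!]resource.matchTag(key, value),
    against the (namespaced key, value) pairs bound to or inherited by a resource."""
    m = _MATCH_TAG.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported condition: {expression}")
    negated, key, value = m.group(1) == "!", m.group(2), m.group(3)
    return ((key, value) in tags) != negated

def effective_allowed_values(policy, tags):
    """Union of allowedValues over rules whose condition holds (simplified model)."""
    allowed = []
    for rule in policy["spec"]["rules"]:
        cond = rule.get("condition")
        if cond is None or condition_holds(cond["expression"], tags):
            for v in rule["values"]["allowedValues"]:
                if v not in allowed:
                    allowed.append(v)
    return allowed

# Constructed hierarchy: no tag at the root; Folder 2 carries the binding and a project under it inherits it.
RESOURCE_TAGS = {
    "organizations/root": set(),
    "folders/folder-2": {(TAG, "partner1")},
    "projects/team-a-in-folder-2": {(TAG, "partner1")},
}

if __name__ == "__main__":
    for res, tags in RESOURCE_TAGS.items():
        print(res, "->", effective_allowed_values(POLICY, tags))
```

Because tag bindings are inherited down the resource tree, the project under Folder 2 gets the partner exception without any extra binding, while a folder tagged with a different value (say partner2) keeps the default rule only.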
