Organization guidelines
The following guidelines for the minimum viable security platform align with the
organization security pillar.
Intermediate level guidelines
After you implement the basic guidelines, implement the following
organization guidelines.
Item: Restrict authorized principals

Description: Ensure that only identities from your organization are allowed in your Google Cloud environment. Use the domain restricted sharing constraint (constraints/iam.allowedPolicyMemberDomains) or the managed constraint constraints/iam.managed.allowedPolicyMembers to define one or more Cloud Identity or Google Workspace customer IDs whose principals can be added to Identity and Access Management (IAM) policies. Note that the value is a customer ID (for example, the ID shown in the Cloud Identity or Google Workspace admin console), not a DNS domain name.

These constraints help prevent employees from granting access to external accounts that are outside your organization's control and that don't follow your security policies for multifactor authentication (MFA) or password management. Because principals outside the allowed customer IDs can no longer be added to an allow policy, the constraints also block grants to allUsers and allAuthenticatedUsers. The constraint applies to new grants only: bindings that already exist when you set it stay in effect, so audit existing IAM policies for external principals separately. This control is critical for preventing unauthorized access, because it ensures that only trusted, managed corporate identities can be used.
Advanced level guidelines
After you implement the intermediate guidelines, implement the following
organization guidelines.
Item: Restrict resource locations

Description: The resource location restriction constraint (constraints/gcp.resourceLocations) ensures that only your approved Google Cloud locations are used to store data. The value is specific to your systems and matches your organization's approved list of regions for data residency.

This constraint lets your organization enforce that your resources and data are created and saved only in specific, approved geographic regions. It is evaluated when a resource is created: resources that already exist in a non-approved location are not moved or deleted, and only services that support the constraint are covered, so combine it with an inventory check of existing resources.

Item: Restrict service usage

Description: The constraints/gcp.restrictServiceUsage constraint ensures that only your approved Google Cloud services are used in the right places. For example, a production or highly sensitive folder has a short list of Google Cloud services that are approved to store data. A sandbox folder might have a longer list of services, together with data security controls that help prevent data exfiltration. The value is specific to your systems and matches your approved list of services and dependencies for specific folders and projects.

This constraint lets your organization create an allowlist of approved services, which helps prevent employees from using unvetted services. Because list constraints are inherited and merged down the resource hierarchy, a folder or project policy that keeps inheritFromParent enabled can add values to the allowlist it inherits; if a service must stay blocked everywhere below a folder, put it in the denied values at that folder, because denied values take precedence over allowed values in descendants.
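The following added example (written for this page, not Google's own code or tooling) renders the organization policy YAML for the three list constraints discussed above (iam.allowedPolicyMemberDomains, gcp.resourceLocations and gcp.restrictServiceUsage) and simulates how allowed and denied values merge from the organization down through a folder to a project. It shows the production folder narrowing the location list by replacing the inherited policy, the sandbox folder widening it by merging, and an organization-level deny that a child policy cannot override. All resource names, customer IDs, regions and service names are constructed placeholders; the evaluator treats values as literal strings and does not expand Google's "in:" value groups.

```python
# Added example for this page (not Google Cloud's code): render org-policy YAML
# for list constraints and simulate hierarchy evaluation. Every resource ID,
# customer ID, region and service name below is a constructed placeholder.
from dataclasses import dataclass


@dataclass
class ListPolicy:
    """One organization policy on one resource (toy model).

    Values are literal strings; 'in:' value groups are not expanded, and a
    policy in this model always carries at least one allowed or denied value.
    """
    constraint: str                        # e.g. "gcp.resourceLocations"
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()
    inherit_from_parent: bool = True       # False: discard the parent's values

    def to_yaml(self, resource: str) -> str:
        """Render the layout accepted by `gcloud org-policies set-policy`."""
        lines = [
            f"name: {resource}/policies/{self.constraint}",
            "spec:",
            f"  inheritFromParent: {str(self.inherit_from_parent).lower()}",
            "  rules:",
            "  - values:",
        ]
        for key, values in (("allowedValues", self.allowed),
                            ("deniedValues", self.denied)):
            if values:
                lines.append(f"      {key}:")
                lines.extend(f"      - {v}" for v in sorted(values))
        return "\n".join(lines) + "\n"


def effective_policy(chain):
    """Merge policies ordered organization -> folder -> project.

    Entries may be None (no policy at that level). A policy with
    inherit_from_parent=False replaces everything accumulated above it;
    otherwise its values are unioned with the inherited ones.
    Returns (allowed, denied, any_policy_applies).
    """
    allowed, denied, any_policy = set(), set(), False
    for policy in chain:
        if policy is None:
            continue
        if not policy.inherit_from_parent:
            allowed, denied = set(), set()
        allowed |= policy.allowed
        denied |= policy.denied
        any_policy = True
    return frozenset(allowed), frozenset(denied), any_policy


def is_permitted(value, chain):
    """Denied values win over allowed ones; with no policy at all a list
    constraint permits every value (the platform default)."""
    allowed, denied, any_policy = effective_policy(chain)
    if not any_policy:
        return True
    if value in denied:
        return False
    return value in allowed


# Constructed hierarchy: organization -> production folder / sandbox folder.
ORG = "organizations/123456789012"
PROD_FOLDER = "folders/111111111111"
SANDBOX_FOLDER = "folders/222222222222"

# Only the organization's own Cloud Identity customer ID (placeholder value).
ORG_DOMAINS = ListPolicy("iam.allowedPolicyMemberDomains",
                         allowed=frozenset({"C0abcdefg"}))

ORG_LOCATIONS = ListPolicy("gcp.resourceLocations",
                           allowed=frozenset({"us-central1", "us-east1"}))
# Production replaces the inherited list, so only one region remains.
PROD_LOCATIONS = ListPolicy("gcp.resourceLocations",
                            allowed=frozenset({"us-central1"}),
                            inherit_from_parent=False)
# Sandbox merges with its parent, which widens rather than narrows the list.
SANDBOX_LOCATIONS = ListPolicy("gcp.resourceLocations",
                               allowed=frozenset({"europe-west1"}))

# Services: the org denies one service outright; a child cannot re-allow it.
ORG_SERVICES = ListPolicy("gcp.restrictServiceUsage",
                          allowed=frozenset({"storage.googleapis.com",
                                             "compute.googleapis.com"}),
                          denied=frozenset({"bigquery.googleapis.com"}))
SANDBOX_SERVICES = ListPolicy("gcp.restrictServiceUsage",
                              allowed=frozenset({"bigquery.googleapis.com",
                                                 "run.googleapis.com"}))

if __name__ == "__main__":
    print(PROD_LOCATIONS.to_yaml(PROD_FOLDER))
    print("us-east1 in prod:", is_permitted("us-east1", [ORG_LOCATIONS, PROD_LOCATIONS]))
    print("us-east1 in sandbox:", is_permitted("us-east1", [ORG_LOCATIONS, SANDBOX_LOCATIONS]))
    print("bigquery in sandbox:", is_permitted("bigquery.googleapis.com",
                                               [ORG_SERVICES, SANDBOX_SERVICES]))
```

Write the rendered YAML to a file and apply it with `gcloud org-policies set-policy <file>`; the simulation is only there to make the inheritance behaviour visible before you change a live policy. The point to take from it is that an allowlist on a child resource can only narrow the inherited list if inheritFromParent is false, whereas a deny placed at the parent holds regardless of what descendants allow.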
Last updated 2026-03-04 UTC.