Resource Manager controls for generative AI use cases

This document includes the best practices and guidelines for Resource Manager when running generative AI workloads on Google Cloud. Use Resource Manager with Vertex AI to help group and manage logical components of your Vertex AI workloads.

Consider the following use cases for Resource Manager with Vertex AI:

  • To help ensure resource and data isolation and fine-grained access controls, create separate projects for different teams or departments.
  • Apply protective security policies to AI workloads.
  • Define quotas for GPU usage in training jobs to prevent cost overruns.
  • Automate the creation of required Cloud Storage buckets and Compute Engine instances for new projects.
  • Track and analyze resource usage patterns for specific projects to optimize resource allocation.
  • Generate audit reports to demonstrate compliance with data governance and security policies.

Required Resource Manager controls

The following controls are strongly recommended when using Resource Manager.

Restrict resource service usage

Google control ID RM-CO-4.1
Category Required
Description

The gcp.restrictServiceUsage constraint ensures that only your approved Google Cloud services are used in the right places. For example, a production or highly sensitive folder has a small list of Google Cloud services that are approved to store data. A sandbox folder might have a larger list of services and accompanying data security controls to help prevent data exfiltration. The value is specific to your systems and matches your approved list of services and dependencies for specific folders and projects.

This constraint lets your organization create an allowlist of approved services, which helps prevent employees from using unvetted services.
Applicable products
  • Organization Policy Service
  • Resource Manager
Path constraints/gcp.restrictServiceUsage
Operator Is
Related NIST-800-53 controls
  • AC-3
  • AC-17
  • AC-20
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1
Related information

Restrict resource locations

Google control ID RM-CO-4.2
Category Required
Description

The Resource Location Restriction (gcp.resourceLocations) constraint ensures that only your approved Google Cloud regions are used to store data. The value is specific to your systems and matches your organization's approved list of regions for data residency.

This constraint lets your organization enforce that your resources and data are only created and saved in specific, approved geographic regions.
Applicable products
  • Organization Policy Service
  • Resource Manager
Path constraints/gcp.resourceLocations
Operator Is
Related NIST-800-53 controls
  • AC-3
  • AC-17
  • AC-20
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1
Related information

What's next