Organization Policy Service release notes

The list of Organization Policy Service constraints that are enforced when an organization resource is created has changed. The following Google Cloud security baseline constraints are enforced for all organizations created on or after May 3, 2024:

• constraints/iam.managed.disableServiceAccountKeyCreation
• constraints/iam.managed.disableServiceAccountKeyUpload
• constraints/iam.automaticIamGrantsForDefaultServiceAccounts
• constraints/iam.allowedPolicyMemberDomains
• constraints/essentialcontacts.managed.allowedContactDomains
• constraints/compute.managed.restrictProtocolForwardingCreationForTypes
• constraints/storage.uniformBucketLevelAccess

For more information, see Google Cloud security baseline constraints.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some BigQuery resources. For more information, see Manage BigQuery resources using custom constraints. This feature is generally available (GA).

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Datastream resources. For more information, see Manage Application Integration resources using custom constraints. This feature is generally available (GA).

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Application Integration resources. For more information, see Manage Application Integration resources using custom constraints. This feature is available in Preview.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataform resources. For more information, see Create custom organization policy constraints. This feature is generally available (GA).

Select Workload Identity Federation resources let you use custom constraints to define your own restrictions on Google Cloud services. To learn which Workload Identity Federation resources support custom constraints and to view sample use cases, see Use custom organization policies for Workload Identity Federation.

This feature is available in General Availability.

Select Cloud Load Balancing resources let you use custom constraints to define your own restrictions on Google Cloud services. To learn which load balancing resources support custom constraints and to view sample use cases, see Manage Cloud Load Balancing resources using custom constraints.

This feature is available in General Availability.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Live Stream API resources. For more information, see Use custom custom constraints.

Preview: Eight new organization policy constraints are available to help you enforce security best practices for Compute Engine virtual machine (VM) instances.

These managed constraints simplify governance for common security scenarios and integrate with safe rollout tools like dry-run and simulation, letting you test their impact before enforcement.

The new constraints are as follows:

• compute.managed.disableNestedVirtualization
• compute.managed.disableSerialPortAccess
• compute.managed.disableSerialPortLogging
• compute.managed.disallowGlobalDns
• compute.managed.requireOsConfig
• compute.managed.requireOsLogin
• compute.managed.vmCanIpForward
• compute.managed.vmExternalIpAccess

These constraints can evaluate metadata values at the VM instance, project, or zonal level. For more information about these managed constraints, see Managed Constraints in the Resource Manager documentation.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Deploy resources. For more information, see Use custom organization policies.

Certain Organization Policy managed constraints that were released on August 21, 2025 were not functioning as intended. The Organization Policy Service evaluated these constraints as if the effectiveInstanceMetadata field of the resources that they were enforced on was empty, causing them to always evaluate to either allow or deny access to the resource.

The following managed constraints were evaluated to always allow creation of resources where they were enforced:

• constraints/compute.managed.disableGuestAttributesAccess
• constraints/compute.managed.disableSerialPortAccess
• constraints/compute.managed.disableSerialPortLogging

The following managed constraints were evaluated to always block creation of resources where they were enforced:

• constraints/compute.managed.disallowGlobalDns
• constraints/compute.managed.requireOsConfig
• constraints/compute.managed.requireOsLogin

This issue has been corrected, and these constraints now properly evaluate the effectiveInstanceMetadata field to determine whether resource creation should be allowed or blocked.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Backup for GKE resources. For more information, see Manage Backup for GKE resources using custom constraints. This feature is generally available.

You can now use organization policy conditions to match a tag key. This lets you enable or disable enforcement against all resources with that tag key, regardless of what tag value is attached. For more information, see Setting an organization policy with tags.

Organization policies in dry-run mode are reporting inconsistent results for the following managed constraints:

• constraints/compute.managed.restrictProtocolForwardingCreationForTypes
• constraints/iam.managed.allowedPolicyMembers
• constraints/essentialcontacts.managed.allowedContactDomains
• constraints/compute.managed.blockPreviewFeatures

If a resource inherited an organization policy in dry-run mode that uses any of these managed constraints, that dry-run policy was evaluated without using the parameters specified in the live policy. Normally, an organization policy in dry-run mode that's inherited on a resource is overridden by the live organization policy set directly on that same resource. Not evaluating the live organization policy parameters in the inherited organization policy in dry-run mode led to inconsistent results.

Our engineering team is working to resolve this issue.

Custom organization policies are now generally available for the Video Stitcher API. For more information, see Create custom constraints for the Video Stitcher API.

Custom organization policies are now generally available for Service Management. For more information, see Manage Service Management resources with custom constraints.

Custom organization policies are now generally available for Cloud Healthcare API. For more information, see Use custom organization policies.

Custom organization policies are now generally available for Essential Contacts. For more information, see Creating custom constraints for Essential Contacts.

Custom organization policies are now generally available for Cloud Logging. For more information, see Use custom organization policies.

Custom organization policies are now generally available for security posture resources. For more information, see Add a custom organization policy.

Custom organization policies are now generally available for Cloud DNS. For more information, see Create custom organization policy constraints.

Custom organization policies are now generally available for Identity-Aware Proxy. For more information, see Use custom organization policies.

Custom organization policies are now generally available for Spanner. For more information, see Add a custom organization policy.

Custom organization policies are now generally available for Dataproc Serverless. For more information, see Use custom constraints.

Custom organization policies are now generally available for Developer Connect. For more information, see Create custom organization policies.

You can now create custom organization policies for Workflows. For more information, see Create custom organization policy constraints for Workflows.

You can now create custom organization policies for Cloud Monitoring alerting policies, notification channels, and snoozes. For more information, see Use custom organization policies.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Data Fusion resources. For more information, see Create custom organization policy constraints.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some reCAPTCHA resources. For more information, see Use custom organization policies for reCAPTCHA keys and firewall policies.

The Organization Policy recommender generates insights and organization policy recommendations to restrict the creation and upload of service account keys. This feature is available in Preview.

You can use the iam.managed.allowedPolicyMembers managed organization policy constraint to implement domain restricted sharing. For more information, see Domain restricted sharing.

You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Secure Source Manager resources. For more information, see Manage resources with custom constraints.

You can use Organization Policy Service custom constraints to manage specific operations on Bigtable resources. For more information, see Use custom organization policies. This feature is generally available (GA).

Cloud Load Balancing resources now let you use custom constraints to define your own restrictions on Google Cloud services. To learn about which load balancing resources support custom constraints, and some sample use cases, see Manage Cloud Load Balancing resources using custom constraints.

This feature is available in General Availability.

Using IAM attributes in custom organization policies is generally available. For more information, see Use custom organization policies.

You can use the iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts managed organization policy constraint to prevent default service accounts from being granted the Editor (roles/editor) or Owner (roles/owner) roles. For more information, see Prevent the Owner and Editor role from being granted to default service accounts.

You can now manage Firestore resources using Organization Policy Service custom constraints.

Starting on June 16, 2024, if you don't set a value for the iam.serviceAccountKeyExposure organization policy constraint, Google Cloud will default to the behavior described for DISABLE_KEY.

The resource usage restriction Organization Policy constraint has launched into general availability.

You can now use the Cloud Console UI to manage your organization policies with tags. For more information, see Setting an organization policy with tags.