CoursesGCP securityWorkload identity & IR

Org policy & landing zones

Preventive constraints and secure-by-default projects.

Advanced30 min · lesson 14 of 15

Everything in this course is more durable as a default than as a thing each team remembers to do. Organization policy plus an automated landing zone apply the non-negotiables to every new project, so it arrives already fenced rather than after a hardening sprint.

Preventive constraints beat detective findings

A Security Command Center finding tells you a bucket went public after the fact; an organization policy constraint stops it from ever being made public. For the non-negotiables — no service-account keys, no external IPs on VMs, no public IPs on Cloud SQL, domain-restricted sharing, required OS Login — encode them as org policy constraints inherited down the hierarchy, where even a project Owner cannot cross them. Prevention closes the window that detection can only report on.

a baseline of preventive constraints
# Applied at the org (or a folder), inherited by every project below.
gcloud resource-manager org-policies enable-enforce constraints/iam.disableServiceAccountKeyCreation --organization=ORG_ID
gcloud resource-manager org-policies enable-enforce constraints/compute.vmExternalIpAccess --organization=ORG_ID
gcloud resource-manager org-policies enable-enforce constraints/sql.restrictPublicIp --organization=ORG_ID
gcloud resource-manager org-policies set-policy domain-restricted-sharing.yaml # allowedPolicyMemberDomains

Secure-by-default projects

A project factory — Terraform modules, the Project Factory, or Cloud Foundation Toolkit — provisions each new project with the baseline already in place: the aggregated log sink wired to the logging project, org-policy constraints inherited, VPC attachment via Shared VPC, SCC enabled, and least-privilege service accounts instead of the over-privileged defaults. Teams request a project and receive a secure one, with no window in which it sits unprotected and no checklist to forget. For sovereignty regimes, Assured Workloads pins region, personnel, and key requirements automatically.

Project vending applies the baseline
1project request
a team needs a project
2project factory (Terraform/CFT)
automated vending
3baseline applied
log sink, org policies, Shared VPC, SCC
4secure on day zero
no unprotected window
Guardrails as code make the secure path the default path — the strongest security is the one nobody has to remember.
Manual project setup always drifts
Hand-configuring each new project guarantees inconsistency and a window where the project exists without its guardrails. Automate the baseline through a project factory so every project — including the one spun up in a hurry — arrives fully fenced with logging, policies, and least-privilege identity.