
Implementing GCP Organization Policy Constraints

Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.


Prerequisites

  • GCP Organization with Organization Administrator role
  • `gcloud` CLI configured and authenticated
  • Terraform or gcloud for policy management
  • Organization Policy Administrator IAM role (`roles/orgpolicy.policyAdmin`)


Overview

The GCP Organization Policy Service provides centralized, programmatic control over how resources in your hierarchy may be configured. An organization policy binds rules to a constraint, and each constraint restricts one specific behavior of a Google Cloud service: whether a VM may have an external IP, where resources may be created, whether service account keys may be minted. Policies are set at the organization, folder, or project level and are evaluated independently of IAM, so a principal who is permitted to create a resource is still refused when the effective policy denies that configuration. Changes can take up to 15 minutes to take effect, so allow for that delay when verifying a rollout.

Core Concepts

Constraint Types

  1. List Constraints: allow or deny a set of values for a setting (approved regions, specific instances permitted an external IP), or all values at once with allowAll / denyAll
  2. Boolean Constraints: enforce or do not enforce a single behavior (disable serial port access, require OS Login)
  3. Custom Constraints: user-defined CEL conditions over the fields of a specific resource type, evaluated on create and/or update and bound by an ordinary policy on constraints/custom.NAME; support is per service, so check the documentation for the resource type you want to govern

Policy Inheritance

The effective policy on a resource is evaluated from the organization down to the resource. A resource with no policy of its own inherits its parent's effective policy. When a policy is set on a folder or project, its fields decide how it combines with what is inherited: with inheritFromParent: true the resource's rules are merged with the inherited rules; with inheritFromParent: false (the default) the resource's rules replace them, which is how a folder can allow one bastion VM under an organization-wide deny; and reset: true discards the inherited policy and returns the resource to the constraint's default behavior. Boolean constraints are never merged; the nearest policy wins. If no policy exists anywhere in the ancestry, the constraint's default behavior applies.

Essential Security Constraints

Each policy below is a v2 Organization Policy document and is applied with the same command; only the file changes. The scope (organization, folder, or project) is carried in the name field of the file. The older gcloud resource-manager org-policies set-policy command and its listPolicy / booleanPolicy file format belong to the legacy v1 API and do not accept the files shown here, so do not mix the two.

# Apply a policy file; the parent is taken from the name field in the file
gcloud org-policies set-policy policy.yaml

Restrict VM External IP Addresses

policy.yaml:

name: organizations/ORGANIZATION_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
  - denyAll: true

Restrict Resource Locations

location-policy.yaml:

name: organizations/ORGANIZATION_ID/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:us-locations
      - in:eu-locations

Disable Automatic IAM Grants to Default Service Accounts

This constraint does not stop default service accounts from being created; it stops the project-wide Editor role from being granted to them automatically when a project enables the Compute Engine or App Engine API.

name: organizations/ORGANIZATION_ID/policies/iam.automaticIamGrantsForDefaultServiceAccounts
spec:
  rules:
  - enforce: true

Require OS Login for SSH

name: organizations/ORGANIZATION_ID/policies/compute.requireOsLogin
spec:
  rules:
  - enforce: true

Disable Serial Port Access

name: organizations/ORGANIZATION_ID/policies/compute.disableSerialPortAccess
spec:
  rules:
  - enforce: true

Enforce Uniform Bucket-Level Access

name: organizations/ORGANIZATION_ID/policies/storage.uniformBucketLevelAccess
spec:
  rules:
  - enforce: true

Restrict Public IP on Cloud SQL

name: organizations/ORGANIZATION_ID/policies/sql.restrictPublicIp
spec:
  rules:
  - enforce: true

Disable Service Account Key Creation

Blocking creation of user-managed keys pushes workloads toward attached service accounts and Workload Identity. Pair it with iam.disableServiceAccountKeyUpload, or externally generated keys can still be uploaded.

name: organizations/ORGANIZATION_ID/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true

Terraform Implementation

# Legacy google_organization_policy / google_folder_organization_policy resources,
# which use the v1 list_policy / boolean_policy shape (the newer
# google_org_policy_policy resource uses the v2 spec/rules shape instead).
# The organization ID is supplied as a variable; google_folder.dev is assumed
# to be defined elsewhere in the configuration.
variable "org_id" {
  description = "Numeric organization ID"
  type        = string
}

resource "google_organization_policy" "restrict_vm_external_ip" {
  org_id     = var.org_id
  constraint = "constraints/compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}

resource "google_organization_policy" "restrict_locations" {
  org_id     = var.org_id
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    allow {
      values = ["in:us-locations", "in:eu-locations"]
    }
  }
}

resource "google_organization_policy" "require_os_login" {
  org_id     = var.org_id
  constraint = "constraints/compute.requireOsLogin"

  boolean_policy {
    enforced = true
  }
}

# Folder-level exception. inherit_from_parent defaults to false, so this policy
# replaces the organization's deny-all for the dev folder: only the named
# bastion instance may carry an external IP there.
resource "google_folder_organization_policy" "dev_folder_external_ip" {
  folder     = google_folder.dev.name
  constraint = "constraints/compute.vmExternalIpAccess"

  list_policy {
    allow {
      values = ["projects/dev-project/zones/us-central1-a/instances/bastion-host"]
    }
  }
}

Dry-Run Testing

Before enforcing a new constraint, run it in dry-run mode: the rules go under dryRunSpec instead of spec, so requests that would be denied are recorded in Policy Denied audit logs (log name cloudaudit.googleapis.com/policy) but still succeed. Leave the dry-run policy in place for at least one normal deployment cycle, review the logged violations, then move the same rules under spec to enforce.

# Apply a dry-run policy to monitor impact
gcloud org-policies set-policy dry-run-policy.yaml

dry-run-policy.yaml:

name: organizations/ORGANIZATION_ID/policies/compute.vmExternalIpAccess
dryRunSpec:
  rules:
  - denyAll: true

# Confirm the dry-run spec is in place
gcloud org-policies describe constraints/compute.vmExternalIpAccess \
  --organization=ORGANIZATION_ID

# Look for would-be denials in the Policy Denied audit logs of an affected project
gcloud logging read \
  'logName:"cloudaudit.googleapis.com%2Fpolicy" AND "compute.vmExternalIpAccess"' \
  --project=PROJECT_ID --limit=20

Custom Constraints

A custom constraint is a CEL condition over the fields of one resource type, evaluated on the listed method types. Registering the definition enforces nothing by itself; you must then set a policy on the generated constraint name (constraints/custom.NAME) exactly as for a built-in constraint.

custom-constraint.yaml:

name: organizations/ORGANIZATION_ID/customConstraints/custom.disableGKEAutoUpgrade
resourceTypes:
  - container.googleapis.com/NodePool
methodTypes:
  - CREATE
  - UPDATE
condition: "resource.management.autoUpgrade == true"
actionType: DENY
displayName: Deny GKE auto-upgrade on node pools
description: Prevents enabling auto-upgrade on GKE node pools for controlled upgrades

# 1. Register the constraint definition
gcloud org-policies set-custom-constraint custom-constraint.yaml

# 2. Enforce it with an ordinary policy
gcloud org-policies set-policy custom-policy.yaml

custom-policy.yaml:

name: organizations/ORGANIZATION_ID/policies/custom.disableGKEAutoUpgrade
spec:
  rules:
  - enforce: true

Note that this particular constraint trades patch currency for change control: node pools that cannot auto-upgrade need a separate process that keeps them patched.

Monitoring and Compliance

List policies set directly on the organization (add --show-unset to include constraints that have no policy)

gcloud org-policies list --organization=ORGANIZATION_ID

Describe a specific policy, then the effective (inherited) policy as seen from a descendant project

gcloud org-policies describe constraints/compute.vmExternalIpAccess \
  --organization=ORGANIZATION_ID

gcloud org-policies describe constraints/compute.vmExternalIpAccess \
  --project=PROJECT_ID --effective

Find the resources governed by a constraint with the Cloud Asset Inventory organization policy analyzer

gcloud asset analyze-org-policy-governed-assets \
  --scope=organizations/ORGANIZATION_ID \
  --constraint=constraints/compute.vmExternalIpAccess

Recommended Baseline Policies

Constraint                             Type          Scope  Purpose
compute.vmExternalIpAccess             List / Deny   Org    Prevent public VM IPs
gcp.resourceLocations                  List / Allow  Org    Restrict to approved regions
iam.disableServiceAccountKeyCreation   Boolean       Org    Force Workload Identity
compute.requireOsLogin                 Boolean       Org    Mandate OS Login for SSH
storage.uniformBucketLevelAccess       Boolean       Org    Enforce uniform bucket access
sql.restrictPublicIp                   Boolean       Org    No public Cloud SQL
compute.disableSerialPortAccess        Boolean       Org    Disable serial port
compute.disableNestedVirtualization    Boolean       Org    No nested VMs
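The following script is an added example written for this page, not Google tooling or code from the original. It ties the Essential Security Constraints, Dry-Run Testing and Monitoring sections to the baseline table: it renders each baseline constraint as a v2 policy document (under spec, or under dryRunSpec for a soak period), renders a folder-level exception of the kind the Terraform section shows, and audits a captured policy dump against the baseline, reporting which constraints are enforced, dry-run only, weakened, or absent. Assumptions, also marked in the code: the policy JSON shape follows the orgpolicy v2 Policy resource (name plus spec.rules or dryRunSpec.rules), which is what gcloud org-policies list --format=json emits; gcloud accepts the written JSON files because JSON is valid YAML; and SAMPLE_DUMP is constructed by hand to exercise every audit outcome.

```python
"""Render v2 Organization Policy files for a security baseline and audit a
captured `gcloud org-policies list --organization=ORG_ID --format=json` dump.

Added example for this page, not Google's own tooling. Assumes the v2 Policy
resource shape (name, spec.rules / dryRunSpec.rules); SAMPLE_DUMP below is
constructed by hand.
"""
import json
from pathlib import Path

# Baseline from the table above: constraint -> the single rule expected (v2 form).
BASELINE = {
    "compute.vmExternalIpAccess": {"denyAll": True},
    "gcp.resourceLocations": {"values": {"allowedValues": ["in:us-locations", "in:eu-locations"]}},
    "iam.disableServiceAccountKeyCreation": {"enforce": True},
    "compute.requireOsLogin": {"enforce": True},
    "storage.uniformBucketLevelAccess": {"enforce": True},
    "sql.restrictPublicIp": {"enforce": True},
    "compute.disableSerialPortAccess": {"enforce": True},
    "compute.disableNestedVirtualization": {"enforce": True},
}


def render_policy(parent, constraint, rule, dry_run=False):
    """Build one v2 policy for `parent` ('organizations/ID', 'folders/ID' or
    'projects/ID'). With dry_run=True the rule is placed under dryRunSpec, so
    violations are only logged (Policy Denied audit logs) instead of blocked."""
    section = "dryRunSpec" if dry_run else "spec"
    return {"name": f"{parent}/policies/{constraint}", section: {"rules": [rule]}}


def render_exception(parent, constraint, allowed_values):
    """Child-level override: inheritFromParent=false makes these rules replace
    the parent's deny-all, so only the listed values (e.g. one bastion VM) pass."""
    return {
        "name": f"{parent}/policies/{constraint}",
        "spec": {"inheritFromParent": False,
                 "rules": [{"values": {"allowedValues": list(allowed_values)}}]},
    }


def write_baseline(org_id, out_dir, dry_run=False):
    """Write one file per constraint (JSON is valid YAML, so gcloud reads it)
    and return the paths, ready for `gcloud org-policies set-policy FILE`."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for constraint, rule in BASELINE.items():
        policy = render_policy(f"organizations/{org_id}", constraint, rule, dry_run)
        path = out / f"{constraint}.json"
        path.write_text(json.dumps(policy, indent=2) + "\n")
        paths.append(path)
    return paths


def audit(policies):
    """Compare a list of v2 policies against BASELINE. Returns constraint ->
    OK, DRY_RUN_ONLY (rule present but not enforced), MISCONFIGURED (policy set
    with a different rule) or MISSING (no policy at this level). `list` only
    shows policies set at this level; use `describe --effective` on a project
    to see what a descendant actually inherits."""
    by_constraint = {p["name"].rsplit("/policies/", 1)[1]: p for p in policies}
    report = {}
    for constraint, expected in BASELINE.items():
        policy = by_constraint.get(constraint)
        if policy is None:
            report[constraint] = "MISSING"
        elif expected in policy.get("spec", {}).get("rules", []):
            report[constraint] = "OK"
        elif expected in policy.get("dryRunSpec", {}).get("rules", []):
            report[constraint] = "DRY_RUN_ONLY"
        else:
            report[constraint] = "MISCONFIGURED"
    return report


# Constructed dump: one enforced, one dry-run only, one weakened, the rest unset.
SAMPLE_DUMP = json.loads("""[
  {"name": "organizations/123456789012/policies/compute.vmExternalIpAccess",
   "spec": {"etag": "BwXgH1a", "rules": [{"denyAll": true}]}},
  {"name": "organizations/123456789012/policies/compute.requireOsLogin",
   "dryRunSpec": {"etag": "BwXgH1b", "rules": [{"enforce": true}]}},
  {"name": "organizations/123456789012/policies/sql.restrictPublicIp",
   "spec": {"etag": "BwXgH1c", "rules": [{"enforce": false}]}}
]""")

if __name__ == "__main__":
    for constraint, status in sorted(audit(SAMPLE_DUMP).items()):
        print(f"{status:14} {constraint}")
    # Start with a dry run; rerun with dry_run=False once the logs look clean.
    for path in write_baseline("123456789012", "policies", dry_run=True):
        print(f"gcloud org-policies set-policy {path}")
```

In practice, feed audit() the parsed output of gcloud org-policies list --organization=ORGANIZATION_ID --format=json on a schedule; a MISSING or MISCONFIGURED result is policy drift, and a lingering DRY_RUN_ONLY means a soak period was never promoted to enforcement.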

Verification Criteria

Confirm the guardrails are in place, and that they actually bite, by validating:

  • [ ] gcloud org-policies list --organization=ORGANIZATION_ID shows a policy for every baseline constraint
  • [ ] gcloud org-policies describe CONSTRAINT --project=PROJECT_ID --effective returns the expected rules in a representative project, not only at the organization
  • [ ] A negative test fails as intended, for example creating a VM with an external IP or a service account key is rejected with an organization policy error
  • [ ] Every dry-run policy has been reviewed against its logged violations and either promoted to spec or deliberately dropped
  • [ ] Folder and project exceptions are documented with an owner and a reason
  • [ ] Policy and custom constraint definitions are kept in version control and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Monitoring)
  • ISO 27001: A.8.1 (Asset Management), A.13.1 (Network Security), A.14.1 (System Acquisition)
  • NIST 800-53: AC-3 (Access Enforcement), SC-7 (Boundary Protection), CM-7 (Least Functionality)
  • NIST CSF: PR.AC (Access Control), PR.DS (Data Security), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add implementing-gcp-organization-policy-constraints

# Or load dynamically via MCP
grc.load_skill("implementing-gcp-organization-policy-constraints")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

References

  • GCP Organization Policy Constraints: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  • GCP Policy Intelligence: https://cloud.google.com/policy-intelligence
  • CIS GCP Foundations Benchmark


Tags

gcp, organization-policy, constraints, governance, compliance, cloud-security, resource-manager
