Introduction to Organization Security Policies
In a large-scale enterprise environment, managing security project by project is not just inefficient—it's dangerous. For the Associate Cloud Engineer (ACE), the ability to implement Organization Security Policies (also known as Org Policies) is what separates a junior admin from a cloud professional. Organization Security Policies provide a centralized and programmatic way to enforce "guardrails" across your entire Google Cloud resource hierarchy.
While IAM focuses on "Who" can do "What," Organization Security Policies focus on "What" can be done on "Which" resources, regardless of who is trying to do it. Combined with Cloud Audit Logs, which record every action taken within your environment, these tools form the bedrock of governance and compliance in Google Cloud. In this guide, we will dive deep into how Organization Security Policies work, the different types of audit logs available, and how to use them to maintain a secure posture.
Plain English Explanation
To simplify the concepts of Organization Security Policies and audit logging, let's use three distinct analogies.
1. The Traffic Law System (Traffic Lights Analogy)
Think of Organization Security Policies as the national traffic laws.
- The law says "No driving over 100 km/h" or "No turning left at this intersection."
- It doesn't matter if you are a professional driver or a student; the law applies to everyone.
- Cloud Audit Logs are the traffic cameras and speed sensors. They don't stop you from speeding, but they record exactly when you did it, providing evidence for later review.
2. The Shared Workbench (Workbench Analogy)
Imagine a massive workshop where many teams share the same Workbench.
- The workshop owner sets Organization Security Policies like "No power tools after 10 PM" or "All dangerous chemicals must be stored in the red cabinet."
- These rules prevent any single team from accidentally burning down the building.
- Even if a team leader (Project Owner) wants to ignore the rules, the building's safety system (Org Policy) physically prevents the power tools from turning on.
3. The Postal System Registry (Postal System Analogy)
Consider the Cloud Audit Logs as the Postal System's certified mail registry.
- Every time a package (data) is sent or a mailbox (resource) is opened, a clerk writes it down in a logbook.
- Organization Security Policies are the postal regulations, such as "No shipping of hazardous materials" or "Packages to certain countries must be inspected."
- The logbook allows the postmaster to look back and see exactly who sent what and when, ensuring that all regulations were followed.
Enforcing Guardrails with Organization Policy Constraints
The core of Organization Security Policies is the "Constraint." A constraint is a blueprint for a security rule.
Types of Constraints
- List Constraints: These allow or deny specific values from a list. For example, constraints/compute.allowedExternalIpTypes can restrict your VMs to only use static IP addresses, banning ephemeral ones.
- Boolean Constraints: These are simple ON/OFF switches. For example, constraints/compute.disableSerialPortAccess completely shuts down serial port access for all VMs in a project or folder.
An Organization Policy Constraint is a specific restriction that can be applied to a resource container (Organization, Folder, or Project) to control the configuration of Google Cloud resources.
Why Org Policies Trump IAM
A common mistake on the ACE exam is thinking IAM is enough. However, Organization Security Policies take precedence. If an Org Policy forbids the creation of external IPs, even a Project Owner with full administrative rights will be blocked from creating a VM with a public IP.
For ACE data-residency and hardening scenarios, lean on specific Resource Manager constraints: use the boolean constraints/compute.disableSerialPortAccess to lock down VM serial-port access, the list constraints/compute.allowedExternalIpTypes to limit external IPs, and constraints/gcp.resourceLocations to keep resources inside approved regions. These constraints are evaluated before IAM, so they apply even to Project Owners.
Inheritance and Overriding in Organization Security Policies
Organization Security Policies follow the Google Cloud resource hierarchy (Organization > Folders > Projects).
Policy Inheritance
By default, a policy set at the Organization level flows down to every folder and project beneath it. This ensures a consistent security baseline for the entire company.
Overriding and Merging
In some cases, a specific project might need an exception.
- Override: A project-level policy can completely replace the inherited one (if the parent policy allows it).
- Merge: For list constraints, you can choose to merge the child's allowed list with the parent's, creating a union of allowed values.
When troubleshooting access issues, always check the inherited Organization Security Policies. A 'Permission Denied' error might not be an IAM issue, but a constraint enforced at the folder or organization level.
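The inheritance, override and merge rules above, as an added example (not Google's evaluation code): a simplified Python model of how a list constraint such as constraints/gcp.resourceLocations resolves down the hierarchy Organization > Folder > Project, and which level to inspect when a value is denied. Policy values are constructed, value groups such as in:eu-locations are treated as literal strings, and "no policy anywhere" is assumed to fall back to the constraint default.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ListPolicy:
    allowed_values: frozenset
    inherit_from_parent: bool = False  # True = merge with parent (union),
                                       # False = override (replace parent)

def effective_allowed(chain):
    """chain: (level_name, policy-or-None) tuples from org down to project.
    None means no policy is set at that level, so the parent's result is
    inherited unchanged. Returns (allowed set or None, level that shaped it)."""
    effective: Optional[frozenset] = None
    shaped_at = None
    for level, policy in chain:
        if policy is None:
            continue
        if policy.inherit_from_parent and effective is not None:
            effective = effective | policy.allowed_values   # merge (union)
        else:
            effective = frozenset(policy.allowed_values)    # override
        shaped_at = level
    return effective, shaped_at

def check(value, chain):
    """Explain whether `value` would pass the effective policy; the reason
    names the level to inspect when troubleshooting a 'Permission Denied'."""
    allowed, level = effective_allowed(chain)
    if allowed is None:
        return True, "no policy set anywhere: constraint default applies (assumed allow)"
    if value in allowed:
        return True, f"allowed by effective policy shaped at {level}"
    return False, (f"denied: {value!r} not in {sorted(allowed)}; "
                   f"effective policy was last shaped at {level}")

# Constructed hierarchy: the org allows only EU locations.
ORG = ListPolicy(frozenset({"in:eu-locations"}))
# Project A merges: EU locations from the org plus one US region of its own.
PROJECT_A = [("organization", ORG), ("folder", None),
             ("project-a", ListPolicy(frozenset({"us-central1"}), True))]
# Project B overrides: only its own list remains; the org's values are gone.
PROJECT_B = [("organization", ORG), ("folder", None),
             ("project-b", ListPolicy(frozenset({"asia-east1"}), False))]
```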
Mastering Cloud Audit Logs for Security
While Organization Security Policies prevent unauthorized actions, Cloud Audit Logs tell you what actually happened. There are four main types of logs you need to know for the ACE exam.
1. Admin Activity Logs
These logs record any action that modifies the configuration or metadata of a resource. For example, creating a VM or changing an IAM policy.
- Status: Always enabled.
- Cost: Free of charge.
2. Data Access Logs
These record operations that read or write data within a service, such as reading an object from a Cloud Storage bucket.
- Status: Disabled by default (except for BigQuery).
- Cost: Can be expensive due to high volume.
Because Data Access Logs can generate massive amounts of data, they are turned off by default to save costs. You must explicitly enable them in the IAM & Admin console for the specific services you want to track.
3. System Event Logs
These record non-human actions taken by Google Cloud, such as an automatic migration of a VM due to maintenance.
4. Policy Denied Logs
These are triggered when an action is blocked by an Organization Security Policy or a VPC Service Control perimeter.
VPC Service Controls: Building a Service Perimeter
Beyond standard Organization Security Policies, Google Cloud offers VPC Service Controls (VPC SC) to prevent data exfiltration.
The Service Perimeter
VPC SC allows you to define a "Service Perimeter" around your sensitive resources. This perimeter acts like a wall that prevents data from being copied to resources outside the perimeter, even if the user has valid IAM credentials.
VPC Service Controls (VPC SC) is a security feature that creates a virtual perimeter around Google Cloud resources to mitigate the risk of data exfiltration and unauthorized access from unauthorized networks.
Context-Aware Access
By combining VPC SC with Access Context Manager, you can enforce "Context-Aware" rules. For example: "Only allow access to this BigQuery dataset if the user is on a company laptop and coming from a specific office IP address."
Exporting Logs for Compliance
A key part of Organization Security Policies and governance is long-term log retention. Cloud Logging only keeps logs for a limited time (e.g., 30 or 400 days).
Logging Sinks
To meet legal requirements, you should use Sinks to export your Cloud Audit Logs to:
- Cloud Storage: For low-cost, long-term "cold" storage (archival).
- BigQuery: For complex security analysis and SQL querying.
- Pub/Sub: To stream logs to a third-party security tool like Splunk or Datadog.
To export logs for the entire organization, create an 'Aggregated Sink' at the Organization level. This ensures that logs from all current and future projects are automatically captured.
Monitoring Security with Security Command Center
Security Command Center (SCC) is Google Cloud's centralized security management platform. It works hand-in-hand with your Organization Security Policies.
Finding Misconfigurations
SCC automatically scans your environment for violations of Organization Security Policies. If someone creates an open S3 bucket or a VM with a public IP in a project where it's forbidden, SCC will flag it as a "Finding."
Threat Detection
SCC can also detect threats like brute-force SSH attacks or cryptomining by analyzing Cloud Audit Logs in real-time.
Using gcloud for Organization Security Policies
The CLI is a powerful tool for managing security at scale.
Viewing a Policy
gcloud resource-manager org-policies describe \
constraints/compute.disableSerialPortAccess \
--project=my-project-id
Setting a Policy
To set a policy, you usually create a YAML file defining the constraint and then apply it:
gcloud resource-manager org-policies set-policy policy.yaml --project=my-project-id
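Two policy files of the kind the command above consumes, added here as an example (not taken from the original page): a boolean constraint that is simply enforced, and a list constraint that merges with the parent's allowed values. Each document is saved as its own file; the file names are assumptions.

```yaml
# serial-port.yaml: enforce a boolean constraint (applied with
# gcloud resource-manager org-policies set-policy serial-port.yaml --project=...)
constraint: constraints/compute.disableSerialPortAccess
booleanPolicy:
  enforced: true
---
# locations.yaml: list constraint limiting resources to EU locations.
# inheritFromParent: true merges this list with the parent's allowed values;
# set it to false (the default) to override the parent instead.
constraint: constraints/gcp.resourceLocations
listPolicy:
  allowedValues:
    - in:eu-locations
  inheritFromParent: true
```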
Reading Audit Logs
gcloud logging read "protoPayload.serviceName=compute.googleapis.com" --limit=10
Use the flag '--organization=ORGANIZATION_ID' instead of '--project' to view or set policies that apply to the entire company hierarchy.
Best Practices for Enterprise Security Governance
To build a truly secure environment using Organization Security Policies, follow these guidelines:
- Deny by Default: Start by banning high-risk activities (like external IPs) at the Org level and only grant exceptions to specific projects.
- Enable Data Access Logs for PII: Always track access to buckets or databases containing Personally Identifiable Information (PII).
- Audit Your Sinks: Ensure your log sinks are working and that the destination (e.g., a GCS bucket) has its own strict Organization Security Policies.
- Use Tags: Use Resource Tags to conditionally apply Organization Security Policies to specific environments (e.g., "Prod" vs "Dev").
Common Exam Scenarios for ACE
Scenario 1: Preventing Shadow IT
"You want to ensure that no developer in any project can ever create a resource in a region outside of Europe."
- Answer: Apply an Organization Security Policy with the constraints/gcp.resourceLocations constraint at the Organization level.
Scenario 2: Investigating a Breach
"An administrator's account was compromised, and you need to see every change they made to the networking configuration in the last 24 hours."
- Answer: Search the Admin Activity Logs in Cloud Logging, filtering by the user's email and the compute.googleapis.com service.
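The four audit-log types described earlier and the Scenario 2 investigation, worked as an added Python example (not Google's tooling) over audit-log entries shaped like the JSON that gcloud logging read returns. The logName and protoPayload field names are the real ones; every value, principal and timestamp is constructed, and the "demo-project" name is a placeholder.

```python
from datetime import datetime, timedelta, timezone

def entry(log_type, ts, service, method, who, status=None):
    """Build a constructed audit-log entry of the given type (activity,
    data_access, system_event or policy) in Cloud Logging's JSON shape."""
    return {"logName": f"projects/demo-project/logs/cloudaudit.googleapis.com%2F{log_type}",
            "timestamp": ts,
            "protoPayload": {"serviceName": service, "methodName": method,
                             "authenticationInfo": {"principalEmail": who},
                             "status": status or {}}}

SAMPLE_LOG = [  # constructed sample entries
    entry("activity", "2024-05-01T10:00:00Z", "compute.googleapis.com",
          "v1.compute.firewalls.insert", "admin@example.com"),
    entry("activity", "2024-04-28T09:00:00Z", "compute.googleapis.com",
          "v1.compute.instances.insert", "admin@example.com"),   # older than 24h
    entry("data_access", "2024-05-01T11:00:00Z", "storage.googleapis.com",
          "storage.objects.get", "admin@example.com"),            # not a config change
    entry("activity", "2024-05-01T11:30:00Z", "compute.googleapis.com",
          "v1.compute.networks.insert", "dev@example.com"),       # other principal
    entry("policy", "2024-05-01T11:45:00Z", "compute.googleapis.com",
          "v1.compute.instances.insert", "dev@example.com",
          {"code": 7, "message": "Constraint constraints/gcp.resourceLocations violated"}),
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # investigation time
LOG_TYPES = {"activity": "Admin Activity", "data_access": "Data Access",
             "system_event": "System Event", "policy": "Policy Denied"}

def audit_log_type(e):
    """Classify an entry into one of the four audit-log types via its logName."""
    return LOG_TYPES.get(e["logName"].rsplit("%2F", 1)[-1], "unknown")

def network_changes_by(entries, principal, now=NOW, window=timedelta(hours=24)):
    """Scenario 2: Admin Activity entries by one principal against the Compute
    Engine API within the look-back window; returns the method names."""
    hits = []
    for e in entries:
        pp = e["protoPayload"]
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        if (audit_log_type(e) == "Admin Activity"
                and pp["serviceName"] == "compute.googleapis.com"
                and pp["authenticationInfo"]["principalEmail"] == principal
                and timedelta(0) <= now - ts <= window):
            hits.append(pp["methodName"])
    return hits

def policy_denials(entries):
    """Policy Denied entries: who was blocked and the constraint message."""
    return [(e["protoPayload"]["authenticationInfo"]["principalEmail"],
             e["protoPayload"]["status"].get("message", ""))
            for e in entries if audit_log_type(e) == "Policy Denied"]
```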
Scenario 3: Data Exfiltration Prevention
"A user has the 'Storage Admin' role but still cannot copy data from a production bucket to their personal project."
- Answer: This is likely caused by a VPC Service Controls perimeter that includes the production project but excludes the personal project.
FAQ
Q1: Can I delete an Organization Policy? A: You can "reset" a policy to its default state or delete the specific override at a project level, which will cause it to inherit from its parent again.
Q2: How long does it take for a new Org Policy to take effect? A: Changes to Organization Security Policies are usually effective within a few minutes.
Q3: Does Cloud Logging charge for Admin Activity Logs? A: No, these are provided for free as they are essential for security.
Q4: What is the difference between a Boolean and a List constraint? A: Boolean is a true/false switch (e.g., "Disable IP Forwarding"). List allows choosing from a set of values (e.g., "Allowed VM Machine Types").
Q5: Can I export logs to a different GCP project? A: Yes. It is a best practice to have a dedicated "Security Project" where all logs from the organization are sent and stored.
Summary Checklist for ACE
- Understand the difference between IAM (Who) and Org Policies (What/Where).
- Know how to use List and Boolean constraints in Organization Security Policies.
- Memorize the four types of Cloud Audit Logs and their default status.
- Explain the purpose of a VPC Service Controls perimeter.
- Identify the destinations for log sinks (GCS, BigQuery, Pub/Sub).
- Use gcloud to describe and set Organization Security Policies.
- Apply the principle of centralized governance at the Organization level.