Assured Workloads and the Organizational Policy Service

Luis Urena
4 min read, Mar 14, 2023

Assured Workloads

Assured Workloads provides Google Cloud customers with the ability to apply security controls to an environment, in support of compliance requirements, without compromising the quality of their cloud experience.

When customers create an Assured Workloads folder, the service creates the folders with a specified regulated data type, personnel controls, and data location packaged into preconfigured platform controls. For FedRAMP Moderate specifically, Assured Workloads sets:

  1. support access controls, so that only first-level support personnel who have completed enhanced background checks can access the environment
  2. a Restrict Resource Service Usage organization policy constraint that limits the scope of services to those that are compliant with FedRAMP Moderate
  3. a Resource Location Restriction organization policy constraint that allows services to be deployed globally, in compliance with FedRAMP Moderate. See this example image:

In this sense, Assured Workloads may adjust any existing Resource Location Restriction and Restrict Resource Service Usage policies on the FedRAMP Moderate folder to aid customers in meeting their compliance requirements. These Org Policies can be adjusted further, as outlined below.

Fortunately, all other Organization Policies set at a parent level (e.g., policies defined at the Org level) remain applied. This was a conscious decision by the Assured Workloads product team, as these new folders likely need to inherit the restrictions previously applied. Effectively, this Assured Workloads folder is analogous to “Resource 1” in the example Org Policy Evaluation Hierarchy:

The easiest way to verify this is to check the Org Policies applied to the folder: if a policy shows “Inherited”, it follows the same rule as the parent folder or organization above this folder.

Adjusting Organization Policy Constraints

Creating or adjusting Org Policy constraints requires the principal to have the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization.

However, Assured Workloads does overwrite the Org Policies that may have been in place in favor of those that are necessary for the compliance framework. Recall that for FedRAMP Moderate specifically, Assured Workloads sets:

  1. a Restrict Resource Service Usage organization policy constraint that limits the scope of services to those that are compliant with FedRAMP Moderate
  2. a Resource Location Restriction organization policy constraint that allows services to be deployed globally, in compliance with FedRAMP Moderate.

Therefore, it’s important to note that these policies are adjustable and can be restricted further to satisfy your specific control requirements.

Restrict Resource Service Usage

The Restrict Resource Service Usage organization policy constraint allows enterprise administrators to control which Google Cloud services can be used within their Google Cloud resource hierarchy. This constraint can only be enforced on services with resources that are the direct descendants of an organization, folder, or project resource.

It is likely that the full list of services in scope for FedRAMP Moderate is not necessary for your particular use case. Therefore, we recommend allowing only the services that your workload will actually use. For example, if your workload will only use Cloud Key Management Service, Cloud Storage, and BigQuery, you would allow only cloudkms.googleapis.com, storage.googleapis.com, and bigquery.googleapis.com. Here is what it would look like:

You can adjust this policy by following these instructions.

Restrict Resource Locations

The Restrict Resource Locations organization policy constraint allows enterprise administrators to define the allowed Google Cloud locations where the resources for supported services in your hierarchy can be created. This limitation will apply only to newly-created resources.

Assured Workloads for FedRAMP Moderate does not restrict your resource locations — customers are able to deploy resources globally, as FedRAMP Moderate doesn’t specify data residency requirements. Nevertheless, some customers may prefer to have all resources in the United States — in this case, customers can modify the Restrict Resource Location policy such that newly-deployed resources can only be created in the United States. Resources you created before setting the resource locations constraint will continue to exist and perform their function.

Adjusting the policy to meet this need looks like so:

The baseline FedRAMP Moderate Resource Location Restriction policy
Adjusted Policy to ONLY allow US deployments

You can adjust this policy by following these instructions.
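Both adjustments above (narrowing Restrict Resource Service Usage to the three services, and restricting Resource Locations to the United States) can be expressed as Org Policy YAML and applied with gcloud. The script below is an added example, not code from the post or from Google; the folder id is a placeholder, the gcloud calls are left commented out, and they assume a principal holding roles/orgpolicy.policyAdmin on the organization.

```shell
#!/bin/sh
# Added example: generate narrowed Org Policies for an Assured Workloads folder.
# FOLDER_ID below is a placeholder; replace it with the Assured Workloads folder's numeric id.

# Emit a gcp.restrictServiceUsage policy whose allow-list is exactly the services given.
# Usage: restrict_services_policy FOLDER_ID service1.googleapis.com [service2 ...]
restrict_services_policy() {
  folder="$1"; shift
  printf 'name: folders/%s/policies/gcp.restrictServiceUsage\n' "$folder"
  printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
  for svc in "$@"; do
    printf '      - %s\n' "$svc"
  done
}

# Emit a gcp.resourceLocations policy that only allows the US value group,
# replacing the global baseline that Assured Workloads sets for FedRAMP Moderate.
resource_locations_us_policy() {
  printf 'name: folders/%s/policies/gcp.resourceLocations\n' "$1"
  printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n      - in:us-locations\n'
}

# Apply a policy file, then read back the effective policy (folder rule merged with
# whatever is inherited from the organization) so the result can be reviewed.
apply_and_verify() {
  policy_file="$1"; folder="$2"; constraint="$3"
  gcloud org-policies set-policy "$policy_file"
  gcloud org-policies describe "$constraint" --folder="$folder" --effective
}

main() {
  FOLDER_ID="${FOLDER_ID:-123456789012}"   # placeholder folder id
  restrict_services_policy "$FOLDER_ID" \
    cloudkms.googleapis.com storage.googleapis.com bigquery.googleapis.com \
    > restrict-services.yaml
  resource_locations_us_policy "$FOLDER_ID" > resource-locations.yaml
  # Uncomment to apply against the real folder (requires an authenticated gcloud):
  # apply_and_verify restrict-services.yaml   "$FOLDER_ID" gcp.restrictServiceUsage
  # apply_and_verify resource-locations.yaml  "$FOLDER_ID" gcp.resourceLocations
}
```

Run `main` to write the two policy files; the resourceLocations file only affects newly created resources, as the post notes, so existing resources outside the US stay where they are.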

If you are interested in using Assured Workloads, please visit https://cloud.google.com/assured-workloads and sign up for a free trial!


Luis Urena

I'm a Developer Advocate at Google Cloud, helping developers with security technologies