
Organization policy

Wishful thinking is not sound policy

An organization policy is a restriction or constraint that you set over the use of a service. For example, you may want to restrict the use of public IPs to a few specific VMs (or to none at all). The restriction is set on a resource hierarchy node, meaning you apply it at the organization, folder, or project level, and it is inherited by everything below that node unless a lower node explicitly overrides it. The types of constraints and how inheritance is evaluated are well explained in the public documentation.

Organization policies matter because they let you enforce and propagate governance rules across your entire Google Cloud organization. They can be set up quickly and act as guardrails: they prevent teams from adopting unsafe practices regardless of the IAM permissions those teams hold within their projects. Organization policies also help with regulatory compliance. For example, you can limit sharing with external parties or dictate where cloud resources may be deployed geographically.

Here is a list of key organization policies we usually recommend companies activate:

Restrict geographic regions for resource deployment

Restrict the physical location of newly created resources by restricting resource locations. This way you are sure that no one can create a resource in an unauthorized region. Note that the constraint applies to resources created after it is set; existing resources in other regions are not moved or deleted.

Restrict Public IP access on Cloud SQL instances

Self-explanatory: keep your systems out of public reach as much as possible. Planning for private connectivity (private IP and Private Service Connect) as the default is a must; this constraint makes a Cloud SQL instance with a public IP impossible to create rather than merely discouraged.

Enforce Public Access Prevention

Secure your Cloud Storage data from public exposure, in the same spirit as with the network. With this constraint enforced, grants to allUsers and allAuthenticatedUsers are blocked on every bucket beneath the node, so only explicitly authorized principals can reach your data.

Enforce uniform bucket-level access

Ensure that all objects in a Cloud Storage bucket are governed by the same permissions, those of the bucket. Uniform bucket-level access disables per-object ACLs, so IAM alone decides who can read an object, which makes it far easier to control and audit that every object has appropriate permissions.

Domain restricted sharing

Restrict which domains can be added to an IAM policy and thereby receive permissions on your resources. Only identities from your own organization should be grantable. You don't want random Gmail accounts to be granted access to your systems, do you? The constraint is configured with Google Workspace or Cloud Identity customer IDs rather than domain names.

Disable service account key creation

User-managed service account keys are long-lived credentials that you must store, rotate, and protect yourself, which makes them a major security risk. Prefer Google-managed credentials (attached service accounts, impersonation, Workload Identity Federation) as much as possible. For the few cases where that's not possible, you may want to read this article.

Disable service account key upload

Another way to obtain user-managed keys is to generate a key pair locally and upload the public key to the service account. This bypasses the previous constraint, so disable it as well; again, try not to rely on user-managed keys at all.

Restrict shared VPC project lien removal

A shared VPC host project is a critical piece of a deployment since its VPC usually serves many service projects. A lien blocks project deletion; this constraint ensures the lien can only be removed at the organization level, so protect yourself from accidental deletion by requiring that extra step (and the extra IAM permission).

There are close to a hundred organization policy constraints available. While we insist on these few, we will review with your team which other constraints make sense for your company.
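The constraints listed above, enforced at the organization node as infrastructure-as-code. This is an added example, not configuration from the original page or from any particular customer: it uses the Terraform `google_organization_policy` resource, and the organization ID, the allowed location group, and the Cloud Identity customer ID are placeholders to be replaced with your own values.

```hcl
# Added example: the recommended constraints set at the organization level.
# Replace the placeholder organization ID and customer ID with your own.
locals {
  org_id = "123456789012" # placeholder organization ID

  # Boolean constraints: each one is simply switched to "enforced".
  boolean_constraints = toset([
    "sql.restrictPublicIp",
    "storage.publicAccessPrevention",
    "storage.uniformBucketLevelAccess",
    "iam.disableServiceAccountKeyCreation",
    "iam.disableServiceAccountKeyUpload",
    "compute.restrictXpnProjectLienRemoval",
  ])
}

resource "google_organization_policy" "boolean" {
  for_each = local.boolean_constraints

  org_id     = local.org_id
  constraint = "constraints/${each.value}"

  boolean_policy {
    enforced = true
  }
}

# List constraint: only the EU location value group is allowed, which
# implicitly denies every region outside it for newly created resources.
resource "google_organization_policy" "resource_locations" {
  org_id     = local.org_id
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    allow {
      values = ["in:eu-locations"]
    }
  }
}

# Domain restricted sharing is also a list constraint, but its values are
# Workspace / Cloud Identity customer IDs, not domain names.
resource "google_organization_policy" "domain_restricted_sharing" {
  org_id     = local.org_id
  constraint = "constraints/iam.allowedPolicyMemberDomains"

  list_policy {
    allow {
      values = ["C0abcd123"] # placeholder customer ID
    }
  }
}
```

Applying this requires the identity running Terraform to hold `roles/orgpolicy.policyAdmin` on the organization. Because the policies are set on the organization node, every folder and project below inherits them; a project that legitimately needs an exception (for example, a single public-facing Cloud SQL instance) should get a narrowly scoped override at its own level rather than a relaxation of the organization-wide rule.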

At this stage it's also important to assign someone as "Organization Policy Administrator" (the `roles/orgpolicy.policyAdmin` role) within your company. This person will be responsible for activating and safeguarding the Google Cloud organization policies for your company, including reviewing any request for a project-level exception. The following diagram gives good context about the implications of this role:
