Org policy & landing zones
Preventive constraints and secure-by-default projects.
Everything in this course is more durable as a default than as a thing each team remembers to do. Organization policy plus an automated landing zone apply the non-negotiables to every new project, so it arrives already fenced rather than after a hardening sprint.
Preventive constraints beat detective findings
A Security Command Center finding tells you a bucket went public after the fact; an organization policy constraint stops it from ever being made public. For the non-negotiables — no service-account keys, no external IPs on VMs, no public IPs on Cloud SQL, domain-restricted sharing, required OS Login — encode them as org policy constraints inherited down the hierarchy, where even a project Owner cannot cross them. Prevention closes the window that detection can only report on.
# Applied at the org (or a folder), inherited by every project below.gcloud resource-manager org-policies enable-enforce constraints/iam.disableServiceAccountKeyCreation --organization=ORG_IDgcloud resource-manager org-policies enable-enforce constraints/compute.vmExternalIpAccess --organization=ORG_IDgcloud resource-manager org-policies enable-enforce constraints/sql.restrictPublicIp --organization=ORG_IDgcloud resource-manager org-policies set-policy domain-restricted-sharing.yaml # allowedPolicyMemberDomains
Secure-by-default projects
A project factory — Terraform modules, the Project Factory, or Cloud Foundation Toolkit — provisions each new project with the baseline already in place: the aggregated log sink wired to the logging project, org-policy constraints inherited, VPC attachment via Shared VPC, SCC enabled, and least-privilege service accounts instead of the over-privileged defaults. Teams request a project and receive a secure one, with no window in which it sits unprotected and no checklist to forget. For sovereignty regimes, Assured Workloads pins region, personnel, and key requirements automatically.