CoursesGCP securityIAM & resource hierarchy

Resource hierarchy & org policy

Org → folders → projects, and inherited guardrails.

Advanced30 min · lesson 1 of 15

GCP security starts with the resource hierarchy, because that tree is what IAM allow policies and organization policies flow down. Get the shape right and guardrails apply everywhere by inheritance; get it wrong and you are re-applying controls project by project and missing some.

Organization → Folders → Projects → resources

The organization is the root, folders group projects by team or environment, and projects are the unit of isolation and billing. An IAM binding at a folder is inherited by every project beneath it; an organization policy constraint set at the org applies to all of it unless deliberately relaxed lower down. The project is your primary blast-radius boundary — prod, staging, and shared services belong in separate projects so a compromise in one cannot reach another.

a hierarchy with inherited guardrails
Organization (acme.com)
├─ Folder: security → org policies + log sink live here
│ ├─ Project: logging (locked log buckets, aggregated sink)
│ └─ Project: scc-tooling (Security Command Center)
├─ Folder: production → stricter org policies inherited by all prod
│ ├─ Project: payments-prod
│ └─ Project: web-prod
└─ Folder: sandbox → looser policies, no prod data
# Org policy set on the "production" folder is inherited by every project in it:
gcloud resource-manager org-policies enable-enforce \
constraints/compute.requireShieldedVm --folder=FOLDER_ID

Organization policies are configuration guardrails

Organization policies are distinct from IAM: IAM decides who-can-do-what, org policy decides what-configuration-is-allowed-at-all. Constraints like disabling service-account key creation, requiring OS Login, blocking external IPs on VMs, and restricting resource sharing to your own domain cap the whole hierarchy below where they are set — and even a project Owner cannot cross them. They are the preventive backbone of a landing zone.

Two independent control planes
IAM — who can act
allow policies (additive down)
grants inherited by children
deny policies (evaluated first)
block matching principals
Org policy — allowed config
constraints inherited down
disable SA keys, no external IPs…
even Owner cannot cross
preventive guardrails
IAM and org policy answer different questions. A secure GCP org uses both — grants scoped tightly, configuration fenced by constraints.
The organization node is the crown jewels
Whoever holds Organization Admin or Owner controls every folder, project, org policy, and log sink. Grant it to a tiny break-glass group behind strong MFA, use it almost never, alert on its use, and do routine work through scoped roles lower in the hierarchy.