Safeguard
Cloud Security

Using GCP organization policy constraints to enforce secu...

GCP organization policy security constraints turn security intent into enforceable guardrails across your resource hierarchy, closing gaps IAM alone cannot.

Karan Patel
Cloud Security Engineer
8 min read

In March 2023, a mid-sized fintech's GCP environment was compromised when a contractor's service account key, exported months earlier and forgotten in a CI script, ended up in a public GitHub repository. The attacker didn't need to breach a firewall — they authenticated directly with the leaked key and pivoted across three projects before anyone noticed. Incidents like this are exactly why GCP organization policy security constraints exist: centrally managed, inheritance-based rules that block risky configurations before a human ever gets the chance to misconfigure them. Unlike IAM, which governs who can do what, org policies govern what is possible at all, regardless of who is asking. For security teams managing dozens or hundreds of projects, that distinction is the difference between hoping engineers follow the rules and guaranteeing they can't break them.

What Are GCP Organization Policy Security Constraints, and Why Do They Matter?

GCP organization policy security constraints are boolean, list, and custom rules enforced through the Organization Policy Service at the organization, folder, or project level, and they matter because they close gaps that identity and access management alone cannot. IAM answers "can this user call this API?" Org policy answers "does this API call produce an outcome we've decided is never acceptable?" As of 2024, Google Cloud ships more than 130 predefined constraints, covering everything from disabling serial port access on Compute Engine, to blocking public IP assignment on VMs, to requiring OS Login instead of SSH key metadata. A single admin with orgpolicy.policyAdmin can set a constraint once at the top of the hierarchy and have it apply instantly to every project created that day, next quarter, or five years from now — no per-project onboarding checklist required.

This matters most in fast-growing engineering organizations where project sprawl outpaces any manual review process. If your security team is reviewing new GCP projects by hand, you're already behind; a developer can spin up a project and a public-facing Cloud SQL instance in the time it takes to file the review ticket. Org policies collapse that race condition by making the unsafe state unreachable in the first place.

How Does Resource Hierarchy Security in GCP Affect Policy Enforcement?

Resource hierarchy security in GCP works through downward inheritance, meaning a constraint set at the organization node automatically applies to every folder, project, and resource beneath it unless a lower node explicitly overrides it. Picture an organization with four folders — Production, Staging, Development, and Sandbox — spanning 214 projects. Setting constraints/compute.vmExternalIpAccess to deny at the organization root protects all 214 projects simultaneously. But if the Sandbox folder needs external IPs for a demo environment, an admin can attach a more permissive policy directly to that folder, and only projects under Sandbox inherit the exception.

This hierarchy is powerful, but it's also where most enforcement gaps hide. A common failure mode: a security team locks down the org root, then a well-meaning platform engineer creates a broad exception at a folder two levels up to unblock a single team, and that exception silently propagates to every project added to that folder afterward. Getting resource hierarchy security in GCP right means treating every inherited exception as a standing liability that needs an owner, an expiration, and a documented reason — not a one-time favor that gets forgotten.

Why Should You Restrict Service Account Key Creation Policy Org-Wide?

You should restrict service account key creation policy at the organization level because long-lived, downloadable JSON keys are one of the most common sources of credential leaks in cloud breaches, and unlike short-lived tokens, a leaked key stays valid until someone remembers to revoke it. Google's own incident response guidance has repeatedly named exposed service account keys among the top initial-access vectors in cloud compromises, precisely because they're portable: a key copied into a laptop, a CI log, or a public repo works from anywhere, with no session expiry forcing re-authentication.

The constraint iam.disableServiceAccountKeyCreation blocks the creation of new user-managed keys org-wide, and its companion iam.disableServiceAccountKeyUpload prevents anyone from uploading a public key to an existing service account to mint their own credential. Together they push teams toward Workload Identity Federation and attached service accounts, which grant short-lived, automatically rotated credentials scoped to a specific workload instead of a static file that can outlive the project it was created for. Most organizations that adopt this pair of constraints do it in two phases: first enabling iam.disableServiceAccountKeyCreation org-wide with narrow, time-boxed exceptions for legacy pipelines still migrating off static keys, then closing the upload path once key inventories are clean. Teams that skip the audit step and flip the constraint on everywhere at once tend to spend the following week fielding break-glass exception requests instead of preventing them.

What Are the Most Critical Org Policy Constraints to Enable First?

The most critical constraints to enable first are the ones that block public exposure and credential sprawl, because those two categories account for the overwhelming majority of cloud misconfiguration findings in customer audits. In practice, five constraints do most of the work: iam.disableServiceAccountKeyCreation (stops static key sprawl), compute.vmExternalIpAccess (blocks unintended internet-facing VMs), sql.restrictPublicIp (keeps Cloud SQL instances off the public internet), storage.publicAccessPrevention (prevents Cloud Storage buckets from being made public regardless of individual object ACLs), and iam.allowedPolicyMemberDomains (restricts IAM bindings to approved identity domains, blocking accidental grants to personal Gmail accounts).

Enabling these five at the organization root, before onboarding a single additional project, addresses a large share of the misconfiguration classes teams typically discover only after a security review or a failed compliance audit. The sequencing matters: start with storage.publicAccessPrevention and sql.restrictPublicIp, which almost never break legitimate workflows, then move to the identity-related constraints once you've inventoried which teams still depend on static keys or external member domains. Rolling out all five simultaneously in a mature environment with years of undocumented exceptions is how a well-intentioned rollout turns into a week of incident tickets.

What Org Policy Best Practices Prevent Configuration Drift?

Org policy best practices that prevent drift center on treating policies as code, testing changes before enforcing them, and auditing exceptions on a fixed schedule rather than reactively. Google's policy dry-run mode, generally available since 2022, lets you attach a constraint in evaluation-only mode and see which resources would be denied before you flip enforcement on — this alone catches most of the "wait, that broke production" surprises before they happen. Managing constraints through Terraform's google_org_policy_policy resource (or the older google_organization_policy resource) instead of the console means every change goes through code review and leaves an audit trail, which matters as much for SOC 2 evidence as it does for catching a bad change before it merges.

The second pillar of org policy best practices is a recurring exception review. Every folder- or project-level override of an org-wide constraint should carry a ticket reference, an owner, and a review date — a quarterly cadence is a reasonable default for most organizations. Google's newer tag-based conditional policies, generally available since 2023, make this more precise: instead of exempting an entire folder, you can scope an exception to resources carrying a specific tag, shrinking the blast radius of every exception you grant. Organizations that skip this review step tend to discover, a year or two later, that a "temporary" exception from a since-departed engineer is now the reason half their sandbox folder has public IPs enabled.

How Safeguard Helps

Safeguard gives security and platform teams continuous visibility into how org policy constraints are actually configured and enforced across the resource hierarchy — not just what's documented in a wiki page from eighteen months ago. Instead of relying on quarterly manual audits, Safeguard continuously maps your GCP organization, folder, and project structure, flags where inherited constraints have been overridden, and surfaces which of those overrides lack an owner, a ticket, or an expiration date.

For the specific risks covered in this post, Safeguard tracks whether iam.disableServiceAccountKeyCreation and its related identity constraints are enforced consistently across every project — including ones spun up yesterday — and alerts when a new project drifts from your organization's baseline before it becomes production infrastructure. That baseline maps directly to control evidence for SOC 2 and similar frameworks, so the same guardrail configuration that stops a misconfiguration from shipping also generates the audit trail your compliance team needs at review time. The goal isn't another dashboard to check — it's making sure the guardrails you set at the org root today are still the guardrails actually protecting project number 214 next quarter, without anyone having to remember to look.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.