Org Policy Update Detected on 2024-06-25 #370

Open: wants to merge 1 commit into base: main
41 changes: 31 additions & 10 deletions policies/org_policy.json
Expand Up @@ -228,6 +228,13 @@
"constraintDefault": "ALLOW",
"booleanConstraint": {}
},
{
"name": "constraints/compute.requireOsConfig",
"displayName": "Require OS Config",
"description": "This boolean constraint, when enforced, enables VM Manager (OS Config) on all new projects. All VM instances created in new projects will have VM Manager enabled. On new and existing projects, this constraint prevents metadata updates that disable VM Manager at the project or instance level. By default, VM Manager is disabled on Compute Engine projects.",
"constraintDefault": "ALLOW",
"booleanConstraint": {}
},
{
"name": "constraints/compute.requireShieldedVm",
"displayName": "Shielded VMs",
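Review bot: Worth confirming that "constraintDefault": "ALLOW" on the new constraints/compute.requireOsConfig entry is read correctly downstream: for a boolean constraint ALLOW means not enforced by default, which matches the description's last sentence ("By default, VM Manager is disabled on Compute Engine projects"), so this entry only takes effect once an organization explicitly enforces it. Any tooling in this repo that flags "require*" constraints as recommended-to-enforce should pick this one up alongside the adjacent constraints/compute.requireShieldedVm.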
Expand Down Expand Up @@ -303,7 +310,7 @@
{
"name": "constraints/gcp.restrictCmekCryptoKeyProjects",
"displayName": "Restrict which projects may supply KMS CryptoKeys for CMEK",
"description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.",
"description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, workstations.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.",
"constraintDefault": "ALLOW",
"listConstraint": {
"supportsUnder": true
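Review bot: The two services added to the bracketed list in the constraints/gcp.restrictCmekCryptoKeyProjects description (file.googleapis.com and workstations.googleapis.com) are the same two added to the constraints/gcp.restrictNonCmekServices description later in this diff, so the change is consistent; note that the two lists still differ by storagetransfer.googleapis.com, which appears only in the restrictNonCmekServices list. That divergence is upstream wording rather than something this sync should alter, but anyone who parses these bracketed lists to build a CMEK coverage report should not assume the two are identical.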
Expand All @@ -312,7 +319,7 @@
{
"name": "constraints/gcp.restrictNonCmekServices",
"displayName": "Restrict which services may create resources without CMEK",
"description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.",
"description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com, workstations.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.",
"constraintDefault": "ALLOW",
"listConstraint": {}
},
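Review bot: Because the description now lists file.googleapis.com and workstations.googleapis.com among the services that can be set in constraints/gcp.restrictNonCmekServices, an organization that already enforces this constraint with a denied-values list can extend it to those services, and the description's own caveat applies ("Enforcement of this constraint is not retroactive"): existing Filestore and Cloud Workstations resources created without CMEK are not affected until reconfigured or recreated. It may be worth a changelog line so policy owners know the denied list can now grow.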
Expand Down Expand Up @@ -476,6 +483,13 @@
"constraintDefault": "ALLOW",
"listConstraint": {}
},
{
"name": "constraints/storage.softDeletePolicySeconds",
"displayName": "Cloud Storage - soft delete policy retention duration in seconds",
"description": "This constraint defines the allowable retention durations for soft delete policies set on Cloud Storage buckets where this constraint is enforced. Any insert, update, or patch operation on a bucket where this constraint is enforced must have a soft delete policy duration that matches the constraint. When a new organization policy is enforced, the soft delete policy of existing buckets remains unchanged and valid. By default, if no organization policy is specified, a Cloud Storage bucket can have a soft delete policy of any duration.",
"constraintDefault": "ALLOW",
"listConstraint": {}
},
{
"name": "constraints/storage.restrictAuthTypes",
"displayName": "Cloud Storage - restrict authentication types",
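Review bot: The description of the new constraints/storage.softDeletePolicySeconds entry says a bucket operation "must have a soft delete policy duration that matches the constraint" but, unlike the other list constraints in this file (which spell out accepted forms such as under:organizations/ORGANIZATION_ID), it does not say what the allowed values look like (single second counts, ranges, or something else). If the upstream documentation specifies the value syntax, a short note in the repo's docs would help, since this constraint is one an organization would use to keep a minimum soft-delete retention in place as a guard against accidental or malicious bucket deletion.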
Expand All @@ -502,7 +516,7 @@
{
"name": "constraints/compute.restrictVpcPeering",
"displayName": "Restrict VPC peering usage",
"description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.",
"description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. Each peering end is required to have peering permission. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.",
"constraintDefault": "ALLOW",
"listConstraint": {
"supportsUnder": true
Expand Down Expand Up @@ -620,7 +634,7 @@
{
"name": "constraints/gcp.restrictTLSVersion",
"displayName": "Restrict TLS Versions",
"description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrpyted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.",
"description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrypted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.",
"constraintDefault": "ALLOW",
"listConstraint": {}
},
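Review bot: The typo fix ("unencrpyted" to "unencrypted") is correct, but the same line still carries a missing space in "TLS_VERSION_1_1.This constraint". Since this file mirrors the upstream constraint descriptions verbatim, keeping it as-is is defensible; if the sync tooling normalizes text, this is the other spot on the line to normalize.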
Expand Down Expand Up @@ -722,7 +736,7 @@
{
"name": "constraints/compute.disableHybridCloudIpv6",
"displayName": "Disable Hybrid Cloud IPv6 usage",
"description": "This boolean constraint, when set to True, disables the creation of or update to hybrid cloud resources including Cloud Router, Interconnect Attachments, and Cloud VPN with a stack_type of IPV4_IPV6. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in any projects, folders and organizations.",
"description": "This boolean constraint, when enforced, disables the creation of, or updates to, hybrid cloud resources including Interconnect Attachments and Cloud VPN gateways with a stack_type of IPV4_IPV6 or IPV6_ONLY, or a gatewayIpVersion of IPv6. If enforced on a Cloud Router resource, the ability to create IPv6 Border Gateway Protocol (BGP) sessions and the ability to enable IPv6 route exchange over IPv4 BGP sessions are disabled. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in projects, folders, and organizations.",
"constraintDefault": "ALLOW",
"booleanConstraint": {}
},
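Review bot: The expanded description for constraints/compute.disableHybridCloudIpv6 now covers stack_type values of IPV4_IPV6 or IPV6_ONLY, a gatewayIpVersion of IPv6, and IPv6 BGP sessions on Cloud Router, but the closing "By default" sentence still mentions only "stack_type of IPV4_IPV6". That is inherited wording, not a defect in this PR, but the broadened scope is the security-relevant change: policies that enforce this constraint now also block IPv6-only attachments and IPv6 BGP sessions, so organizations that enforce it for an IPv4-only posture should re-check that nothing they depend on falls into the newly described cases.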
Expand Down Expand Up @@ -819,8 +833,8 @@
},
{
"name": "constraints/compute.disableSshInBrowser",
"displayName": "Disable SSH in browser",
"description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.",
"displayName": "Disable SSH-in-browser",
"description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console for VMs that use OS Login and App Engine flexible environment VMs. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.",
"constraintDefault": "ALLOW",
"booleanConstraint": {}
},
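Review bot: The new description for constraints/compute.disableSshInBrowser scopes the control to "VMs that use OS Login and App Engine flexible environment VMs", whereas the previous wording was unqualified. Anyone who has relied on this constraint as a blanket way to turn off SSH-in-browser should verify coverage for instances outside that stated scope; a note in the changelog calling out the narrowed wording would make that easier to catch.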
Expand All @@ -834,14 +848,14 @@
{
"name": "constraints/commerceorggovernance.marketplaceServices",
"displayName": "Restrict access on marketplace services",
"description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If PRIVATE_MARKETPLACE is in the allowed value list, the private marketplace is enabled. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the private marketplace is disabled and the IaaS procurement governance experience is disabled. Also, the IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on the marketplace.",
"description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If PRIVATE_MARKETPLACE is in the allowed value list, Google Private Marketplace is turned on. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, Google Private Marketplace is turned off and the IaaS procurement governance experience is turned off. Also, the IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on the marketplace.Important: We strongly recommend that you follow the instructions at https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace to turn on the Google Private Marketplace, instead of doing so via this organization policy. This will ensure that you avoid any configuration issues that may arise by manually including PRIVATE_MARKETPLACE in the list constraint.",
"constraintDefault": "DENY",
"listConstraint": {}
},
{
"name": "constraints/commerceorggovernance.disablePublicMarketplace",
"displayName": "Disable Public Marketplace",
"description": "This boolean constraint, when enforced, disables public marketplace for all users under the org. By default, public marketplace access is enabled for the org.",
"displayName": "Disable public marketplace",
"description": "This boolean constraint, when enforced, turns off {{marketplace_name}} for all users under the organization. By default, public marketplace access is turned on for the organization. This policy only works when the Private Marketplace is enabled (https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace).Important: For the most optimal experience, we strongly recommend that you use the marketplace user access restrictions feature, as described in https://cloud.google.com/marketplace/docs/governance/strict-user-access to prevent unauthorized use of the marketplace in your organization, instead of doing so via this organization policy.",
"constraintDefault": "ALLOW",
"booleanConstraint": {}
},
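Review bot: The constraints/commerceorggovernance.disablePublicMarketplace description contains an unsubstituted template variable, "{{marketplace_name}}", and both marketplace descriptions have a missing space before "Important:" ("marketplace.Important:" and "enable-private-marketplace).Important:"). The placeholder in particular looks like upstream leaked an unrendered string; if this repo intends the file to be human-readable, consider either substituting the name the surrounding text uses ("public marketplace") or opening an upstream report, rather than committing the raw template token.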
Expand Down Expand Up @@ -879,6 +893,13 @@
"description": "This list constraint defines the response taken if Google detects that a service account key is exposed publicly. By default, there is no response. The allowed values are DISABLE_KEY and WAIT_FOR_ABUSE. Values not explicitly part of this list cannot be used. Only one allowed value can be specified, and denied values are not supported. Allowing the DISABLE_KEY value automatically disables any publicly exposed service account key, and creates an entry in the audit log. Allowing the WAIT_FOR_ABUSE value opts out of this protection, and does not disable exposed service account keys automatically. However, Google Cloud may disable exposed service account keys if they are used in ways that adversely affect the platform, but makes no promise to do so. To enforce this constraint, set it to replace the parent policy in the Google Cloud Console, or set inheritFromParent=false in the policy file if using the gcloud CLI. This constraint can't be merged with a parent policy. ",
"constraintDefault": "DENY",
"listConstraint": {}
},
{
"name": "constraints/compute.requireBasicQuotaInResponse",
"displayName": "Disable fail-open behavior for list methods that display quota information for a region",
"description": "This boolean constraint, when enforced, disables the fail-open behavior on server-side failures for regions.list, regions.get, and projects.get methods. That means that if the quota information is unavailable, these methods fail when the constraint is enforced. By default, these methods succeed on server-side failures and display a warning message when the quota information is unavailable.",
"constraintDefault": "ALLOW",
"booleanConstraint": {}
}
]
}
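Review bot: The new constraints/compute.requireBasicQuotaInResponse entry is appended at the very end of the array after an iam.* constraint, while the other compute.* entries in this file are grouped together; if the file has an intended ordering, this one should move next to its siblings. On substance, "constraintDefault": "ALLOW" combined with the description means the fail-open behaviour of regions.list, regions.get, and projects.get remains the default, so organizations that want fail-closed quota responses must enforce it explicitly.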