implementing-gcp-organization-policy-constraints
Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.
Best use case
implementing-gcp-organization-policy-constraints is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.
Teams using implementing-gcp-organization-policy-constraints should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-gcp-organization-policy-constraints/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-gcp-organization-policy-constraints Compares
| Feature / Agent | implementing-gcp-organization-policy-constraints | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
SKILL.md Source
# Implementing GCP Organization Policy Constraints
## Overview
The GCP Organization Policy Service provides centralized and programmatic control over cloud resources. Organization policies configure constraints that restrict one or more Google Cloud services, enforced at organization, folder, or project levels. They improve security by blocking external IPs, requiring encryption, and minimizing unauthorized access. Changes can take up to 15 minutes to propagate.
## When to Use
- When deploying or configuring implementing gcp organization policy constraints capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- GCP Organization with Organization Administrator role
- `gcloud` CLI configured and authenticated
- Terraform or gcloud for policy management
- Organization Policy Administrator IAM role (`roles/orgpolicy.policyAdmin`)
## Core Concepts
### Constraint Types
1. **List Constraints**: Allow or deny specific values (e.g., allowed regions)
2. **Boolean Constraints**: Enable or disable a capability (e.g., disable serial port access)
3. **Custom Constraints**: User-defined rules targeting specific resource fields (Preview)
### Policy Inheritance
Policies inherit from the lowest ancestor with an enforced policy. If no ancestor has a policy, Google's managed default behavior applies.
## Essential Security Constraints
### Restrict VM External IP Addresses
```bash
# Deny external IP addresses on all VMs
gcloud resource-manager org-policies set-policy \
--organization=ORGANIZATION_ID \
policy.yaml
```
policy.yaml:
```yaml
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
allValues: DENY
```
### Restrict Resource Locations
```bash
gcloud org-policies set-policy \
--organization=ORGANIZATION_ID \
location-policy.yaml
```
location-policy.yaml:
```yaml
constraint: constraints/gcp.resourceLocations
listPolicy:
allowedValues:
- "in:us-locations"
- "in:eu-locations"
```
### Disable Default Service Account Creation
```yaml
constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
booleanPolicy:
enforced: true
```
### Require OS Login for SSH
```yaml
constraint: constraints/compute.requireOsLogin
booleanPolicy:
enforced: true
```
### Disable Serial Port Access
```yaml
constraint: constraints/compute.disableSerialPortAccess
booleanPolicy:
enforced: true
```
### Enforce Uniform Bucket-Level Access
```yaml
constraint: constraints/storage.uniformBucketLevelAccess
booleanPolicy:
enforced: true
```
### Restrict Public IP on Cloud SQL
```yaml
constraint: constraints/sql.restrictPublicIp
booleanPolicy:
enforced: true
```
### Disable Service Account Key Creation
```yaml
constraint: constraints/iam.disableServiceAccountKeyCreation
booleanPolicy:
enforced: true
```
## Terraform Implementation
```hcl
resource "google_organization_policy" "restrict_vm_external_ip" {
org_id = var.org_id
constraint = "constraints/compute.vmExternalIpAccess"
list_policy {
deny {
all = true
}
}
}
resource "google_organization_policy" "restrict_locations" {
org_id = var.org_id
constraint = "constraints/gcp.resourceLocations"
list_policy {
allow {
values = ["in:us-locations", "in:eu-locations"]
}
}
}
resource "google_organization_policy" "require_os_login" {
org_id = var.org_id
constraint = "constraints/compute.requireOsLogin"
boolean_policy {
enforced = true
}
}
resource "google_folder_organization_policy" "dev_folder_external_ip" {
folder = google_folder.dev.name
constraint = "constraints/compute.vmExternalIpAccess"
list_policy {
allow {
values = ["projects/dev-project/zones/us-central1-a/instances/bastion-host"]
}
}
}
```
## Dry-Run Testing
Use Policy Intelligence tools to test changes before enforcement:
```bash
# Create a dry-run policy to monitor impact
gcloud org-policies set-policy \
--organization=ORGANIZATION_ID \
dry-run-policy.yaml
```
dry-run-policy.yaml:
```yaml
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
allValues: DENY
dryRunSpec: true
```
```bash
# Check violations against dry-run policy
gcloud org-policies list-custom-constraints \
--organization=ORGANIZATION_ID
```
## Custom Constraints
```yaml
# custom-constraint.yaml
name: organizations/ORGANIZATION_ID/customConstraints/custom.disableGKEAutoUpgrade
resourceTypes:
- container.googleapis.com/NodePool
methodTypes:
- CREATE
- UPDATE
condition: "resource.management.autoUpgrade == true"
actionType: DENY
displayName: Deny GKE auto-upgrade on node pools
description: Prevents enabling auto-upgrade on GKE node pools for controlled upgrades
```
```bash
gcloud org-policies set-custom-constraint custom-constraint.yaml
```
## Monitoring and Compliance
### List active policies
```bash
gcloud org-policies list --organization=ORGANIZATION_ID
```
### Describe a specific policy
```bash
gcloud org-policies describe constraints/compute.vmExternalIpAccess \
--organization=ORGANIZATION_ID
```
### Audit policy violations with Cloud Asset Inventory
```bash
gcloud asset search-all-resources \
--scope=organizations/ORGANIZATION_ID \
--query="policy:constraints/compute.vmExternalIpAccess"
```
## Recommended Baseline Policies
| Constraint | Type | Scope | Purpose |
|-----------|------|-------|---------|
| compute.vmExternalIpAccess | List/Deny | Org | Prevent public VM IPs |
| gcp.resourceLocations | List/Allow | Org | Restrict to approved regions |
| iam.disableServiceAccountKeyCreation | Boolean | Org | Force Workload Identity |
| compute.requireOsLogin | Boolean | Org | Mandate OS Login for SSH |
| storage.uniformBucketLevelAccess | Boolean | Org | Enforce uniform bucket access |
| sql.restrictPublicIp | Boolean | Org | No public Cloud SQL |
| compute.disableSerialPortAccess | Boolean | Org | Disable serial port |
| compute.disableNestedVirtualization | Boolean | Org | No nested VMs |
## References
- GCP Organization Policy Constraints: https://docs.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- GCP Policy Intelligence: https://cloud.google.com/policy-intelligence
- CIS GCP Foundations BenchmarkRelated Skills
performing-dmarc-policy-enforcement-rollout
Execute a phased DMARC rollout from p=none monitoring through p=quarantine to p=reject enforcement, ensuring all legitimate email sources are authenticated before blocking unauthorized senders.
performing-content-security-policy-bypass
Analyze and bypass Content Security Policy implementations to achieve cross-site scripting by exploiting misconfigurations, JSONP endpoints, unsafe directives, and policy injection techniques.
implementing-zero-trust-with-hashicorp-boundary
Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.
implementing-zero-trust-with-beyondcorp
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.
implementing-zero-trust-network-access
Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.
implementing-zero-trust-network-access-with-zscaler
Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based, context-aware access to private applications through the Zscaler Zero Trust Exchange.
implementing-zero-trust-in-cloud
This skill guides organizations through implementing zero trust architecture in cloud environments following NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure, and GCP environments.
implementing-zero-trust-for-saas-applications
Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies, OAuth app governance, and session controls to enforce identity verification, device compliance, and data protection for cloud-hosted services.
implementing-zero-trust-dns-with-nextdns
Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking, privacy protection, and organizational policy enforcement across all endpoints.
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
implementing-zero-knowledge-proof-for-authentication
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati
implementing-web-application-logging-with-modsecurity
Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, tune rules to reduce false positives, analyze audit logs for attack detection, and implement custom SecRules for application-specific threats. The analyst configures SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage with operational stability. Activates for requests involving WAF configuration, ModSecurity rule tuning, web application audit logging, or CRS deployment.