Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Restrict the Creation of Cloud Resources to Specific Locations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the locations where location-based cloud resources can be created within your GCP organization are defined using the "Google Cloud Platform - Resource Location Restriction" organization policy. This constraint policy helps you achieve regulatory compliance by explicitly defining the locations allowed to deploy Google Cloud resources for your organization. You can specify multi-regions such as "asia" and "europe" and individual regions such as "us-east1" or "europe-west2" as allowed locations. You can specify value groups, collections of locations that are curated by Google Cloud to provide a simple way to define your resource locations. To use value groups with the "Google Cloud Platform - Resource Location Restriction" policy, prefix your entries with the string in: followed by the value group. The list of allowed locations must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Security

With "Google Cloud Platform - Resource Location Restriction" constraint policy you can limit the physical location of a new Google Cloud resource within your GCP organization. This policy enables you to define the allowed locations where the cloud resources for supported services in your hierarchy can be created in order to comply with your organization`s internal regulations. After you configure the allowed resource locations, this limitation will apply only to newly-created GCP resources. The resources that you created before setting the resource locations constraint will continue to exist and perform their function as expected.

Note: To avoid breaking existing cloud infrastructure, you should test the "Google Cloud Platform - Resource Location Restriction" constraint policy on non-production projects and folders within your organization, then configure and apply the policy gradually.

Audit

To determine if the location-based restriction is enabled within your GCP organizations, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the complete list of the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Google Cloud Platform - Resource Location Restriction to return only the “Google Cloud Platform - Resource Location Restriction” policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Allowed configuration attribute value. If the Allowed attribute value is set to All, the policy constraints are not enforced in your organization, therefore Google Cloud resources can be deployed to any location, without restriction, within the selected Google Cloud Platform (GCP) organization.

08 Repeat steps no. 2 – 7 for each organization available in in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account: 

gcloud organizations list
  --format="table(name)"

02 The command output should return the requested organization identifiers (IDs): 

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to describe the enforcement configuration of the “Google Cloud Platform - Resource Location Restriction” policy (i.e. "gcp.resourceLocations"), available for the selected GCP organization: 

gcloud alpha resource-manager org-policies describe "gcp.resourceLocations"
  --effective
  --organization=112233441122
  --format="value(listPolicy.allValues)"

04 The command request should return the requested configuration information: 

ALLOW

If the resource-manager org-policies describe command output returns ALLOW, as shown in the example above, the “Google Cloud Platform - Resource Location Restriction” policy constraints are not enforced within your organization, therefore Google Cloud resources can be deployed to any location, without restriction, in the selected Google Cloud Platform (GCP) organization.

05 Repeat step no. 3 and 4 for each organization created within in your Google Cloud account.

Remediation / Resolution

To implement the restriction of creating Google Cloud resources within specific locations, at the GCP organization level, enable and configure the “Google Cloud Platform - Resource Location Restriction” organization policy by performing the following actions:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict the Creation of GCP Resources to Specific Locations conformity rule settings and note the list of Google Cloud Platform locations where Google Cloud resources can be created within your organization.

02 Sign in to Google Cloud Management Console with the organizational unit credentials.

03 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

04 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

05 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

06 Click inside the Filter by policy name or ID filter box, select Name and Google Cloud Platform - Resource Location Restriction to return the “Google Cloud Platform - Resource Location Restriction” policy.

07 Click on the name of the GCP organization policy returned at the previous step.

08 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

09 On the Edit policy configuration page, perform the following operations:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. To override the inherited policies completely, select Replace under Policy enforcement.
  3. To use explicit values, select Custom from the Policy values dropdown list.
  4. For Policy type, select Allow to specify that the listed values will be the only allowed values, and all other values will be denied.
  5. In the Custom values section, use the configuration controls to define the Google Cloud Platform (GCP) locations to be allowed for creating Google Cloud resources within the selected organization, identified at step no. 1. Use the in: prefix and the location string to define an allowed GCP location where you can deploy cloud resources. For example, in:us-locations or in:us-west1-locations. You can enter specific zones, regions, or multi-region locations as location strings. The list of available GCP locations can be found on the Resource Locations Supported Services page.
  6. (Optional) To set a recommendation for other users, click SET RECOMMENDATION, enter a string value into the Recommended value text box, and click SET to apply the recommendation. This string value will be displayed in the Google Cloud console to provide guidance to users about this organization policy. This is just a communication tool, and does not affect the policy configuration.
  7. Click SAVE to apply the changes and enforce the “Google Cloud Platform - Resource Location Restriction” policy constraints.

10 If required, repeat steps no. 3 – 9 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict the Creation of GCP Resources to Specific Locations conformity rule settings and note the list of Google Cloud Platform locations where Google Cloud resources can be created within your organization.

02 Define the “Google Cloud Platform - Resource Location Restriction” organization policy constraints and save the YAML policy document to a file named cc-restrict-gcp-location-policy.yaml. Use the list of allowed Google Cloud Platform (GCP) locations identified at step no. 1 to configure the allowed_values list. The following policy configuration example allows the creation of Google Cloud resources in all zones within South Carolina (i.e. us-east1-locations), for the specified GCP organization. Use the in: prefix and the location string to define an allowed GCP location where you can deploy cloud resources (e.g. in:us-east1-locations). You can enter specific zones, regions, or multi-region locations as location strings. The list of available GCP locations can be found on the Resource Locations Supported Services page: 

constraint: constraints/gcp.resourceLocations
listPolicy:
  allowed_values:
    in:us-east1-locations

03 Run resource-manager org-policies set-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the “Google Cloud Platform - Resource Location Restriction” policy, using the policy configuration defined at the previous step, for the selected organization: 

gcloud beta resource-manager org-policies set-policy cc-restrict-gcp-location-policy.yaml
  --organization=112233441122

04 The command request should return the enforced organization policy metadata: 

constraint: constraints/gcp.resourceLocations
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - in:us-east1-locations
updateTime: '2020-07-19T10:00:00.000Z'

05 If required, repeat step no. 3 and 4 to enforce the policy for other organizations created within your Google Cloud account.

References

Publication date May 4, 2021

Related ResourceManager rules