L17. Compliance and Governance: Resource Manager Policies and Audit Logs
Google Cloud provides governance tools to enforce organizational standards and prove compliance. The Digital Leader exam tests Organization Policy Service, Audit Logs, Security Command Center, and compliance certifications.
Organization Policy Service
Organization Policy Service lets you set centralized, programmatic constraints on Google Cloud resources across your entire organization. Key concept: An Organization Policy is a constraint applied at the Organization, Folder, or Project level that restricts what actions can be performed, regardless of IAM permissions. Examples of built-in constraints:
- compute.vmExternalIpAccess: restrict VMs from having external IP addresses
- compute.requireShieldedVm: require all VMs to use Shielded VM security features
- storage.uniformBucketLevelAccess: enforce uniform bucket-level access on all Cloud Storage buckets
- iam.allowedPolicyMemberDomains: restrict which domains can be added to IAM policies
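The following is an added example, not code from the lesson or from Google, to show how the constraints above veto a request independently of IAM. The policy dicts mirror the v1 YAML shape that `gcloud resource-manager org-policies set-policy` accepts (a `constraint` plus a `listPolicy` or `booleanPolicy`); the evaluator functions, the customer ID `C0example1` and the `domain_to_customer_id` lookup are hypothetical simplifications written for this illustration.

```python
"""Added example (not Google's code): models how Organization Policy
constraints deny a request regardless of the caller's IAM permissions.

The policy dicts mirror the v1 YAML that `gcloud resource-manager
org-policies set-policy` accepts; the evaluator is a hypothetical
simplification for illustration, not the real enforcement engine.
"""

# Policies as they would appear in the YAML files, one per constraint.
ORG_POLICIES = [
    {"constraint": "constraints/compute.vmExternalIpAccess",
     "listPolicy": {"allValues": "DENY"}},
    {"constraint": "constraints/compute.requireShieldedVm",
     "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/storage.uniformBucketLevelAccess",
     "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/iam.allowedPolicyMemberDomains",
     "listPolicy": {"allowedValues": ["C0example1"]}},  # constructed customer ID
]


def _list_allows(list_policy, value):
    """Evaluate a list constraint against one candidate value."""
    if list_policy.get("allValues") == "DENY":
        return False
    if list_policy.get("allValues") == "ALLOW":
        return True
    if "allowedValues" in list_policy:
        return value in list_policy["allowedValues"]
    if "deniedValues" in list_policy:
        return value not in list_policy["deniedValues"]
    return True  # no explicit list: nothing is restricted


def evaluate_vm_create(vm, policies=ORG_POLICIES, iam_allows=True):
    """Return the constraints a VM creation request violates.

    `vm` describes the request, e.g.
      {"name": "...", "external_ip": True, "shielded_vm": False}
    `iam_allows` is accepted only to make the point: it is never consulted,
    because Organization Policy applies regardless of IAM permissions.
    """
    violations = []
    for p in policies:
        c = p["constraint"]
        if c == "constraints/compute.vmExternalIpAccess" and vm.get("external_ip"):
            # For this constraint the list values are VM resource names
            # that are permitted to carry an external IP.
            if not _list_allows(p["listPolicy"], vm.get("name", "")):
                violations.append(c)
        elif c == "constraints/compute.requireShieldedVm":
            if p["booleanPolicy"]["enforced"] and not vm.get("shielded_vm"):
                violations.append(c)
    return violations


def evaluate_iam_member(member, policies=ORG_POLICIES):
    """True if `member` (e.g. 'user:alice@example.com') may be added to an IAM policy.

    The real constraint matches Cloud Identity customer IDs; the hypothetical
    `domain_to_customer_id` map stands in for that lookup.
    """
    domain_to_customer_id = {"example.com": "C0example1"}  # constructed
    for p in policies:
        if p["constraint"] == "constraints/iam.allowedPolicyMemberDomains":
            domain = member.split("@")[-1]
            return _list_allows(p["listPolicy"], domain_to_customer_id.get(domain))
    return True


if __name__ == "__main__":
    # A project owner (full IAM rights) still cannot create this VM.
    request = {"name": "projects/demo/zones/us-central1-a/instances/web-1",
               "external_ip": True, "shielded_vm": False}
    print(evaluate_vm_create(request, iam_allows=True))
    print(evaluate_iam_member("user:alice@example.com"))
    print(evaluate_iam_member("user:mallory@gmail.com"))
```

The `iam_allows=True` argument is deliberately ignored: that is the whole point of the exam question about project owners and external IPs. In a real organization the denial surfaces to the caller as an API error when the request is made, not at IAM grant time.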
Cloud Audit Logs
Cloud Audit Logs record who did what, when, and from where across Google Cloud services. Four types of audit logs:
| Log Type | What It Captures | Enabled By Default |
|---|---|---|
| Admin Activity | Admin API calls that modify resources | Yes |
| Data Access | API calls that read resource data | No (must enable) |
| System Event | Automated changes by Google systems | Yes |
| Policy Denied | Requests denied by IAM or Organization Policy | Yes |
- Admin Activity logs are always on and cannot be disabled
- Data Access logs may generate high volume; enable selectively
- Logs are stored in Cloud Logging with a default 400-day retention (customizable)
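As an added example that is not part of the lesson or of Google's tooling, the script below classifies exported Cloud Audit Log entries into the four types from the table and pulls out the who/what/when/where fields the text describes. The field names (the `logName` suffixes and the `protoPayload.*` keys) follow the documented AuditLog entry layout; the three JSON entries are constructed for this example and use documentation IP ranges.

```python
"""Added example (not from the lesson or from Google): classify Cloud Audit
Log entries by type and summarize who did what, when, and from where.

logName suffixes and protoPayload fields follow the documented AuditLog
LogEntry layout; the sample entries below are constructed.
"""
import json
from urllib.parse import unquote

# logName suffix -> audit log type (the four rows of the table above).
LOG_TYPES = {
    "cloudaudit.googleapis.com/activity": "Admin Activity",
    "cloudaudit.googleapis.com/data_access": "Data Access",
    "cloudaudit.googleapis.com/system_event": "System Event",
    "cloudaudit.googleapis.com/policy": "Policy Denied",
}

# Constructed newline-delimited export, one LogEntry per line.
SAMPLE_LINES = """
{"logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2024-05-01T10:15:00Z", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.delete", "resourceName": "projects/demo-project/zones/us-central1-a/instances/web-1", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.7"}}}
{"logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access", "timestamp": "2024-05-01T10:16:30Z", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/demo-reports/objects/q1.csv", "authenticationInfo": {"principalEmail": "reporting-sa@demo-project.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "198.51.100.2"}}}
{"logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fpolicy", "timestamp": "2024-05-01T10:17:45Z", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", "resourceName": "projects/demo-project/zones/us-central1-a/instances/web-2", "status": {"code": 7, "message": "PERMISSION_DENIED"}, "authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "203.0.113.9"}}}
""".strip().splitlines()


def classify(entry):
    """Map an entry to one of the four audit log types via its logName."""
    name = unquote(entry["logName"])  # '%2F' in exports decodes to '/'
    for suffix, kind in LOG_TYPES.items():
        if name.endswith(suffix):
            return kind
    return "Unknown"


def summarize(entry):
    """Extract who / what / when / where plus whether the call was denied."""
    p = entry["protoPayload"]
    return {
        "type": classify(entry),
        "who": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "what": f'{p.get("serviceName")} {p.get("methodName")}',
        "resource": p.get("resourceName"),
        "when": entry.get("timestamp"),
        "where": p.get("requestMetadata", {}).get("callerIp", "<unknown>"),
        # gRPC code 7 is PERMISSION_DENIED; a zero or absent code means success.
        "denied": p.get("status", {}).get("code", 0) == 7,
    }


def summarize_all(raw_lines):
    """Parse NDJSON lines and summarize each entry."""
    return [summarize(json.loads(line)) for line in raw_lines]


def count_by_type(raw_lines):
    """Volume per audit log type, useful when deciding which Data Access
    logs to enable selectively."""
    counts = {}
    for s in summarize_all(raw_lines):
        counts[s["type"]] = counts.get(s["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for s in summarize_all(SAMPLE_LINES):
        print(s)
    print(count_by_type(SAMPLE_LINES))
```

Note that the Data Access entry is only present because that log type was enabled for Cloud Storage; with the default settings the second line would never have been written, which is exactly the trade-off the bullet about selective enablement describes.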
Security Command Center (SCC)
Security Command Center is Google Cloud's centralized security management and risk platform. Two tiers:
- Standard: basic asset inventory and security health analytics
- Premium: threat detection, compliance reports, web security scanner, event threat detection
Key capabilities:
- Security Health Analytics: find misconfigurations (open firewall rules, publicly accessible Cloud Storage buckets)
- Threat Intelligence: detect crypto mining, data exfiltration, malware
- Compliance reports: CIS, NIST, PCI DSS, ISO 27001 mapped to findings
Assured Workloads
Assured Workloads creates a compliance boundary for regulated workloads, constraining how Google Cloud operates them so that they stay within specific compliance parameters (FedRAMP, HIPAA, CJIS, etc.).
Google Cloud Compliance Certifications
Google Cloud maintains certifications for major compliance frameworks including: ISO 27001, ISO 27017 (cloud security), ISO 27018 (cloud privacy), SOC 1/2/3, PCI DSS, FedRAMP, HIPAA.
Access compliance documentation via the Compliance Reports Manager.
Exam tip: Organization Policy = what CAN be done (resource-level constraints). IAM = who CAN do actions. SCC = centralized security posture and threat detection. Audit Logs = record of who did what.
- ✓ Organization Policy Service enforces what CAN be done at organization, folder, or project level regardless of IAM
- ✓ Admin Activity audit logs are always enabled and cannot be disabled; Data Access logs must be enabled
- ✓ IAM controls WHO can perform actions; Organization Policy controls WHAT actions are possible
- ✓ Security Command Center provides centralized security posture management, threat detection, and compliance reporting
- ✓ Assured Workloads creates compliance boundaries for regulated workloads (FedRAMP, HIPAA, CJIS)
1. A security team wants to prevent any Compute Engine VM in their organization from being assigned an external IP address, even if a project owner tries to do so. Which service should they use?
2. Which type of Google Cloud Audit Log is enabled by default and records API calls that modify configuration or resources (such as creating or deleting a VM)?