
L17. Compliance and Governance: Resource Manager Policies and Audit Logs


Google Cloud provides governance tools to enforce organizational standards and prove compliance. The Digital Leader exam tests Organization Policy Service, Audit Logs, Security Command Center, and compliance certifications.

Organization Policy Service

Organization Policy Service lets you set centralized, programmatic constraints on Google Cloud resources across your entire organization. Key concept: An Organization Policy is a constraint applied at the Organization, Folder, or Project level that restricts what actions can be performed, regardless of IAM permissions. Examples of built-in constraints:

  • compute.vmExternalIpAccess: restrict VMs from having external IP addresses
  • compute.requireShieldedVm: require all VMs to use Shielded VM security features
  • storage.uniformBucketLevelAccess: enforce uniform bucket-level access on all Cloud Storage buckets
  • iam.allowedPolicyMemberDomains: restrict which domains can be added to IAM policies
Inheritance: policies applied at a higher level cascade to all child resources. Difference from IAM: IAM controls WHO can do actions. Organization Policy controls WHAT can be done (the possible actions themselves).

Cloud Audit Logs

Cloud Audit Logs record who did what, when, and from where across Google Cloud services. Four types of audit logs:

Log Type        | What It Captures                                  | Enabled By Default
Admin Activity  | Admin API calls that modify resources             | Yes
Data Access     | API calls that read resource data                 | No (must enable)
System Event    | Automated changes by Google systems               | Yes
Policy Denied   | Requests denied by IAM or Organization Policy     | Yes
Key facts:
  • Admin Activity logs are always on and cannot be disabled
  • Data Access logs may generate high volume; enable selectively
  • Logs are stored in Cloud Logging with a default 400-day retention (customizable)
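To make the four log types concrete, here is an added Python example (not part of the lesson and not Google's code) that classifies exported Cloud Logging entries by the audit log ID at the end of logName and pulls out the "who did what, when, and from where" fields. The four log IDs are the real Cloud Audit Logs names; the sample entries, project name, principal and IP addresses are constructed.

```python
import json
from urllib.parse import unquote

# Audit log IDs as they appear at the end of logName (the "/" is URL-encoded as %2F in exports).
# These four IDs are the real Cloud Audit Logs names; everything in SAMPLE_JSONL below is constructed.
LOG_TYPES = {
    "cloudaudit.googleapis.com/activity": "Admin Activity",
    "cloudaudit.googleapis.com/data_access": "Data Access",
    "cloudaudit.googleapis.com/system_event": "System Event",
    "cloudaudit.googleapis.com/policy": "Policy Denied",
}

def audit_log_type(entry):
    """Classify one Cloud Logging entry by its logName; None if it is not an audit log."""
    log_id = unquote(entry.get("logName", "")).rsplit("/logs/", 1)[-1]
    return LOG_TYPES.get(log_id)

def who_what_when_where(entry):
    """Pull the 'who did what, when, and from where' fields out of the AuditLog payload."""
    p = entry.get("protoPayload", {})
    return {
        "type": audit_log_type(entry),
        "who": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "what": f"{p.get('methodName', '?')} on {p.get('resourceName', '?')}",
        "when": entry.get("timestamp"),
        "where": p.get("requestMetadata", {}).get("callerIp", "<unknown>"),
    }

def summarize(jsonl):
    """Parse newline-delimited JSON entries; return one summary per audit log entry, skipping the rest."""
    entries = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [who_what_when_where(e) for e in entries if audit_log_type(e)]

# Constructed sample export (not real log data): a VM creation (Admin Activity), a Cloud Storage
# object read (Data Access), a request blocked by the compute.vmExternalIpAccess constraint
# (Policy Denied), and one non-audit syslog line that the classifier should ignore.
SAMPLE_JSONL = """
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2024-01-01T10:00:00Z", "protoPayload": {"methodName": "v1.compute.instances.insert", "resourceName": "projects/example-proj/zones/us-central1-a/instances/vm-1", "authenticationInfo": {"principalEmail": "admin@example.com"}, "requestMetadata": {"callerIp": "203.0.113.5"}}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access", "timestamp": "2024-01-01T10:05:00Z", "protoPayload": {"methodName": "storage.objects.get", "resourceName": "projects/_/buckets/example-bucket/objects/report.csv", "authenticationInfo": {"principalEmail": "analyst@example.com"}, "requestMetadata": {"callerIp": "203.0.113.9"}}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fpolicy", "timestamp": "2024-01-01T10:07:00Z", "protoPayload": {"methodName": "v1.compute.instances.insert", "resourceName": "projects/example-proj/zones/us-central1-a/instances/vm-2", "status": {"code": 7, "message": "Constraint constraints/compute.vmExternalIpAccess violated"}, "authenticationInfo": {"principalEmail": "owner@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
{"logName": "projects/example-proj/logs/syslog", "timestamp": "2024-01-01T10:08:00Z", "textPayload": "kernel: boot complete"}
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_JSONL):
        print(row)
```

The third entry shows the exam point in practice: a project owner with full IAM rights still generates a Policy Denied log when an Organization Policy constraint blocks the action.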

Security Command Center (SCC)

Security Command Center is Google Cloud's centralized security management and risk platform. Two tiers:

  • Standard: basic asset inventory and security health analytics
  • Premium: threat detection, compliance reports, web security scanner, event threat detection
Key capabilities:
  • Security Health Analytics: find misconfigurations (open firewall rules, publicly accessible Cloud Storage buckets)
  • Threat Intelligence: detect crypto mining, data exfiltration, malware
  • Compliance reports: CIS, NIST, PCI DSS, ISO 27001 mapped to findings

Assured Workloads

Assured Workloads creates a compliance boundary for regulated workloads, enforcing that they run within specific compliance parameters (FedRAMP, HIPAA, CJIS, etc.).

Google Cloud Compliance Certifications

Google Cloud maintains certifications for major compliance frameworks including: ISO 27001, ISO 27017 (cloud security), ISO 27018 (cloud privacy), SOC 1/2/3, PCI DSS, FedRAMP, HIPAA.

Access compliance documentation via the Compliance Reports Manager. Exam tip: Organization Policy = what CAN be done (resource-level constraints). IAM = who CAN do actions. SCC = centralized security posture and threat detection. Audit Logs = record of who did what.

Exam Focus Points
  • Organization Policy Service enforces what CAN be done at organization, folder, or project level regardless of IAM
  • Admin Activity audit logs are always enabled and cannot be disabled; Data Access logs must be enabled
  • IAM controls WHO can perform actions; Organization Policy controls WHAT actions are possible
  • Security Command Center provides centralized security posture management, threat detection, and compliance reporting
  • Assured Workloads creates compliance boundaries for regulated workloads (FedRAMP, HIPAA, CJIS)

Knowledge Check

1. A security team wants to prevent any Compute Engine VM in their organization from being assigned an external IP address, even if a project owner tries to do so. Which service should they use?

2. Which type of Google Cloud Audit Log is enabled by default and records API calls that modify configuration or resources (such as creating or deleting a VM)?
