Google Cloud | Intermediate

GCP Organization Policy Service Guide

Implement security guardrails with GCP Organization Policies. Learn to configure constraints, inheritance, custom policies, and common security controls.

12 min read | Updated 2026-01-14

Organization Policies provide centralized, programmatic control over your GCP resource configurations. They act as guardrails that enforce security and compliance requirements across all projects and folders in your organization, regardless of individual IAM permissions.

This guide covers implementing common security constraints, understanding policy inheritance, creating custom policies, and monitoring compliance. For comprehensive cloud security practices, see our 30 Cloud Security Tips for 2026 guide.

Prerequisites

  • Organization Policy Administrator role (roles/orgpolicy.policyAdmin) granted at the organization level
  • An organization resource (policies and custom constraints are anchored to it, even when applied to a folder or project)
  • gcloud CLI installed and authenticated as that principal

Verify Organization Access

# List your organizations
gcloud organizations list

# Set your organization ID
export ORG_ID=123456789012

# Verify your roles
gcloud organizations get-iam-policy $ORG_ID \
    --flatten="bindings[].members" \
    --filter="bindings.members:$(gcloud config get-value account)" \
    --format="table(bindings.role)"

Step 1: Understand Policy Hierarchy and Inheritance

Organization Policies follow the resource hierarchy:

Organization (policies set here apply to everything below)
    └── Folders (inherit from the organization; may merge with or replace it)
        └── Projects (inherit from their folder or organization; may merge with or replace it)
            └── Resources (governed by the effective policy of their project)

Key inheritance concepts:

  • Inherit from parent: Child resources receive the parent's policy unless they set their own; a child that sets nothing is governed by the nearest ancestor that does
  • Merge: With spec.inheritFromParent: true (the default), a list constraint's allowed and denied values from the child are combined with those inherited from above
  • Replace: With spec.inheritFromParent: false the child's policy stands alone and the inherited values are discarded (subject to the caller holding the org-policy role at that level); boolean constraints never merge, the nearest level's enforce setting wins
  • Restore default: Deleting the policy at a level (gcloud org-policies delete) returns it to the constraint's Google default and to whatever the parent specifies
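The merge and replace rules above are easy to get wrong when a folder and a project both set a policy. The following Python model is an added example, not part of this guide or of any Google tooling, and it makes no API calls: it computes an effective policy from a chain of per-level policies the way the bullets describe. Assumptions of the model: value groups such as in:us-locations are treated as opaque strings rather than expanded, conditional rules are not modelled, and when a merge both allows and denies the same value the deny wins.

```python
# Added example (not from the original guide): an offline model of how Organization
# Policy inheritance combines the levels of the hierarchy. It does not call the GCP
# API. Simplifications (assumptions of this example): value groups such as
# in:us-locations are opaque strings, conditional rules are not modelled, and when a
# merge both allows and denies a value the deny wins.
from dataclasses import dataclass, field


@dataclass
class ListPolicy:
    """Policy at one level for a list constraint such as gcp.resourceLocations."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    allow_all: bool = False
    deny_all: bool = False
    inherit_from_parent: bool = True   # YAML: spec.inheritFromParent


@dataclass
class BoolPolicy:
    """Policy at one level for a boolean constraint such as compute.requireShieldedVm."""
    enforce: bool


def effective_list_policy(chain):
    """chain lists the policies from the organization down to the project;
    None means no policy is set at that level. Returns the effective policy."""
    eff = ListPolicy()
    for level in chain:
        if level is None:
            continue                      # nothing set here: inherit unchanged
        if not level.inherit_from_parent:
            eff = ListPolicy()            # replace: drop everything inherited so far
        # merge: allowed and denied values accumulate down the chain
        eff.allowed |= level.allowed
        eff.denied |= level.denied
        eff.allow_all = eff.allow_all or level.allow_all
        eff.deny_all = eff.deny_all or level.deny_all
    return eff


def is_permitted(eff, value):
    """Evaluate one value against an effective list policy."""
    if eff.deny_all or value in eff.denied:
        return False
    if eff.allow_all or value in eff.allowed:
        return True
    # No rule names the value: an allow-list is closed, a pure deny-list is open.
    return not eff.allowed


def effective_bool_policy(chain):
    """Boolean constraints do not merge: the nearest level that sets one wins."""
    eff = None
    for level in chain:
        if level is not None:
            eff = level
    return eff.enforce if eff is not None else None


def main():
    # Scenario from Step 2: the organization denies external IPs and one project
    # replaces that rule to allow a single bastion host.
    bastion = "projects/PROJECT_ID/zones/us-central1-a/instances/bastion"
    web = "projects/PROJECT_ID/zones/us-central1-a/instances/web-1"
    org = ListPolicy(deny_all=True)
    bastion_project = ListPolicy(allowed={bastion}, inherit_from_parent=False)
    eff = effective_list_policy([org, None, bastion_project])
    print("bastion may have an external IP:", is_permitted(eff, bastion))   # True
    print("web-1 may have an external IP:", is_permitted(eff, web))         # False

    # Resource locations: the organization allows three regions; a folder inherits
    # (merges) and additionally denies europe-west1 for its projects.
    org_loc = ListPolicy(allowed={"us-central1", "us-east1", "europe-west1"})
    folder_loc = ListPolicy(denied={"europe-west1"})   # inheritFromParent: true
    eff = effective_list_policy([org_loc, folder_loc, None])
    print("us-central1 allowed in folder:", is_permitted(eff, "us-central1"))    # True
    print("europe-west1 allowed in folder:", is_permitted(eff, "europe-west1"))  # False

    # Boolean constraint: key creation disabled org-wide, re-enabled for one project.
    print("legacy project keys disabled:",
          effective_bool_policy([BoolPolicy(True), None, BoolPolicy(False)]))  # False
    print("other project keys disabled:",
          effective_bool_policy([BoolPolicy(True), None, None]))              # True


if __name__ == "__main__":
    main()
```

Run it as a script to see the three scenarios; the useful check is the first one, which shows that a project policy that keeps inheritFromParent: true never opens anything the organization's denyAll closed, so an exception for a bastion host has to replace, not merge.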

Step 2: Implement Essential Security Policies

Restrict Resource Locations

Limit where resources can be created for data residency compliance:

# Allow only US and EU regions (value groups). set-policy takes the policy file
# only; the target organization comes from the name field inside it
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:us-locations
      - in:eu-locations
EOF

# More restrictive - specific regions only
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - us-central1
      - us-east1
      - europe-west1
EOF

Disable Public IP Addresses on VMs

# Prevent VMs from having external IPs (list constraint: use denyAll, not allowAll: false)
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
  - denyAll: true
EOF

# Allow specific instances in one project to have external IPs.
# inheritFromParent: false replaces the organization's deny for this project,
# so list every instance that is meant to keep an external IP
gcloud org-policies set-policy /dev/stdin << EOF
name: projects/PROJECT_ID/policies/compute.vmExternalIpAccess
spec:
  inheritFromParent: false
  rules:
  - values:
      allowedValues:
      - projects/PROJECT_ID/zones/us-central1-a/instances/bastion
EOF

Enforce Uniform Bucket-Level Access

# Require IAM-only access for Cloud Storage (disables legacy bucket/object ACLs)
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/storage.uniformBucketLevelAccess
spec:
  rules:
  - enforce: true
EOF

Restrict Service Account Key Creation

# Disable user-managed service account key creation
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true
EOF

# Allow key creation for one specific project (the exception replaces the
# inherited boolean policy, so document it and review it regularly)
gcloud org-policies set-policy /dev/stdin << EOF
name: projects/legacy-app-project/policies/iam.disableServiceAccountKeyCreation
spec:
  inheritFromParent: false
  rules:
  - enforce: false
EOF

Require Shielded VMs

# Require Shielded VMs for all new instances
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/compute.requireShieldedVm
spec:
  rules:
  - enforce: true
EOF

Step 3: Configure Network Security Policies

Restrict VPC Peering

# Limit peering to networks inside this organization
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/compute.restrictVpcPeering
spec:
  rules:
  - values:
      allowedValues:
      - under:organizations/$ORG_ID
EOF

Disable Default Network Creation

# Skip creating the default VPC (and its permissive firewall rules) in new projects
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/compute.skipDefaultNetworkCreation
spec:
  rules:
  - enforce: true
EOF

Restrict Shared VPC Host Projects

# Limit which projects can be Shared VPC hosts
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/compute.restrictSharedVpcHostProjects
spec:
  rules:
  - values:
      allowedValues:
      - projects/shared-vpc-host-prod
      - projects/shared-vpc-host-nonprod
EOF

Step 4: Implement Data Protection Policies

Require CMEK for Cloud SQL and BigQuery

# Require customer-managed encryption keys: gcp.restrictNonCmekServices is a
# list constraint whose denied values are the services that may no longer
# create resources protected by Google-managed keys
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/gcp.restrictNonCmekServices
spec:
  rules:
  - values:
      deniedValues:
      - sqladmin.googleapis.com
      - bigquery.googleapis.com
EOF

# Additionally block authorized-network allowlists on Cloud SQL instances
# (boolean constraint, so enforce: true rather than allowAll: false)
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/sql.restrictAuthorizedNetworks
spec:
  rules:
  - enforce: true
EOF

# Keep BigQuery data on Google Cloud by disabling BigQuery Omni for Azure
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/bigquery.disableBQOmniAzure
spec:
  rules:
  - enforce: true
EOF

Disable Public Bucket Access

# Prevent public Cloud Storage buckets (allUsers / allAuthenticatedUsers grants)
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/storage.publicAccessPrevention
spec:
  rules:
  - enforce: true
EOF

Step 5: Create Custom Organization Policies

Custom policies allow you to enforce specific resource configurations:

Create Custom Constraint

# Create a custom constraint for VM machine types
gcloud org-policies set-custom-constraint /dev/stdin << EOF
name: organizations/$ORG_ID/customConstraints/custom.restrictMachineTypes
resourceTypes:
- compute.googleapis.com/Instance
methodTypes:
- CREATE
- UPDATE
condition: "resource.machineType.matches('.*/(e2|n2|n2d|c2)-.*')"
actionType: ALLOW
displayName: Restrict to cost-efficient machine types
description: Only allow E2, N2, N2D, and C2 machine type families
EOF

# Apply the custom constraint: defining it does nothing until a policy
# enforces it at the organization, folder or project level
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/custom.restrictMachineTypes
spec:
  rules:
  - enforce: true
EOF

Custom Constraint for Disk Encryption

# Require a CMEK on persistent disks. The has() guard keeps the condition from
# erroring on disks that carry no diskEncryptionKey block at all
gcloud org-policies set-custom-constraint /dev/stdin << EOF
name: organizations/$ORG_ID/customConstraints/custom.requireDiskEncryption
resourceTypes:
- compute.googleapis.com/Disk
methodTypes:
- CREATE
condition: "has(resource.diskEncryptionKey) && resource.diskEncryptionKey.kmsKeyName != ''"
actionType: ALLOW
displayName: Require CMEK for persistent disks
description: All persistent disks must use customer-managed encryption keys
EOF

Custom Constraint for Labels

# Require specific labels on resources
gcloud org-policies set-custom-constraint /dev/stdin << EOF
name: organizations/$ORG_ID/customConstraints/custom.requireCostCenterLabel
resourceTypes:
- compute.googleapis.com/Instance
- storage.googleapis.com/Bucket
methodTypes:
- CREATE
condition: "'cost-center' in resource.labels"
actionType: ALLOW
displayName: Require cost-center label
description: All resources must have a cost-center label for billing allocation
EOF

Step 6: Monitor and Audit Policy Compliance

View Policy Violations in Audit Logs

# View policy violations. Status code 7 (PERMISSION_DENIED) also covers ordinary
# IAM denials, so narrow on the message text that org-policy denials carry
gcloud logging read 'protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.status.code=7 AND protoPayload.status.message:"constraint"' \
    --organization=$ORG_ID \
    --limit=50 \
    --format="table(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.methodName,protoPayload.status.message)"
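Reading fifty raw denials is not the same as knowing which constraint blocks whom most often. The script below is an added example, not part of this guide, and it calls no gcloud command: it works on a constructed sample of four audit-log entries embedded in the file, shaped like the JSON that the query above would return with --format=json. The message wording is an assumption modelled on typical Organization Policy denials, so adjust the regular expression to the text your own logs contain.

```python
# Added example (not from the original guide): triage of audit-log denials.
# Works on a constructed sample instead of calling gcloud; the message wording
# is an assumption, so adapt CONSTRAINT_RE to the text in your own logs.
import json
import re
from collections import Counter

# Constructed sample: four entries as `gcloud logging read ... --format=json`
# might return them. Three are org-policy denials, one is a plain IAM denial.
SAMPLE_ENTRIES_JSON = """[
  {"timestamp": "2026-01-14T10:01:02Z",
   "protoPayload": {"authenticationInfo": {"principalEmail": "dev@example.com"},
     "methodName": "v1.compute.instances.insert",
     "status": {"code": 7,
       "message": "Constraint constraints/compute.vmExternalIpAccess violated for projects/dev-sandbox"}}},
  {"timestamp": "2026-01-14T10:05:40Z",
   "protoPayload": {"authenticationInfo": {"principalEmail": "ci@example.com"},
     "methodName": "v1.compute.instances.insert",
     "status": {"code": 7,
       "message": "Operation denied by custom org policy: [customConstraints/custom.restrictMachineTypes]"}}},
  {"timestamp": "2026-01-14T10:07:13Z",
   "protoPayload": {"authenticationInfo": {"principalEmail": "intern@example.com"},
     "methodName": "v1.compute.instances.insert",
     "status": {"code": 7,
       "message": "Required 'compute.instances.create' permission for 'projects/dev-sandbox'"}}},
  {"timestamp": "2026-01-14T10:09:00Z",
   "protoPayload": {"authenticationInfo": {"principalEmail": "dev@example.com"},
     "methodName": "v1.compute.instances.insert",
     "status": {"code": 7,
       "message": "Constraint constraints/compute.vmExternalIpAccess violated for projects/dev-sandbox"}}}
]"""

# Matches both built-in (constraints/...) and custom (customConstraints/...) names.
CONSTRAINT_RE = re.compile(r"\b(custom)?[cC]onstraints/[\w.]+")

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED


def load_sample():
    """Parse the embedded sample into the list-of-dicts shape gcloud emits."""
    return json.loads(SAMPLE_ENTRIES_JSON)


def constraint_in(entry):
    """Return the constraint named in a denial, or None if the entry is not an
    Organization Policy denial (for example an ordinary IAM permission error)."""
    status = entry.get("protoPayload", {}).get("status", {})
    if status.get("code") != PERMISSION_DENIED:
        return None
    match = CONSTRAINT_RE.search(status.get("message", ""))
    return match.group(0) if match else None


def summarize_denials(entries):
    """Count org-policy denials per (constraint, principal) so a principal that is
    repeatedly blocked stands out from one-off mistakes."""
    counts = Counter()
    for entry in entries:
        constraint = constraint_in(entry)
        if constraint is None:
            continue
        principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        counts[(constraint, principal)] += 1
    return counts


def main():
    for (constraint, principal), n in summarize_denials(load_sample()).most_common():
        print(f"{n:3d}  {constraint:55s} {principal}")


if __name__ == "__main__":
    main()
```

Pipe real output into it by replacing load_sample() with json.load(sys.stdin) and running the gcloud query with --format=json; a (constraint, principal) pair with a high count is either a workload that needs a documented exception or a misconfigured automation worth an alert.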

List All Organization Policies

# List policies at organization level
gcloud org-policies list --organization=$ORG_ID

# Get specific policy details
gcloud org-policies describe compute.vmExternalIpAccess --organization=$ORG_ID

# List effective policy at project level (shows inheritance)
gcloud org-policies describe compute.vmExternalIpAccess \
    --project=PROJECT_ID \
    --effective

Use Policy Troubleshooter

  • Go to IAM & Admin > Policy Troubleshooter (https://console.cloud.google.com/iam-admin/troubleshooter)
  • Select Organization Policy
  • Enter the resource and action to test
  • Review which policies would allow or deny the operation

Step 7: Configure Policy Exceptions

Create Conditional Policies

# Allow external IPs only for instances carrying the tag external-ip=allowed;
# everything else falls through to the unconditional deny rule. Conditions use
# resource tags (not labels), and the tag key and value must already exist
# (gcloud resource-manager tags keys create / tags values create)
gcloud org-policies set-policy /dev/stdin << EOF
name: organizations/$ORG_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
  - condition:
      expression: "resource.matchTag('$ORG_ID/external-ip', 'allowed')"
    allowAll: true
  - denyAll: true
EOF

Override at Folder Level

# Get folder ID
gcloud resource-manager folders list --organization=$ORG_ID

# Set a more permissive policy for the development folder; the folder ID is
# read from the name field, and inheritFromParent: false discards the
# organization's deny for everything under this folder
gcloud org-policies set-policy /dev/stdin << EOF
name: folders/FOLDER_ID/policies/compute.vmExternalIpAccess
spec:
  inheritFromParent: false
  rules:
  - allowAll: true
EOF

Common Security Policies Reference

Policy constraint                       Purpose                  Recommended setting
compute.vmExternalIpAccess              Control public IPs       Deny all, allow specific instances
storage.uniformBucketLevelAccess        Enforce IAM-only access  enforce: true
iam.disableServiceAccountKeyCreation    Prevent key leaks        enforce: true
compute.requireShieldedVm               Secure boot              enforce: true
compute.skipDefaultNetworkCreation      Controlled networking    enforce: true
storage.publicAccessPrevention          Prevent data exposure    enforce: true
gcp.resourceLocations                   Data residency           Allow specific regions
iam.allowedPolicyMemberDomains          Limit external sharing   Allow org domain only

Best Practices

  • Start with audit mode - Use dry-run to understand impact before enforcing
  • Apply at organization level - Ensure consistent security across all projects
  • Document exceptions - Track and review any policy overrides regularly
  • Use folders for inheritance - Group projects with similar requirements
  • Monitor violations - Set up alerts for policy denial events
  • Review policies quarterly - Update as security requirements evolve
  • Test before production - Validate policies in non-production first
  • Combine with IAM - Use policies and IAM together for defense in depth


Frequently Asked Questions

What is the difference between IAM and Organization Policies?

IAM controls who can perform actions (authentication and authorization at the principal level). Organization Policies control what actions can be performed regardless of who has permission (resource configuration constraints). For example, IAM grants a user permission to create VMs, while Organization Policy can restrict which machine types or regions are allowed. They work together - IAM checks permissions first, then Organization Policy validates the configuration.
