The following guidelines for the minimum viable security platform align with the data protection pillar.
Basic level guidelines
Implement the following data protection guidelines first.
Use uniform bucket-level access
The storage.uniformBucketLevelAccess boolean constraint requires buckets to use uniform bucket-level access. With uniform bucket-level access, you use only bucket-level Identity and Access Management (IAM) permissions to grant access to your Cloud Storage resources.
Using two different and conflicting systems to manage permissions on storage buckets is complex and a common cause of accidental data leaks. This setting turns off the legacy system (access control lists, or ACLs) and makes the modern, centralized system (IAM) the single source of truth for all permissions.
Related NIST-800-53 controls:
- AC-3
- AC-17
- AC-20
Related CRI profile controls:
- PR.AC-3.1
- PR.AC-3.2
- PR.AC-4.1
- PR.AC-4.2
- PR.AC-4.3
- PR.AC-6.1
- PR.PT-3.1
- PR.PT-4.1
Compliance Manager control:
Restrict Cloud SQL public IP addresses
Prevent Cloud SQL from having a public IP address and being directly exposed to the internet by setting the constraints/sql.restrictPublicIp organization policy constraint. Typically, databases aren't directly exposed to the internet.
Blocking public IP addresses keeps your databases private and accessible only from trusted, internal applications.
Related NIST-800-53 controls:
- SC-7
Related CRI profile controls:
- PR.AC-3.1
Compliance Manager control:
Intermediate level guidelines
After you implement the basic guidelines, implement the following data protection guidelines.
Block public access to Cloud Storage buckets
The storage.publicAccessPrevention boolean constraint prevents storage buckets from being accessed from public sources without authentication. It disables and blocks access control lists (ACLs) and Identity and Access Management (IAM) permissions that grant access to allUsers and allAuthenticatedUsers. This constraint acts as an organization-wide safety net that actively blocks any setting that would make a bucket publicly accessible.
Related NIST-800-53 controls:
- AC-3
- AC-17
- AC-20
Related CRI profile controls:
- PR.AC-3.1
- PR.AC-3.2
- PR.AC-4.1
- PR.AC-4.2
- PR.AC-4.3
- PR.AC-6.1
- PR.PT-3.1
- PR.PT-4.1
Compliance Manager control:
Review BigQuery dataset access
Ensure that BigQuery doesn't have datasets that are open to public access unless the datasets are intended to be public. Datasets in BigQuery often contain sensitive data.
Reviewing dataset access helps you ensure that you don't unintentionally expose data to the internet.
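The following added example (not part of the original guidance or of Google Cloud's own tooling) shows one way to run this review over exported dataset metadata, separating datasets that are intended to be public from unexpected ones. It assumes the access-list fields of the BigQuery dataset resource (role, specialGroup, iamMember); the sample datasets, project ID, and allowlist are constructed.

```python
import json

# Principals that open a dataset to anyone (allUsers) or to any signed-in
# Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: dataset resources reduced to the fields the review needs.
SAMPLE = json.loads("""[
 {"datasetReference": {"projectId": "example-proj", "datasetId": "billing"},
  "access": [{"role": "OWNER", "specialGroup": "projectOwners"},
             {"role": "READER", "groupByEmail": "analysts@example.com"}]},
 {"datasetReference": {"projectId": "example-proj", "datasetId": "customer_events"},
  "access": [{"role": "OWNER", "userByEmail": "dba@example.com"},
             {"role": "READER", "specialGroup": "allAuthenticatedUsers"}]},
 {"datasetReference": {"projectId": "example-proj", "datasetId": "open_data"},
  "access": [{"role": "READER", "iamMember": "allUsers"}]}
]""")
# Hypothetical allowlist of datasets that are meant to be public.
INTENDED_PUBLIC = {"example-proj:open_data"}

def public_grants(dataset):
    """Return the (role, principal) pairs in the access list that are public."""
    grants = []
    for entry in dataset.get("access", []):
        # A public principal can appear under either key; userByEmail,
        # groupByEmail, domain and the project* special groups are not public.
        for key in ("specialGroup", "iamMember"):
            if entry.get(key) in PUBLIC_PRINCIPALS:
                grants.append((entry.get("role", "<no role>"), entry[key]))
    return grants

def review(datasets, intended_public=frozenset()):
    """Split publicly accessible datasets into unexpected and intended."""
    report = {"unexpected": {}, "intended": {}}
    for ds in datasets:
        ref = ds["datasetReference"]
        name = f'{ref["projectId"]}:{ref["datasetId"]}'
        grants = public_grants(ds)
        if grants:
            kind = "intended" if name in intended_public else "unexpected"
            report[kind][name] = grants
    return report

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE, INTENDED_PUBLIC), indent=2))
```

Datasets reported under "unexpected" need their public grants removed or a documented decision to add them to the allowlist.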
Related NIST-800-53 controls:
- AC-3
Related CRI profile controls:
- PR.AC-3.1
Compliance Manager control:
Advanced level guidelines
After you implement the intermediate guidelines, implement the following data protection guidelines.
Create a managed encryption strategy
Create an encryption management strategy using Cloud Key Management Service (Cloud KMS) with Autokey, Cloud External Key Manager (Cloud EKM), or both. This strategy lets your organization use and manage its own encryption keys to meet your specific requirements. Using your own encryption keys provides granular, auditable control over data access, including the ability to immediately block access to data by disabling the key.
Related NIST-800-53 controls:
- SC-12
Related CRI profile controls:
- PR.DS-1.1

