This page describes the set of controls that are applied on Sovereign Controls by T-Systems folders in Sovereign Controls by Partners. It provides detailed information about supported Google Cloud products and their API endpoints, as well as any applicable restrictions or limitations on those products.
See the T-Systems site Sovereign Controls by T-Systems for more information about this offering.
Supported products and API endpoints
Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table.
If a product is not listed, that product is unsupported and has not met the control requirements for Sovereign Controls by T-Systems. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model . Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.
| Supported product | Global API endpoints | Restrictions or limitations |
|---|---|---|
| accesscontextmanager.googleapis.com |
None | |
| accessapproval.googleapis.com |
None | |
| artifactregistry.googleapis.com |
None | |
| bigquery.googleapis.com bigqueryconnection.googleapis.com bigquerydatapolicy.googleapis.com bigquerydatatransfer.googleapis.com bigqueryreservation.googleapis.com bigquerystorage.googleapis.com |
Affected features | |
| bigtable.googleapis.com bigtableadmin.googleapis.com |
Affected features | |
| privateca.googleapis.com |
None | |
| composer.googleapis.com |
None | |
| compute.googleapis.com |
Affected features and organization policy constraints | |
| gkeconnect.googleapis.com connectgateway.googleapis.com |
None | |
| dlp.googleapis.com |
None | |
| dataflow.googleapis.com datapipelines.googleapis.com |
None | |
| dataplex.googleapis.com datalineage.googleapis.com |
Affected features | |
| dataproc-control.googleapis.com dataproc.googleapis.com |
Affected features | |
| dns.googleapis.com |
None | |
| file.googleapis.com |
None | |
| anthosidentityservice.googleapis.com |
None | |
| gkehub.googleapis.com |
None | |
| compute.googleapis.com |
Affected features | |
| iam.googleapis.com |
None | |
| iap.googleapis.com |
None | |
| cloudkms.googleapis.com |
Organization policy constraints | |
| cloudkms.googleapis.com |
None | |
| cloudkms.googleapis.com |
None | |
| container.googleapis.com containersecurity.googleapis.com |
Affected features and organization policy constraints | |
| compute.googleapis.com |
Affected features | |
| logging.googleapis.com |
Affected features | |
| monitoring.googleapis.com |
Affected features | |
| redis.googleapis.com |
None | |
| networkconnectivity.googleapis.com |
None | |
| networkconnectivity.googleapis.com |
None | |
| networkconnectivity.googleapis.com |
None | |
| mesh.googleapis.com meshconfig.googleapis.com trafficdirector.googleapis.com networkservices.google.com |
None | |
| networkconnectivity.googleapis.com |
Affected features | |
| orgpolicy.googleapis.com |
None | |
| compute.googleapis.com |
None | |
| pubsub.googleapis.com |
None | |
| cloudresourcemanager.googleapis.com |
None | |
| resourcesettings.googleapis.com |
None | |
| run.googleapis.com |
Affected features | |
| secretmanager.googleapis.com |
None | |
| servicedirectory.googleapis.com |
None | |
| spanner.googleapis.com |
Affected features and organization policy constraints | |
| speech.googleapis.com |
None | |
| sqladmin.googleapis.com |
Affected features and organization policy constraints | |
| storage.googleapis.com |
Organization policy constraints | |
| compute.googleapis.com |
None | |
| accesscontextmanager.googleapis.com |
None | |
| compute.googleapis.com |
None |
Restrictions and limitations
The following sections describe cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Sovereign Controls by T-Systems folders.
Google Cloud-wide
Google Cloud-wide organization policy constraints
The following organization policy constraints apply across any applicable Google Cloud service.
Organization policy constraint
Description
Set to the following locations in the
Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
allowedValues
list: - europe-west3
Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
Set to a list of all in-scope API service names
, including:
Each listed service requires Customer-managed encryption keys (CMEK) . CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms.
Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
- compute.googleapis.com
- container.googleapis.com
- pubsub.googleapis.com
- storage.googleapis.com
- sqladmin.googleapis.com
- logging.googleapis.com
- bigquery.googleapis.com
- artifactregistry.googleapis.com
- bigtable.googleapis.com
- composer.googleapis.com
- dataflow.googleapis.com
- dataproc.googleapis.com
- spanner.googleapis.com
- secretmanager.googleapis.com
- run.googleapis.com
- notebooks.googleapis.com
- integrations.googleapis.com
- documentai.googleapis.com
- cloudfunctions.googleapis.com
- aiplatform.googleapis.com
- workstations.googleapis.com
Each listed service requires Customer-managed encryption keys (CMEK) . CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms.
Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
Set to deny the following TLS versions:
- TLS_1_0
- TLS_1_1
gcp.restrictCmekCryptoKeyProjects
Set to
Limits the scope of approved folders or projects that can provide Cloud KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data.
under:organizations/your-organization-name
, which is your
Sovereign Controls by Partners organization. You can further restrict this value by
specifying a project or folder.Limits the scope of approved folders or projects that can provide Cloud KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data.
Set to allow all supported products and API endpoints
.
Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage .
Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage .
Google Cloud Armor
Affected Google Cloud Armor features
| Feature | Description |
|---|---|
| Globally scoped security policies | This feature is disabled by the compute.disableGlobalCloudArmorPolicy
organization policy constraint. |
BigQuery
Affected BigQuery features
Feature
Description
Enabling BigQuery on a new folder
BigQuery is supported, but it isn't automatically enabled when you create a new
Assured Workloads folder due to an internal configuration process. This process normally
finishes in ten minutes, but can take much longer in some circumstances. To check whether the
process is finished and to enable BigQuery, complete following steps:
- In the Google Cloud console, go to the Assured Workloads page.
- Select your new Assured Workloads folder from the list.
- On the Folder Details page in the Allowed services section, click Review Available Updates .
- In the Allowed services
pane, review the services to be added to the Resource Usage Restriction
organization policy for the folder. If BigQuery services are listed, click Allow Services
to add them.
If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care .
After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
Gemini in BigQuery is not supported by Assured Workloads.
Unsupported features
The following BigQuery features are not supported and should not be used in the
BigQuery CLI. It is your responsibility not to use them in BigQuery for
Sovereign Controls by Partners.
- Interaction with remote data sources
- Externally-trained BQML models are not supported. Internally-trained BQML models are supported.
- Scheduled and federated queries
- Dynamic data masking
- GDrive export
- Remote functions
- Saved queries
- Workflow scheduling
- For BigQuery Studio, notebooks are unsupported.
- Gemini in BigQuery is not supported.
Unsupported integrations
The following BigQuery integrations are not supported. It is your responsibility
not to use them with BigQuery for Sovereign Controls by Partners.
- The
CreateTag,SearchCatalog,Bulk tagging, andBusiness GlossaryAPI methods of the Data Catalog API can process and store technical data in a way that is not supported. It is your responsibility not to use those methods for Sovereign Controls by Partners.
Supported BigQuery APIs
The following BigQuery APIs are supported:
Regions
BigQuery is supported for all BigQuery EU regions except the EU
multi-region. Compliance cannot be guaranteed if a dataset is created in an EU multi-region,
non-EU region, or non-EU multi-region. It is your responsibility to specify a compliant
region when creating BigQuery datasets.
If a table data list request is sent using one EU region but the dataset was created in another EU region, BigQuery cannot infer which region you intended and the operation will fail with a "dataset not found" error message.
If a table data list request is sent using one EU region but the dataset was created in another EU region, BigQuery cannot infer which region you intended and the operation will fail with a "dataset not found" error message.
The BigQuery CLI is supported.
Google Cloud SDK
You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization
guarantees for technical data. To verify your current Google Cloud SDK version, run
gcloud --version
and then gcloud components update
to update to
the newest version.Administrator controls
BigQuery will disable unsupported APIs but administrators with sufficient
permissions to create an Assured Workloads folder can enable an unsupported API. If
this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard
.
Loading data
BigQuery Data Transfer Service connectors
for Google Software as a Service (SaaS) apps, external cloud storage providers, and data
warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service
connectors for Sovereign Controls by Partners workloads.
BigQuery does not verify support for third-party transfers for the
BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party
transfer for the BigQuery Data Transfer Service.
Non-compliant BQML models
Externally-trained BQML models
are not supported.
Query jobs
Query jobs should only be created within Sovereign Controls by Partners folders.
Queries on datasets in other projects
BigQuery does not prevent Sovereign Controls by Partners datasets from
being queried from non-Sovereign Controls by Partners projects. You should ensure that
any query that has a read or a join on Sovereign Controls by Partners data be placed
in a Sovereign Controls by Partners folder. You can specify a fully-qualified table name
for their query result using
projectname.dataset.table
in the BigQuery
CLI.Cloud Logging
BigQuery utilizes Cloud Logging for some of your log data. You should disable
your
See Regionalize your logs for more information.
_default
logging buckets or restrict _default
buckets to
in-scope regions to maintain compliance using the following command:gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink
See Regionalize your logs for more information.
Bigtable
Affected Bigtable features
| Feature | Description |
|---|---|
| Split boundaries | Bigtable uses a small subset of row keys to define split boundaries, which may
include customer data and metadata. A split boundary in Bigtable denotes the
location where contiguous ranges of rows in a table are split into tablets. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners. |
Cloud KMS
Cloud KMS organization policy constraints
Organization policy constraint
Description
cloudkms.allowedProtectionLevels
Set to allow creating only Cloud KMS keys with one of the following
ProtectionLevel
types: - EXTERNAL
- EXTERNAL_VPC
Cloud Logging
Affected Cloud Logging features
| Feature | Description |
|---|---|
| Log sinks | Filters shouldn't contain Customer Data. Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data. |
| Live tailing log entries | Filters shouldn't contain Customer Data. A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data. |
| Log-based alerts | This feature is disabled. You cannot create log-based alerts in the Google Cloud console. |
| Shortened URLs for Logs Explorer queries | This feature is disabled. You cannot create shortened URLs of queries in the Google Cloud console. |
| Saving queries in Logs Explorer | This feature is disabled. You cannot save any queries in the Google Cloud console. |
| Log Analytics using BigQuery | This feature is disabled. You cannot use the Log Analytics feature. |
| SQL-based alerting policies | This feature is disabled. You cannot use the SQL-based alerting policies feature. |
Cloud Monitoring
Affected Cloud Monitoring features
| Feature | Description |
|---|---|
| Synthetic Monitor | This feature is disabled. |
| Uptime check | This feature is disabled. |
| Log panel widgets in Dashboards | This feature is disabled. You cannot add a log panel to a dashboard. |
| Error reporting panel widgets in Dashboards | This feature is disabled. You cannot add an error reporting panel to a dashboard. |
Filter in EventAnnotation
for Dashboards
|
This feature is disabled. Filter of EventAnnotation
cannot be set in a dashboard. |
SqlCondition
in alertPolicies
|
This feature is disabled. You cannot add a SqlCondition
to an alertPolicy
. |
Cloud Load Balancing
Affected Cloud Load Balancing features
Organization policy constraint
Description
Regional load balancers
You must use only regional load balancers with Sovereign Controls by T-Systems. See the following
pages for more information about configuring regional load balancers:
Cloud Storage
Cloud Storage organization policy constraints
Organization policy constraint
Description
storage.uniformBucketLevelAccess
Set to True
.
Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs) . This constraint provides fine-grained permissions for buckets and their contents.
If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.
Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs) . This constraint provides fine-grained permissions for buckets and their contents.
If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.
storage.restrictAuthTypes
Set to prevent authentication using hash-based message authentication code (HMAC). The
following two HMAC types are specified in this constraint value:
Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.
-
USER_ACCOUNT_HMAC_SIGNED_REQUESTS -
SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS
Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.
Cloud Interconnect
Affected Cloud Interconnect features
| Feature | Description |
|---|---|
| High-availability (HA) VPN | You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Cloud VPN section . |
Compute Engine
Affected Compute Engine features
| Feature | Description |
|---|---|
| Suspending and resuming a VM instance | This feature is disabled. Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices
organization policy
constraint in the section above to understand the data sovereignty and data residency
implications of enabling this feature. |
| Local SSDs | This feature is disabled. You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices
organization policy
constraint in the section above to understand the data sovereignty and data residency
implications of enabling this feature. |
| Viewing serial port output | This feature is disabled; you will be unable to view the output either programmatically or
via Cloud Logging. Change the compute.disableSerialPortLogging
organization policy constraint
value to False
to enable serial port output. |
| Guest environment | It is possible for scripts, daemons, and binaries that are included with the guest
environment to access unencrypted at-rest and in-use data. Depending on your VM
configuration, updates to this software may be installed by default. See Guest environment
for specific
information about each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, for customers who want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects
organization policy constraint.See the Building a custom image page for more information. |
instances.getSerialPortOutput()
|
This API is disabled; you will be unable to get serial port output from the specified
instance using this API. Change the compute.disableInstanceDataAccessApis
organization policy constraint
value to False
to enable this API. You can also enable and use the interactive serial
port by following the instructions in Enabling access for a project
.If you need to manage a username and password on a Windows VM, follow the steps in the compute.disableInstanceDataAccessApis
description. |
instances.getScreenshot()
|
This API is disabled; you will be unable to get a screenshot from the specified instance
using this API. Change the compute.disableInstanceDataAccessApis
organization policy constraint
value to False
to enable this API. You can also enable and use the interactive serial
port by following the instructions in Enabling access for a project
.If you need to manage a username and password on a Windows VM, follow the steps in the compute.disableInstanceDataAccessApis
description. |
Compute Engine organization policy constraints
Organization policy constraint
Description
compute.enableComplianceMemoryProtection
Set to True
.
Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.
Changing this value may affect your data residency or data sovereignty.
Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.
Changing this value may affect your data residency or data sovereignty.
Set to True
.
Globally disables the
Enabling this constraint prevents you from generating credentials on Windows Server VMs .
If you need to manage a username and password on a Windows VM, do the following:
Globally disables the
instances.getSerialPortOutput()
and instances.getScreenshot()
APIs.Enabling this constraint prevents you from generating credentials on Windows Server VMs .
If you need to manage a username and password on a Windows VM, do the following:
- Enable SSH for Windows VMs .
- Run the following command to change the VM's password:
gcloud compute ssh VM_NAME --command "net user USERNAME PASSWORD "
- VM_NAME : The name of the VM you're setting the password for.
- USERNAME : The username of the user who you're setting the password for.
- PASSWORD : The new password.
compute.disableGlobalCloudArmorPolicy
Set to True
.
Disables the creation of new global Google Cloud Armor security policies , and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.
Disables the creation of new global Google Cloud Armor security policies , and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.
compute.disableSshInBrowser
Set to True
.
Disables the SSH-in-browser tool in the Google Cloud console for VMs that use OS Login and App Engine flexible environment environment VMs.
Changing this value may affect your data residency or data sovereignty.
Disables the SSH-in-browser tool in the Google Cloud console for VMs that use OS Login and App Engine flexible environment environment VMs.
Changing this value may affect your data residency or data sovereignty.
compute.restrictNonConfidentialComputing
(Optional) Value is not set. Set this value to provide additional defense-in-depth. See
the Confidential VM documentation
for more information.
compute.trustedImageProjects
(Optional) Value is not set. Set this value to provide additional defense-in-depth.
Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.
Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.
Dataplex Universal Catalog
Affected Dataplex Universal Catalog features
| Feature | Description |
|---|---|
| Aspects and glossaries metadata | Aspects and glossaries and are not supported. You can't search for or manage aspects and glossaries, nor can you import custom metadata. |
| Attribute Store | This feature is deprecated and disabled. |
| Data Catalog | This feature is deprecated and disabled. You cannot search through nor manage your metadata in Data Catalog. |
| Data quality and data profile scanning | Export of data quality scan results is not supported. |
| Discovery | This feature is disabled. You cannot run the Discovery scans to extract metadata from your data. |
| Lakes and zones | This feature is disabled. You cannot manage lakes, zones, and tasks. |
Dataproc
Affected Dataproc features
| Feature | Description |
|---|---|
| Google Cloud console | Dataproc does not currently support the Jurisdictional Google Cloud console . To enforce data residency, ensure that you use either the Google Cloud CLI or the API when using Dataproc. |
Google Kubernetes Engine
Affected Google Kubernetes Engine features
| Feature | Description |
|---|---|
| Backup for GKE | Backup for GKE is not supported. It is your responsibility not to use Backup for GKE in Sovereign Controls by T-Systems. |
Google Kubernetes Engine organization policy constraints
| Organization policy constraint | Description |
|---|---|
container.restrictNoncompliantDiagnosticDataAccess
|
Set to True
. Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload. Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value. |
Cloud Run
Affected Cloud Run features
Feature
Description
Unsupported features
The following Cloud Run features aren't supported:
Spanner
Affected Spanner features
| Feature | Description |
|---|---|
| Split boundaries | Spanner uses a small subset of primary keys and indexed columns to define split boundaries
, which
may include customer data and metadata. A split boundary in Spanner denotes the
location where contiguous ranges of rows are split into smaller pieces. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners. |
Spanner organization policy constraints
| Organization policy constraint | Description |
|---|---|
spanner.assuredWorkloadsAdvancedServiceControls
|
Set to True
. Applies additional data sovereignty and supportability controls to Spanner resources. |
spanner.disableMultiRegionInstanceIfNoLocationSelected
|
Set to True
. Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty. |
Cloud SQL
Affected Cloud SQL features
| Feature | Description |
|---|---|
| Query insights | When deploying a Cloud SQL instance, Query insights can only be used if application tags are not enabled. If application tags are enabled, you will receive an error message when attempting to use Query insights. |
Cloud SQL organization policy constraints
| Organization policy constraint | Description |
|---|---|
sql.restrictNoncompliantDiagnosticDataAccess
|
Set to True
. Applies additional data sovereignty and supportability controls to Cloud SQL resources. |
sql.restrictNoncompliantResourceCreation
|
Set to True
. Applies additional data sovereignty controls to prevent creation of non-compliant Cloud SQL resources. |
