EU Data Boundary with Access Justifications
This page describes the restrictions, limitations, and other configuration options when using EU Data Boundary with Access Justifications.
Overview
EU Data Boundary with Access Justifications provides data residency and data sovereignty features for supported Google Cloud services. To provide these features, some of these services' features are restricted or limited. Most of these changes are applied during the onboarding process when creating a new folder or project in an EU Data Boundary with Access Justifications environment; however, some of them can be changed later by modifying organization policies.
It's important to understand how these restrictions modify the behavior of a given Google Cloud service or affect data sovereignty or data residency. For example, some features or capabilities may be automatically disabled to verify that data sovereignty and data residency are maintained. Additionally, if an organization policy setting is changed, it might have the unintended consequence of copying data from one region to another.
Supported products and services
See the Supported products page for a list of products and services that are supported by EU Data Boundary with Access Justifications.
Organization policies
This section describes how each service is affected by the default organization policy constraint values when folders or projects are created using EU Data Boundary with Access Justifications. Other applicable constraints — even if not set by default — can provide additional "defense-in-depth" to further protect your organization's Google Cloud resources.
Cloud-wide organization policy constraints
The following organization policy constraints apply across any applicable Google Cloud service.
Organization Policy Constraint | Description |
---|---|
gcp.resourceLocations | Set to in:eu-locations as the allowedValues list item. This value restricts creation of any new resources to the EU value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of the EU. See Resource locations supported services for a list of resources that can be restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable. Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary, such as replacing the in:eu-locations value group with the in:europe-locations value group, which includes non-EU member state locations. |
gcp.restrictNonCmekServices | Set to the following list of services: compute.googleapis.com, container.googleapis.com, storage.googleapis.com. Each listed service requires customer-managed encryption keys (CMEK). CMEK ensures that at-rest data is encrypted with a key managed by you, not with Google's default encryption mechanisms. Changing this value by removing one or more supported services from the list may undermine data sovereignty, as new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided. |
gcp.restrictCmekCryptoKeyProjects | Set to under:folders/my-folder-name. Limits the scope of approved folders or projects that can provide KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for supported services' at-rest data. |
gcp.restrictServiceUsage | Determines which services can be used by restricting runtime access to their resources. For more information, see Restrict resource usage for workloads. |
Compute Engine organization policy constraints
Organization Policy Constraint | Description |
---|---|
compute.enableComplianceMemoryProtection | Set to True. Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs. Changing this value may affect your data residency or data sovereignty. |
compute.disableInstanceDataAccessApis | Set to True. Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs. |
compute.disableGlobalCloudArmorPolicy | Set to True. Disables the creation of new global Google Cloud Armor security policies, and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect. |
compute.restrictNonConfidentialComputing | (Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information. |
compute.trustedImageProjects | (Optional) Value is not set. Set this value to provide additional defense-in-depth. Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents. |
Cloud Storage organization policy constraints
Organization Policy Constraint | Description |
---|---|
storage.uniformBucketLevelAccess | Set to True. Access to new buckets is managed using IAM policies instead of Cloud Storage access control lists (ACLs). This constraint provides fine-grained permissions for buckets and their contents. If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs. |
Google Kubernetes Engine organization policy constraints
Organization Policy Constraint | Description |
---|---|
container.restrictNoncompliantDiagnosticDataAccess | Set to True. Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload. Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value. |
Cloud Key Management Service organization policy constraints
Organization Policy Constraint | Description |
---|---|
cloudkms.allowedProtectionLevels | Set to EXTERNAL. Restricts the Cloud Key Management Service CryptoKey types that may be created, and is set to allow only external key types. |
Impacted features
This section lists how each service's features or capabilities are impacted by EU Data Boundary with Access Justifications.
BigQuery features
To enable BigQuery in your Assured Workloads folder, complete the following steps:
- In the Google Cloud console, go to the Assured Workloads page.
- Select your new Assured Workloads folder from the list.
- On the Folder Details page, in the Allowed services section, click Review Available Updates.
- In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.
If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.
After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.
Gemini in BigQuery is not supported by Assured Workloads.
The following BigQuery features are not supported:
- Interaction with remote data sources
- Externally-trained BQML models are not supported. Internally-trained BQML models are supported.
- Scheduled and federated queries
- Dynamic data masking
- GDrive export
- Remote functions
- Saved queries
- Workflow scheduling
- For BigQuery Studio, notebooks are unsupported.
- The CreateTag, SearchCatalog, Bulk tagging, and Business Glossary API methods of the Data Catalog API can process and store technical data in a way that is not supported. It is your responsibility to not use those methods for EU Data Boundary with Access Justifications.
- Datasets
- Jobs
- Models
- Projects
- Reservations
- Routines
- Row Access Policies
- Storage Read
- Storage Write
- Tables
- Table Data
If a table data list request is sent using one EU region but the dataset was created in another EU region, BigQuery cannot infer which region you intended and the operation will fail with a "dataset not found" error message.
- Run `gcloud --version`, and then `gcloud components update` to update to the newest version.
- Specify tables as projectname.dataset.table in the BigQuery CLI.
- Disable routing to new _Default logging buckets or restrict your _Default buckets to EU regions to maintain compliance. To learn how to set the location for new _Default buckets or how to disable routing entries to new _Default buckets, see Configure default settings for organizations and folders.
Bigtable features
- The ListHotTablets API method of the RPC Admin API processes and stores technical data in a way that is not supported. It is your responsibility to not use that method for EU Data Boundary with Access Justifications.
- The hotTablets.list API method of the REST Admin API processes and stores technical data in a way that is not supported. It is your responsibility to not use that method for EU Data Boundary with Access Justifications.
These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in EU Data Boundary with Access Justifications.
Google Cloud Armor features
Feature | Description |
---|---|
Globally scoped security policies | This feature is disabled by the compute.disableGlobalCloudArmorPolicy organization policy constraint. |
Spanner features
Feature | Description |
---|---|
Split boundaries | Spanner uses a small subset of primary keys and indexed columns to define split boundaries, which may include customer data and metadata. A split boundary in Spanner denotes the location where contiguous ranges of rows are split into smaller pieces. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in EU Data Boundary with Access Justifications. |
Dataplex Universal Catalog features
Feature | Description |
---|---|
Aspects and glossaries metadata | Aspects and glossaries are not supported. You can't search for or manage aspects and glossaries, nor can you import custom metadata. |
Attribute Store | This feature is deprecated and disabled. |
Data Catalog | This feature is deprecated and disabled. You cannot search through nor manage your metadata in Data Catalog. |
Data Quality and Data Profile Scan | Export of Data Quality Scan results is not supported. |
Discovery | This feature is disabled. You cannot run the Discovery scans to extract metadata from your data. |
Lakes and Zones | This feature is disabled. You cannot manage lakes, zones and tasks. |
Dataproc features
Feature | Description |
---|---|
Google Cloud console | Dataproc does not currently support the Jurisdictional Google Cloud console. To enforce data residency, ensure that you use either the Google Cloud CLI or the API when using Dataproc. |
GKE features
Feature | Description |
---|---|
Cluster resource restrictions | Ensure that your cluster configuration does not use resources for services that are unsupported in EU Data Boundary with Access Justifications. For example, the following configuration is invalid because it requires enabling or using an unsupported service: setting `binaryAuthorization.evaluationMode` to `enabled`. |
Cloud Logging features
To use Cloud Logging with Customer-Managed Encryption Keys (CMEK), you must complete the steps in the Enable CMEK for an organization page in the Cloud Logging documentation.
Feature | Description |
---|---|
Log sinks | Filters shouldn't contain Customer Data. Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data. |
Live tailing log entries | Filters shouldn't contain Customer Data. A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data. |
Log-based alerts | This feature is disabled. You cannot create log-based alerts in the Google Cloud console. |
Shortened URLs for Logs Explorer queries | This feature is disabled. You cannot create shortened URLs of queries in the Google Cloud console. |
Saving queries in Logs Explorer | This feature is disabled. You cannot save any queries in the Google Cloud console. |
Log Analytics using BigQuery | This feature is disabled. You cannot use the Log Analytics feature. |
SQL-based alerting policies | This feature is disabled. You cannot use the SQL-based alerting policies feature. |
Cloud Monitoring features
Feature | Description |
---|---|
Synthetic Monitor | This feature is disabled. |
Uptime check | This feature is disabled. |
Log panel widgets in Dashboards | This feature is disabled. You cannot add a log panel to a dashboard. |
Error reporting panel widgets in Dashboards | This feature is disabled. You cannot add an error reporting panel to a dashboard. |
Filter in EventAnnotation for Dashboards | This feature is disabled. The filter of an EventAnnotation cannot be set in a dashboard. |
SqlCondition in alertPolicies | This feature is disabled. You cannot add a SqlCondition to an alertPolicy. |
Cloud Run features
Compute Engine features
Feature | Description |
---|---|
Suspending and resuming a VM instance | This feature is disabled. Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature. |
Local SSDs | This feature is disabled. You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature. |
Guest environment | It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint. See the Building a custom image page for more information. |
OS policies in VM Manager | Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Therefore, don't include any sensitive information in these files. Alternatively, consider storing these scripts and output files in Cloud Storage buckets. For more information, see Example OS policies. If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint. For more information, see Constraints for OS Config. |
instances.getSerialPortOutput() | This API is disabled; you will be unable to get serial port output from the specified instance using this API. Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions on this page. |
instances.getScreenshot() | This API is disabled; you will be unable to get a screenshot from the specified instance using this API. Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions on this page. |