Console
    Start free

    Italy Data Boundary by PSN

    This page describes the set of controls that are applied on Italy Data Boundary by PSN folders in Sovereign Controls by Partners. It provides detailed information about supported Google Cloud products and their API endpoints, as well as any applicable restrictions or limitations on those products.

    See the PSN site Italy Data Boundary by PSN for more information about this offering.

    Supported products and API endpoints

    Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table.

    If a product is not listed, that product is unsupported and has not met the control requirements for Italy Data Boundary by PSN. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model . Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

    Supported product API endpoints Restrictions or limitations
    Access Context Manager
    		accesscontextmanager.googleapis.com
    		None
    Access Transparency
    		accessapproval.googleapis.com
    		None
    Artifact Registry
    		artifactregistry.googleapis.com
    		None
    BigQuery
    		bigquery.googleapis.com
    bigqueryconnection.googleapis.com
    bigquerydatapolicy.googleapis.com
    bigquerydatatransfer.googleapis.com
    bigqueryreservation.googleapis.com
    bigquerystorage.googleapis.com
    		Affected features
    Bigtable
    		bigtable.googleapis.com
    bigtableadmin.googleapis.com
    		Affected features
    Certificate Authority Service
    		privateca.googleapis.com
    		None
    Cloud Composer
    		composer.googleapis.com
    		None
    Compute Engine
    		compute.googleapis.com
    		Affected features and organization policy constraints
    Connect
    		gkeconnect.googleapis.com
    connectgateway.googleapis.com
    		None
    Sensitive Data Protection
    		dlp.googleapis.com
    		None
    Dataflow
    		dataflow.googleapis.com
    datapipelines.googleapis.com
    		None
    Dataplex Universal Catalog
    		dataplex.googleapis.com
    datalineage.googleapis.com
    		Affected features
    Dataproc
    		dataproc-control.googleapis.com
    dataproc.googleapis.com
    		Affected features
    Cloud DNS
    		dns.googleapis.com
    		None
    Filestore
    		file.googleapis.com
    		None
    GKE Identity Service
    		anthosidentityservice.googleapis.com
    		None
    GKE Hub
    		gkehub.googleapis.com
    		None
    Google Cloud Armor
    		compute.googleapis.com
    		Affected features
    Identity and Access Management (IAM)
    		iam.googleapis.com
    		None
    Identity-Aware Proxy
    		iap.googleapis.com
    		None
    Cloud Key Management Service (Cloud KMS)
    		cloudkms.googleapis.com
    		Organization policy constraints
    Cloud HSM
    		cloudkms.googleapis.com
    		None
    Cloud External Key Manager (Cloud EKM)
    		cloudkms.googleapis.com
    		None
    Google Kubernetes Engine
    		container.googleapis.com
    containersecurity.googleapis.com
    		Affected features and organization policy constraints
    Cloud Load Balancing
    		compute.googleapis.com
    		Affected features
    Cloud Logging
    		logging.googleapis.com
    		Affected features
    Cloud Monitoring
    		monitoring.googleapis.com
    		Affected features
    Memorystore for Redis
    		redis.googleapis.com
    		None
    Network Connectivity Center
    		networkconnectivity.googleapis.com
    		None
    Cloud NAT
    		networkconnectivity.googleapis.com
    		None
    Cloud Router
    		networkconnectivity.googleapis.com
    		None
    Cloud Interconnect
    		networkconnectivity.googleapis.com
    		Affected features
    Organization Policy Service
    		orgpolicy.googleapis.com
    		None
    Persistent Disk
    		compute.googleapis.com
    		None
    Pub/Sub
    		pubsub.googleapis.com
    		None
    Resource Manager
    		cloudresourcemanager.googleapis.com
    		None
    Cloud Run
    		run.googleapis.com
    		Affected features
    Cloud Service Mesh
    		mesh.googleapis.com
    meshconfig.googleapis.com
    trafficdirector.googleapis.com
    networkservices.google.com
    		None
    Secret Manager
    		secretmanager.googleapis.com
    		None
    Service Directory
    		servicedirectory.googleapis.com
    		None
    Spanner
    		spanner.googleapis.com
    		Affected features and organization policy constraints
    Speech-to-Text
    		speech.googleapis.com
    		None
    Cloud SQL
    		sqladmin.googleapis.com
    		Affected features and organization policy constraints
    Cloud Storage
    		storage.googleapis.com
    		Organization policy constraints
    Virtual Private Cloud (VPC)
    		compute.googleapis.com
    		None
    VPC Service Controls
    		accesscontextmanager.googleapis.com
    		None
    Cloud VPN
    		compute.googleapis.com
    		None
    Backup for GKE
    		gkebackup.googleapis.com
    		None
    Cloud Build
    		cloudbuild.googleapis.com
    		Affected features
    Cloud Workstations
    		workstations.googleapis.com
    		None
    Firebase Security Rules
    		firebaserules.googleapis.com
    		None
    Firestore
    		firestore.googleapis.com
    		None
    Secure Source Manager
    		securesourcemanager.googleapis.com
    		None

    Restrictions and limitations

    The following sections describe cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Italy Data Boundary by PSN folders.

    Google Cloud-wide

    Google Cloud-wide organization policy constraints

    The following organization policy constraints apply across Google Cloud.

    Organization policy constraint
    Description
    gcp.resourceLocations
    Set to the following locations in the allowedValues list:
    • europe-west8
    • europe-west12
    This value restricts creation of new resources to the selected values. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See Resource locations supported services for a list of resources that can be restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and cannot be restricted.

    Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
    gcp.restrictCmekCryptoKeyProjects
    Set to under:organizations/your-organization-name , which is your Sovereign Controls by Partners organization. You can further restrict this value by specifying a project or folder.

    Limits the scope of approved folders or projects that can provide Cloud KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data.
    gcp.restrictNonCmekServices
    Set to a list of all in-scope API service names , including:
    • aiplatform.googleapis.com
    • artifactregistry.googleapis.com
    • bigquery.googleapis.com
    • bigquerydatatransfer.googleapis.com
    • bigtable.googleapis.com
    • cloudfunctions.googleapis.com
    • composer.googleapis.com
    • compute.googleapis.com
    • container.googleapis.com
    • dataflow.googleapis.com
    • dataproc.googleapis.com
    • documentai.googleapis.com
    • integrations.googleapis.com
    • logging.googleapis.com
    • notebooks.googleapis.com
    • pubsub.googleapis.com
    • run.googleapis.com
    • secretmanager.googleapis.com
    • spanner.googleapis.com
    • sqladmin.googleapis.com
    • storage.googleapis.com
    • workstations.googleapis.com
    Some features may be affected for each of the services listed above.

    Each listed service requires Customer-managed encryption keys (CMEK) . CMEK encrypts at-rest data with a key managed by you, not Google's default encryption mechanisms.

    Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
    gcp.restrictServiceUsage
    Set to allow all supported products and API endpoints .

    Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage .
    gcp.restrictTLSVersion
    Set to deny the following TLS versions:
    • TLS_1_0
    • TLS_1_1
    For more information, see Restrict TLS versions .

    BigQuery

    Affected BigQuery features

    Feature
    Description
    Enabling BigQuery on a new folder
    BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates .
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care .

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

    Unsupported features
    The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Sovereign Controls by Partners.
    Unsupported integrations
    The following BigQuery integrations are not supported. It's your responsibility not to use them with BigQuery for Sovereign Controls by Partners.
    • The CreateTag , SearchCatalog , Bulk tagging , and Business Glossary API methods of the Data Catalog API process and store technical data in a way that is not supported. It's your responsibility not to use those methods for Sovereign Controls by Partners.
    Supported BigQuery APIs
    The following BigQuery APIs are supported:
    Regions
    BigQuery is supported for all BigQuery EU regions except the EU multi-region. Compliance cannot be guaranteed if a dataset is created in an EU multi-region, non-EU region, or non-EU multi-region. It is your responsibility to specify a compliant region when creating BigQuery datasets.

    If a table data list request is sent using one EU region but the dataset was created in another EU region, BigQuery cannot infer which region you intended and the operation will fail with a "dataset not found" error message.
    BigQuery CLI
    The BigQuery CLI is supported.

    Google Cloud SDK
    You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, run gcloud --version and then gcloud components update to update to the newest version.
    Administrator controls
    BigQuery will disable unsupported APIs but administrators with sufficient permissions to create Sovereign Controls by Partners folders can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard .
    Loading data
    BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Italy Data Boundary by PSN workloads.
    Third-party transfers
    BigQuery doesn't verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.
    Non-compliant BQML models
    Externally-trained BQML models are not supported.
    Query jobs
    Query jobs should only be created within Sovereign Controls by Partners folders.
    Queries on datasets in other projects
    BigQuery doesn't prevent Sovereign Controls by Partners datasets from being queried from non-Sovereign Controls by Partners projects. You should ensure that any query that has a read or a join on Sovereign Controls by Partners data be placed in Sovereign Controls by Partners folders. You can specify a fully-qualified table name for their query result using projectname.dataset.table in the BigQuery CLI.
    Cloud Logging
    BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

    gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

    For more information, see Regionalize your logs .

    Bigtable

    Affected Bigtable features

    Feature Description
    Data Boost This feature is disabled.
    Split boundaries Bigtable uses a small subset of row keys to define split boundaries, which may include customer data and metadata. A split boundary in Bigtable denotes the location where contiguous ranges of rows in a table are split into tablets.

    These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners.

    Cloud Build

    Affected Cloud Build features

    Feature Description
    Generating build provenance This feature is unsupported and should not be used with Italy Data Boundary by PSN. Builds configured with options.requestedVerifyOption: VERIFIED may fail due to unsupported dependencies. To prevent build failures, remove this option from your Cloud Build configuration.

    Cloud Interconnect

    Affected Cloud Interconnect features

    Feature Description
    High-availability (HA) VPN You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Affected Cloud VPN features section.

    Cloud KMS

    Cloud KMS organization policy constraints

    Organization policy constraint
    Description
    cloudkms.allowedProtectionLevels
    Set to allow creation of Cloud Key Management Service CryptoKeys with the following protection levels:
    • EXTERNAL
    • EXTERNAL_VPC
    See Protection levels for more information.

    Cloud Load Balancing

    Affected Cloud Load Balancing features

    Feature
    Description
    Google Cloud console
    Cloud Load Balancing features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.
    Regional load balancers
    You must use only regional load balancers with Italy Data Boundary by PSN. For more information about configuring regional load balancers, see the following pages:

    Cloud Logging

    Affected Cloud Logging features

    Feature Description
    Log sinks Filters shouldn't contain Customer Data.

    Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
    Live tailing log entries Filters shouldn't contain Customer Data.

    A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.
    Log-based alerts This feature is disabled.

    You cannot create log-based alerts in the Google Cloud console.
    Shortened URLs for Logs Explorer queries This feature is disabled.

    You cannot create shortened URLs of queries in the Google Cloud console.
    Saving queries in Logs Explorer This feature is disabled.

    You cannot save any queries in the Google Cloud console.
    Log Analytics using BigQuery This feature is disabled.

    You cannot use the Log Analytics feature.
    SQL-based alerting policies This feature is disabled.

    You cannot use the SQL-based alerting policies feature.

    Cloud Monitoring

    Affected Cloud Monitoring features

    Feature Description
    Synthetic Monitor This feature is disabled.
    Uptime checks This feature is disabled.
    Log panel widgets in Dashboards This feature is disabled.

    You cannot add a log panel to a dashboard.
    Error reporting panel widgets in Dashboards This feature is disabled.

    You cannot add an error reporting panel to a dashboard.
    Filter in EventAnnotation for Dashboards This feature is disabled.

    Filter of EventAnnotation cannot be set in a dashboard.
    SqlCondition in alertPolicies This feature is disabled.

    You cannot add a SqlCondition to an alertPolicy .

    Cloud Run

    Affected Cloud Run features

    Feature
    Description
    Unsupported features
    The following Cloud Run features aren't supported:

    Cloud SQL

    Affected Cloud SQL features

    Feature Description
    Query insights When deploying a Cloud SQL instance, Query insights can only be used if application tags are not enabled. If application tags are enabled, you will receive an error message when attempting to use Query insights.

    Cloud SQL organization policy constraints

    Organization policy constraint Description
    sql.restrictNoncompliantDiagnosticDataAccess Set to True .

    Applies additional data sovereignty and supportability controls to Cloud SQL resources.

    Changing this value might affect your workload's data residency or data sovereignty.
    sql.restrictNoncompliantResourceCreation Set to True .

    Applies additional data sovereignty controls to prevent creation of non-compliant Cloud SQL resources.

    Changing this value might affect your workload's data residency or data sovereignty.

    Cloud Storage

    Cloud Storage organization policy constraints

    Organization policy constraint
    Description
    storage.restrictAuthTypes

    Set to prevent authentication using hash-based message authentication code (HMAC). The following types are specified in this constraint value:

    • USER_ACCOUNT_HMAC_SIGNED_REQUESTS
    • SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS
    By default, HMAC keys are prevented from authenticating to Cloud Storage resources for Italy Data Boundary by PSN workloads. HMAC keys affect data sovereignty because they can be used to access customer data without customer knowledge. See HMAC keys in the Cloud Storage docs.

    Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.
    storage.uniformBucketLevelAccess
    Set to True .

    Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs) . This constraint provides fine-grained permissions for buckets and their contents.

    If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.

    Compute Engine

    Affected Compute Engine features

    Feature Description
    Suspending and resuming a VM instance This feature is disabled.

    Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
    Local SSDs This feature is disabled.

    You will be unable to create an instance with Local SSDs because they cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
    Suspending and resuming a VM instance This feature is disabled.

    Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot be encrypted using CMEK.

    This feature is disabled by the gcp.restrictNonCmekServices organization policy constraint.
    Local SSDs This feature is disabled.

    You will be unable to create an instance with Local SSDs because they cannot be encrypted using CMEK.

    This feature is disabled by the gcp.restrictNonCmekServices organization policy constraint.
    Guest environment It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

    These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

    For more information, see Building a custom image .
    OS policies in VM Manager Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Don't include any sensitive information in these files. Consider storing these scripts and output files in Cloud Storage buckets. For more information, see Example OS policies .

    If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint.

    For more information, see Constraints for OS Config .
    instances.getSerialPortOutput() This API is disabled. You will be unable to get serial port output from the specified instance using this API.

    Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project .
    instances.getScreenshot() This API is disabled. You will be unable to get a screenshot from the specified instance using this API.

    Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project .

    Compute Engine organization policy constraints

    Organization policy constraint
    Description
    compute.enableComplianceMemoryProtection
    Set to True .

    Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.

    Changing this value may affect your workload's data residency or data sovereignty.
    compute.disableGlobalCloudArmorPolicy
    Set to True .

    Disables the creation of new global Google Cloud Armor security policies and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.

    compute.disableInstanceDataAccessApis
    Set to True .

    Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

    Enabling this constraint prevents you from generating credentials on Windows Server VMs .

    If you need to manage a username and password on a Windows VM, do the following:
    1. Enable SSH for Windows VMs .
    2. Run the following command to change the VM's password: 
        
gcloud  
compute  
ssh  
 VM_NAME 
  
--command  
 "net user USERNAME 
 PASSWORD 
"
      Replace the following:
      • VM_NAME : The name of the VM you're setting the password for.
      • USERNAME : The username of the user who you're setting the password for.
      • PASSWORD : The new password.
    compute.disableSshInBrowser
    Set to True .

    Disables the SSH-in-browser tool in the Google Cloud console for VMs that use OS Login and App Engine flexible environment environment VMs.

    Changing this value may affect your workload's data residency or data sovereignty.
    compute.restrictNonConfidentialComputing

    (Optional) Value is not set. Set this value to provide additional defense-in-depth. For more information, see the Confidential VM documentation .
    compute.trustedImageProjects

    (Optional) Value is not set. Set this value to provide additional defense-in-depth.

    Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

    Dataplex Universal Catalog

    Dataplex Universal Catalog features

    Feature Description
    Attribute Store This feature is deprecated and disabled.
    Data Catalog This feature is deprecated and disabled. You cannot search through nor manage your metadata in Data Catalog.
    Lakes and Zones This feature is disabled. You cannot manage lakes, zones and tasks.

    Dataproc

    Affected Dataproc features

    Feature Description
    Google Cloud console Dataproc does not currently support the Jurisdictional Google Cloud console . To enforce data residency, ensure that you use either the Google Cloud CLI or the API when using Dataproc.

    Google Cloud Armor

    Affected Google Cloud Armor features

    Feature Description
    Globally scoped security policies This feature is disabled by the compute.disableGlobalCloudArmorPolicy organization policy constraint.

    Google Kubernetes Engine

    Google Kubernetes Engine organization policy constraints

    Organization policy constraint Description
    container.restrictNoncompliantDiagnosticDataAccess Set to True .

    Disables aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload.

    Changing this value may affect your workload's data residency or data sovereignty.

    Spanner

    Affected Spanner features

    Feature Description
    Split boundaries Spanner uses a small subset of primary keys and indexed columns to define split boundaries , which may include customer data and metadata. A split boundary in Spanner denotes the location where contiguous ranges of rows are split into smaller pieces.

    These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Sovereign Controls by Partners.

    Spanner organization policy constraints

    Organization policy constraint Description
    spanner.assuredWorkloadsAdvancedServiceControls Set to True .

    Applies additional data sovereignty and supportability controls to Spanner resources.
    spanner.disableMultiRegionInstanceIfNoLocationSelected Set to True .

    Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: