Kingdom of Saudi Arabia Data Boundary Advanced by CNTXT

Google Cloud console

To access the Google Cloud console when using the Kingdom of Saudi Arabia Data Boundary Advanced by CNTXT control package, you must use one of the following URLs:

• console.sa.cloud.google.com
• console.sa.cloud.google for federated identity users

gcp.resourceLocations

Set to the following locations in the allowedValues list:

• me-central2

This value restricts creation of new resources to the selected values. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See Resource locations supported services for a list of resources that can be restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and cannot be restricted.

Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.

gcp.restrictNonCmekServices

Set to a list of all in-scope API service names , including:

• aiplatform.googleapis.com
• artifactregistry.googleapis.com
• bigquery.googleapis.com
• bigquerydatatransfer.googleapis.com
• bigtable.googleapis.com
• cloudfunctions.googleapis.com
• composer.googleapis.com
• compute.googleapis.com
• container.googleapis.com
• dataflow.googleapis.com
• dataproc.googleapis.com
• documentai.googleapis.com
• integrations.googleapis.com
• logging.googleapis.com
• notebooks.googleapis.com
• pubsub.googleapis.com
• run.googleapis.com
• secretmanager.googleapis.com
• spanner.googleapis.com
• sqladmin.googleapis.com
• storage.googleapis.com
• workstations.googleapis.com

Some features may be affected for each of the services listed above.

Each listed service requires Customer-managed encryption keys (CMEK) . CMEK encrypts at-rest data with a key managed by you, not Google's default encryption mechanisms.

Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.

gcp.restrictServiceUsage

Set to allow all supported products and API endpoints .

Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage .

gcp.restrictTLSVersion

Set to deny the following TLS versions:

• TLS_1_0
• TLS_1_1

For more information, see Restrict TLS versions .

Enabling BigQuery on a new folder

BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:

1. In the Google Cloud console, go to the Assured Workloads page.

   Go to Assured Workloads

2. Select your new Assured Workloads folder from the list.
3. On the Folder Details page in the Allowed services section, click Review Available Updates .
4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.
   
   If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care .

After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

Gemini in BigQuery is not supported by Assured Workloads.

Unsupported features

The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Sovereign Controls by Partners.

• Interaction with remote data sources
• Externally-trained BQML models are not supported. Internally-trained BQML models are supported.
• Dynamic data masking
• GDrive export
• Remote functions
• Saved queries
• Workflow scheduling
• For BigQuery Studio, notebooks are unsupported.
• Gemini in BigQuery is not supported.

Unsupported integrations

The following BigQuery integrations are not supported. It's your responsibility not to use them with BigQuery for Sovereign Controls by Partners.

• The CreateTag , SearchCatalog , Bulk tagging , and Business Glossary API methods of the Data Catalog API process and store technical data in a way that is not supported. It's your responsibility not to use those methods for Sovereign Controls by Partners.

Supported BigQuery APIs

The following BigQuery APIs are supported:

• Datasets
• Jobs
• Models
• Projects
• Reservations
• Routines
• Row Access Policies
• Storage Read
• Storage Write
• Tables
• Table Data

BigQuery CLI

Google Cloud SDK

You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, run gcloud --version and then gcloud components update to update to the newest version.

Administrator controls

BigQuery will disable unsupported APIs but administrators with sufficient permissions to create Sovereign Controls by Partners folders can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard .

Loading data

BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Kingdom of Saudi Arabia Data Boundary Advanced by CNTXT workloads.

Third-party transfers

BigQuery doesn't verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.

Non-compliant BQML models

Externally-trained BQML models are not supported.

Query jobs

Query jobs should only be created within Sovereign Controls by Partners folders.

Queries on datasets in other projects

BigQuery doesn't prevent Sovereign Controls by Partners datasets from being queried from non-Sovereign Controls by Partners projects. You should ensure that any query that has a read or a join on Sovereign Controls by Partners data be placed in Sovereign Controls by Partners folders. You can specify a fully-qualified table name for their query result using projectname.dataset.table in the BigQuery CLI.

Cloud Logging

BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

For more information, see Regionalize your logs .

cloudkms.allowedProtectionLevels

Set to allow creation of Cloud Key Management Service CryptoKeys with the following protection levels:

• EXTERNAL
• EXTERNAL_VPC

See Protection levels for more information.

Google Cloud console

Cloud Load Balancing features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

Regional load balancers

You must use only regional load balancers with Kingdom of Saudi Arabia Data Boundary Advanced by CNTXT. For more information about configuring regional load balancers, see the following pages:

• Internal Application Load Balancer
• Regional external Application Load Balancer
• Internal passthrough Network Load Balancer
• External passthrough Network Load Balancer

Unsupported features

The following Cloud Run features aren't supported:

• Cloud Trace integration
• Cloud Run functions
• Eventarc triggers

storage.restrictAuthTypes

Set to prevent authentication using hash-based message authentication code (HMAC). The following types are specified in this constraint value:

• USER_ACCOUNT_HMAC_SIGNED_REQUESTS
• SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS

By default, HMAC keys are prevented from authenticating to Cloud Storage resources for Kingdom of Saudi Arabia Data Boundary Advanced by CNTXT workloads. HMAC keys affect data sovereignty because they can be used to access customer data without customer knowledge. See HMAC keys in the Cloud Storage docs.

Changing this value may affect data sovereignty in your workload; we highly recommend keeping the set value.

storage.uniformBucketLevelAccess

Set to True .

Access to new buckets is managed using IAM policies instead of Cloud Storage Access control lists (ACLs) . This constraint provides fine-grained permissions for buckets and their contents.

If a bucket is created while this constraint is enabled, access to it can never be managed by using ACLs. In other words, the access control method for a bucket is permanently set to using IAM policies instead of Cloud Storage ACLs.

Suspending and resuming a VM instance

This feature is disabled.

Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.

Local SSDs

This feature is disabled.

You will be unable to create an instance with Local SSDs because they cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.

Google Cloud console

The following Compute Engine features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead:

• Health checks
• Network endpoint groups

Adding an instance group to a global load balancer

You cannot add an instance group to a global load balancer.

This feature is disabled by the compute.disableGlobalLoadBalancing organization policy constraint.

Guest environment

It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

For more information, see Building a custom image .

OS policies in VM Manager

Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Don't include any sensitive information in these files. Consider storing these scripts and output files in Cloud Storage buckets. For more information, see Example OS policies .

If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint.

For more information, see Constraints for OS Config .

instances.getSerialPortOutput()

This API is disabled. You will be unable to get serial port output from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project .

instances.getScreenshot()

This API is disabled. You will be unable to get a screenshot from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project .

compute.enableComplianceMemoryProtection

Set to True .

Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.

Changing this value may affect your workload's data residency or data sovereignty.

compute.disableGlobalCloudArmorPolicy

Set to True .

Disables the creation of new global Google Cloud Armor security policies and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.

compute.disableGlobalLoadBalancing

Set to True .

Disables creation of global load balancing products.

Changing this value may affect your workload's data residency or data sovereignty.

compute.disableInstanceDataAccessApis

Set to True .

Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

Enabling this constraint prevents you from generating credentials on Windows Server VMs .

If you need to manage a username and password on a Windows VM, do the following:

1. Enable SSH for Windows VMs .
2. Run the following command to change the VM's password:

     
   gcloud  
   compute  
   ssh  
    VM_NAME 
     
   --command  
    "net user USERNAME 
    PASSWORD 
   " 
     
   

   Replace the following:
   • VM_NAME : The name of the VM you're setting the password for.
   • USERNAME : The username of the user who you're setting the password for.
   • PASSWORD : The new password.

compute.disableSshInBrowser

Set to True .

Disables the SSH-in-browser tool in the Google Cloud console for VMs that use OS Login and App Engine flexible environment environment VMs.

Changing this value may affect your workload's data residency or data sovereignty.

compute.restrictNonConfidentialComputing

(Optional) Value is not set. Set this value to provide additional defense-in-depth. For more information, see the Confidential VM documentation .

compute.trustedImageProjects