The names for some Assured Workloads control packages have changed. For information about the name change, see Control package renaming notice .

Kingdom of Saudi Arabia (KSA) Data Boundary with Access Justifications

This page describes the restrictions, limitations, and other configuration options when using the KSA Data Boundary with Access Justifications control package.

Overview

The KSA Data Boundary with Access Justifications control package enables data access control and data residency features for supported Google Cloud products . Some of these services' features are restricted or limited by Google to be compatible with KSA Data Boundary with Access Justifications. Most of these restrictions and limitations are applied when creating a new Assured Workloads folder for KSA Data Boundary with Access Justifications. However, some of them can be changed later by modifying organization policies . Additionally, some restrictions and limitations require user responsibility for adherence.

It's important to understand how these restrictions modify the behavior for a given Google Cloud service or affect data access or data residency . For example, some features or capabilities may be automatically disabled to ensure that data access restrictions and data residency are maintained. Additionally, if an organization policy setting is changed, it might have the unintended consequence of copying data from one region to another.

Supported services

Unless otherwise noted, users can access all supported services through the Google Cloud console.

The following services are compatible with KSA Data Boundary with Access Justifications:

Supported product

API endpoints

Restrictions or limitations

Access Approval

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

accessapproval.googleapis.com

None

Access Context Manager

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

accesscontextmanager.googleapis.com

None

Artifact Registry

Regional API endpoints:

artifactregistry.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

artifactregistry.googleapis.com

None

BigQuery

Regional API endpoints:

bigquery.me-central2.rep.googleapis.com
bigqueryconnection.me-central2.rep.googleapis.com
bigqueryreservation.me-central2.rep.googleapis.com
bigquerystorage.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

bigquery.googleapis.com
bigqueryconnection.googleapis.com
bigquerydatapolicy.googleapis.com
bigqueryreservation.googleapis.com
bigquerystorage.googleapis.com

None

Bigtable

Regional API endpoints:

bigtable.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

bigtable.googleapis.com
bigtableadmin.googleapis.com

None

Certificate Authority Service

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

privateca.googleapis.com

None

Cloud Build

Regional API endpoints:

cloudbuild.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

cloudbuild.googleapis.com

None

Cloud DNS

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

dns.googleapis.com

None

Cloud HSM

Regional API endpoints:

cloudkms.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

cloudkms.googleapis.com

None

Cloud Interconnect

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

Affected features

Cloud Key Management Service (Cloud KMS)

Regional API endpoints:

cloudkms.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

cloudkms.googleapis.com

None

Cloud Load Balancing

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

None

Cloud Logging

Regional API endpoints:

logging.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

logging.googleapis.com

None

Cloud Monitoring

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

monitoring.googleapis.com

Affected features

Cloud NAT

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

None

Cloud Router

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

None

Cloud Run

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

run.googleapis.com

Affected features

Cloud SQL

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

sqladmin.googleapis.com

None

Cloud Service Mesh

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

mesh.googleapis.com
meshconfig.googleapis.com
trafficdirector.googleapis.com
networkservices.google.com

None

Cloud Storage

Regional API endpoints:

storage.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

storage.googleapis.com

Affected features

Cloud VPN

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

Affected features

Compute Engine

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

Affected features and organization policy constraints

Connect

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

gkeconnect.googleapis.com
connectgateway.googleapis.com

None

Dataflow

Regional API endpoints:

dataflow.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

dataflow.googleapis.com
datapipelines.googleapis.com

None

Dataplex Universal Catalog

Regional API endpoints:

dataplex.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

dataplex.googleapis.com
datalineage.googleapis.com

Affected features

Dataproc

Regional API endpoints:

dataproc.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

dataproc-control.googleapis.com
dataproc.googleapis.com

None

Essential Contacts

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

essentialcontacts.googleapis.com

None

Filestore

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

file.googleapis.com

None

GKE Hub

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

gkehub.googleapis.com

None

GKE Identity Service

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

anthosidentityservice.googleapis.com

None

Google Cloud Armor

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

Affected features

Google Cloud console

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

N/A

None

Google Kubernetes Engine

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

container.googleapis.com
containersecurity.googleapis.com

Organization policy constraints

Identity and Access Management (IAM)

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

iam.googleapis.com

None

Identity-Aware Proxy (IAP)

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

iap.googleapis.com

None

Memorystore for Redis

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

redis.googleapis.com

None

Network Connectivity Center

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

networkconnectivity.googleapis.com

None

Organization Policy Service

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

orgpolicy.googleapis.com

None

Persistent Disk

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

None

Pub/Sub

Regional API endpoints:

pubsub.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

pubsub.googleapis.com

None

Resource Manager

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

cloudresourcemanager.googleapis.com

None

Resource Settings

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

resourcesettings.googleapis.com

None

Secret Manager

Regional API endpoints:

secretmanager.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

secretmanager.googleapis.com

None

Sensitive Data Protection

Regional API endpoints:

dlp.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

dlp.googleapis.com

None

Service Directory

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

servicedirectory.googleapis.com

None

Spanner

Regional API endpoints:

spanner.me-central2.rep.googleapis.com

Locational API endpoints are not supported.

Global API endpoints:

spanner.googleapis.com

None

VPC Service Controls

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

accesscontextmanager.googleapis.com

None

Virtual Private Cloud (VPC)

Regional API endpoints are not supported.
Locational API endpoints are not supported.

Global API endpoints:

compute.googleapis.com

None

Organization policies

This section describes how each service is affected by the default organization policy constraint values when folders or projects are created using KSA Data Boundary with Access Justifications. Other applicable constraints—even if not set by default—can provide additional "defense-in-depth" to further protect your organization's Google Cloud resources.

Cloud-wide organization policy constraints

The following organization policy constraints apply across any applicable Google Cloud service.

Organization policy constraint Description

gcp.resourceLocations Set to in:sa-locations as the allowedValues list item.

This value restricts creation of any new resources to the me-central2 value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of KSA. See Resource locations supported services for a list of resources that can be restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable.

Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.

gcp.restrictServiceUsage Set to allow all supported services .

Determines which services can be used by restricting runtime access to their resources. For more information, see Restrict resource usage for workloads .

Organization policy constraint	Description
`gcp.resourceLocations`	Set to `in:sa-locations` as the `allowedValues` list item. This value restricts creation of any new resources to the `me-central2` value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of KSA. See Resource locations supported services for a list of resources that can be restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable. Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
`gcp.restrictServiceUsage`	Set to allow all supported services . Determines which services can be used by restricting runtime access to their resources. For more information, see Restrict resource usage for workloads .

Compute Engine organization policy constraints

Organization policy constraint

Description

compute.disableGlobalCloudArmorPolicy

Set to True .

Disables the creation of new global Google Cloud Armor security policies , and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.

compute.disableGlobalLoadBalancing

Set to True .

Disables creation of global load balancers.

Changing this value may affect data residency in your workload; we recommend keeping the set value.

compute.disableInstanceDataAccessApis

Set to True .

Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

Enabling this organization policy prevents you from generating credentials on Windows Server VMs .

If you need to manage a username and password on a Windows VM, do the following:

Enable SSH for Windows VMs .
Run the following command to change the VM's password:
```
gcloud  
compute  
ssh VM_NAME 
  
--command  
 "net user USERNAME 
 PASSWORD 
" 
```
Replace the following:
- VM_NAME : The name of the VM you're setting the password for.
- USERNAME : The username of the user who you're setting the password for.
- PASSWORD : The new password.

compute.enableComplianceMemoryProtection

Set to True .

Disables some internal diagnostic features to provide additional protection of memory contents when an infrastructure fault occurs.

Changing this value may affect data residency in your workload; we recommend keeping the set value.

Google Kubernetes Engine organization policy constraints

Organization policy constraint	Description
`container.restrictNoncompliantDiagnosticDataAccess`	Set to True . Used to disable aggregate analysis of kernel issues, which is required to maintain sovereign control of a workload. Changing this value may affect data sovereignty in your workload; we recommend keeping the set value.

Affected features

This section lists how each service's features or capabilities are affected by KSA Data Boundary with Access Justifications, including user requirements when using a feature.

Bigtable features

Feature	Description
Data Boost	This feature is disabled.

Compute Engine features

Feature

Description

Google Cloud console

The following Compute Engine features are not available in the Google Cloud console. Use the API or Google Cloud CLI where available:

Health checks
Network endpoint groups
Browser-based SSH is disabled

Adding an instance group to a global load balancer

You cannot add an instance group to a global load balancer.

This feature is disabled by the compute.disableGlobalLoadBalancing organization policy constraint.

 instances.getSerialPortOutput()

This API is disabled; you will be unable to get serial port output from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port .

 instances.getScreenshot()

This API is disabled; you will be unable to get a screenshot from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port .

Cloud Interconnect features

Feature	Description
High-availability (HA) VPN	You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in this section .

Cloud Monitoring features

Feature	Description
Synthetic Monitor	This feature is disabled.
Uptime check	This feature is disabled.
Log panel widgets in Dashboards	This feature is disabled. You cannot add a log panel to a dashboard.
Error reporting panel widgets in Dashboards	This feature is disabled. You cannot add an error reporting panel to a dashboard.
Filter in `EventAnnotation` for Dashboards	This feature is disabled. Filter of `EventAnnotation` cannot be set in a dashboard.
`SqlCondition` in `alertPolicies`	This feature is disabled. You cannot add a `SqlCondition` to an `alertPolicy` .

Cloud Run features

Feature

Description

Unsupported features

The following Cloud Run features aren't supported:

Cloud Storage features

Feature	Description
Google Cloud console	It is your responsibility to use the Jurisdictional Google Cloud console for KSA Data Boundary with Access Justifications. The Jurisdictional console prevents uploading and downloading Cloud Storage objects. To upload and download Cloud Storage objects, see the following Compliant API endpoints row.
Compliant API endpoints	It is your responsibility to use one of the locational endpoints with Cloud Storage. See Cloud Storage locations for more information.

Google Cloud Armor features

Feature	Description
Globally scoped security policies	This feature is disabled by the `compute.disableGlobalCloudArmorPolicy` organization policy constraint.

Cloud VPN features

Feature	Description
Google Cloud console	Cloud VPN features are not available in the Google Cloud console. Use the API or Google Cloud CLI instead.

Dataplex Universal Catalog features

Feature	Description
Aspects and glossaries metadata	Aspects and glossaries and are not supported. You can't search for or manage aspects and glossaries, nor can you import custom metadata.
Attribute Store	This feature is deprecated and disabled.
Data Catalog	This feature is deprecated and disabled. You cannot search through nor manage your metadata in Data Catalog.
Data Quality and Data Profile Scan	Export of Data Quality Scan results is not supported.
Discovery	This feature is disabled. You cannot run the Discovery scans to extract metadata from your data.
Lakes and Zones	This feature is disabled. You cannot manage lakes, zones and tasks.

Footnotes

1. BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:

In the Google Cloud console, go to the Assured Workloads page.
Go to Assured Workloads
Select your new Assured Workloads folder from the list.
On the Folder Details page in the Allowed services section, click Review Available Updates .
In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care .

After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

Gemini in BigQuery is not supported by Assured Workloads.