This document includes the best practices and guidelines for Cloud Build when running generative AI workloads on Google Cloud. Use Cloud Identity with Vertex AI to unify identity, access, application, and management for Google Cloud.
Required Cloud Identity controls
The following controls are strongly recommended when using Cloud Identity.
Enable two-step verification for super admin accounts
Google recommends Titan Security Keys for 2-step verification (2SV) for super admin accounts. However, for use cases where this isn't possible, we recommend using another security key as an alternative.
- Cloud Identity
- Titan Security Keys
- IA-2
- IA-4
- IA-5
- IA-7
- PR.AC-1.1
- PR.AC-1.2
- PR.AC-1.3
- PR.AC-6.1
- PR.AC-7.1
- PR.AC-7.2
Enforce two-step verification on the super admin organization unit
Enforce 2-step verification (2SV) for a specific organization unit (OU) or the entire organization. We recommend that you create an OU for super admins and enforce 2SV on that OU.
- Cloud Identity
- IA-2
- IA-4
- IA-5
- IA-7
- PR.AC-1.1
- PR.AC-1.2
- PR.AC-1.3
- PR.AC-6.1
- PR.AC-7.1
- PR.AC-7.2
Create an exclusive email address for the primary super admin
- Cloud Identity
- IA-2
- IA-4
- IA-5
- PR.AC-1.1
- PR.AC-1.2
- PR.AC-1.3
- PR.AC-6.1
- PR.AC-7.1
- PR.AC-7.2
Share audit logs from Cloud Identity
If using Cloud Identity, share audit logs from Cloud Identity to Google Cloud.
Admin Activity audit logs from Google Workspace or Cloud Identity are ordinarily managed and viewed in the Google Admin console, separately from your logs in your Google Cloud environment. These logs contain information that is relevant for your Google Cloud environment, such as user login events.
We recommend that you share Cloud Identity audit logs to your Google Cloud environment to centrally manage logs from all sources.
- Google Workspace
- Cloud Logging
- Cloud Identity
- AC-2
- AC-3
- AC-8
- AC-9
- DM.ED-7.1
- DM.ED-7.2
- DM.ED-7.3
- DM.ED-7.4
Create redundant administrator accounts
Don't have a single super admin or Organization Administrator. Create one or more (up to 20) backup administrator accounts. A single super admin or Organization Administrator can result in lockout scenarios. This situation also carries a higher risk as one person can make platform-altering changes, potentially with no oversight.
- Identity and Access Management (IAM)
- Google Workspace
- Cloud Identity
- IA-2
- IA-4
- IA-5
- PR.AC-1.1
- PR.AC-1.2
- PR.AC-1.3
- PR.AC-6.1
- PR.AC-7.1
- PR.AC-7.2
Recommended cloud controls
We recommend that you apply the following Cloud Identity controls to your Google Cloud environment, regardless of your specific use case.
Block access to Cloud Shell for Cloud Identity managed user accounts
To avoid granting excessive access to Google Cloud, block access to Cloud Shell for Cloud Identity managed user accounts.
- Cloud Identity
- Cloud Shell
- SC-7
- SC-8
- PR.AC-5.1
- PR.AC-5.2
- PR.DS-2.1
- PR.DS-2.2
- PR.DS-5.1
- PR.PT-4.1
- DE.CM-1.1
- DE.CM-1.2
- DE.CM-1.3
- DE.CM-1.4
Optional controls
You can optionally implement the following Cloud Identity controls based on your organization's requirements.
Block account self-recovery for super admin accounts
- Cloud Identity
- Google Workspace
- IA-2
- IA-4
- IA-5
- PR.AC-1.1
- PR.AC-1.2
- PR.AC-1.3
- PR.AC-6.1
- PR.AC-7.1
- PR.AC-7.2
Turn off unused Google services
- Cloud Identity
http://admin.google.com > Apps > Additional Google Services
Setting
-
False
- SC-7
- SC-8
- PR.AC-5.1
- PR.AC-5.2
- PR.DS-2.1
- PR.DS-2.2
- PR.DS-5.1
- PR.PT-4.1
- DE.CM-1.1
- DE.CM-1.2
- DE.CM-1.3
- DE.CM-1.4
