Cloud security policies in GCP: How to set them up using Terraform

Enhance GCP security with cloud security policies. Implement best practices, use Terraform, and leverage GCP tools for robust protection.


With the growing popularity of cloud services, robust cloud security policies are essential. These policies protect against unauthorised access, data breaches and cyber-attacks. Organisations that adopt cloud security policies create a secure framework and protect critical assets.

Data breaches and cyber threats have the potential to cripple businesses overnight. This means the integration of stringent security measures is imperative. This is where the Google Cloud Platform (GCP) steps in as a reliable ally. By combining the capabilities of GCP with the implementation of robust security policies, organisations create a multi-layered defence encompassing cutting-edge technology and comprehensive protocols. 

Automating security policies through tools like Terraform introduces a new level of efficiency and consistency. Terraform’s ability to define and provision infrastructure as code empowers organisations to codify their security policies, making them easily replicable and less prone to human error.

This article shows how to make Google Cloud Platform (GCP) more secure with Terraform, cloud security policies, security benchmarks and automation. The steps below show how to automate the management of cloud security policies so that compliance stays consistent across your cloud infrastructure.

What are cloud security policies? 

Cloud security policies are the solid foundation upon which organisations build a shield to protect their digital assets in the cloud. These policies are a mix of rules, guidelines and proven best practices. They are the first line of defence in protecting an organisation’s most valuable assets – its data, applications, and resources stored in the cloud.

Let’s take a closer look at the three pillars of cloud security policies:

  • Rules act as clear-cut guidelines determining how things should operate digitally. These rules often originate from legal and regulatory frameworks and lay the essential groundwork for securing sensitive information and digital activities.
  • Guidelines provide organisations with a roadmap to navigate the complexities of cloud computing. Guidelines are a way to improve cloud security through a careful combination of industry insight, real-world experience and knowledge of the threat landscape.
  • Best practices emerge as a collection of knowledge gained from successes and challenges in cloud security. These practices represent a distillation of lessons learned, encapsulating proven methods for safeguarding cloud environments from various threats.

Cloud security policies outline a blueprint for achieving the ultimate goal of cloud security: ensuring the confidentiality, integrity and availability of cloud-based assets.

Google, for example, makes it easier for organisations to include cloud security policies in their cloud environment. Organisations can use the CIS Google Cloud Platform Foundation Benchmark as a reference for implementing security policies on GCP; it provides secure configuration guidelines for:

  • Identity and Access Management
  • Logging and Monitoring
  • Networking
  • Virtual Machines
  • Storage
  • Database services and BigQuery

Cloud security policies in GCP

Cloud security policies within the Google Cloud Platform (GCP) serve as the linchpin for protecting an organisation’s digital assets against cyber threats in the dynamic landscape of cloud computing.

GCP cloud security policies are a roadmap for constructing a robust security stance. By defining a clear set of rules and guidelines, these policies give organisations a structured path to ensure the confidentiality, integrity and availability of their digital assets. Organisations can refer to the catalogue of GCP Organization Policy constraints to express those rules as enforceable configuration.

Benefits of GCP cloud security policies

The adoption of GCP cloud security policies brings forth a range of benefits. A significant advantage lies in establishing a cohesive and unified security stance throughout an organisation’s cloud environment. This consistency minimises the likelihood of security gaps and reinforces protection, especially amidst the complex landscape of cloud operations.

The GCP Organization Policy Service lets companies define and enforce cloud security policies that guard against cyber threats and unauthorised access, maintain data integrity and adhere to industry standards.

Google gives us several ways to do so. One of them is Organization Policy.

What is Organization Policy?

Google offers the Organization Policy Service as a feature of the Google Cloud Platform (GCP). Organization Policy lets you set guardrails for security and compliance across your organisation's resource hierarchy: you apply constraints that define which resource configurations are permissible in your organisation.

Now, let’s look into the functionality of these constraints.


An Organization Policy Administrator sets limitations using organization policies. A policy is attached to a node of the resource hierarchy (organisation, folder or project) and enforces restrictions on that node's resources and all of their descendants. To create a policy, select a constraint, a targeted restriction on a Google Cloud service, and then configure it. Descendants of the selected node inherit the policy, so applying it to the root organisation node gives the broadest enforcement.

Let’s assume this node exists at the folder level for our purposes.

Once the policy is defined, the Google Cloud service that owns the constraint enforces it automatically on every new request. All projects and resources under the folder inherit the policy, which keeps its application consistent across the hierarchy. A policy set on a closer node (for example a project) can override a boolean constraint, and for list constraints the child policy either merges with or replaces the parent's values, depending on how it is configured.
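As an added example (not part of the original article), here is the folder-level scenario expressed directly with the Google provider's google_folder_organization_policy and google_project_organization_policy resources, the kind of resource the org-policy module used later in this article builds on. It sets a boolean constraint and a list constraint on a folder and then carves out one deliberate project-level exception. The folder ID, project ID and the use of the EU location group are placeholders chosen for illustration.

```hcl
# Added example, not from the original article. Folder and project IDs are
# placeholders. Requires the hashicorp/google provider to be configured.

# Boolean constraint enforced on the folder. Every project under the folder
# inherits it unless a policy on a closer node overrides it.
resource "google_folder_organization_policy" "no_global_serial_port" {
  folder     = "folders/1234567890"   # placeholder folder ID
  constraint = "constraints/compute.disableGlobalSerialPortAccess"

  boolean_policy {
    enforced = true
  }
}

# List constraint on the same folder: new resources may only be created in
# EU locations. inherit_from_parent = true merges this allow list with the
# values the organisation node already allows instead of replacing them.
resource "google_folder_organization_policy" "eu_locations_only" {
  folder     = "folders/1234567890"   # placeholder folder ID
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    inherit_from_parent = true
    allow {
      values = ["in:eu-locations"]   # Google-defined value group
    }
  }
}

# Deliberate exception: one sandbox project below the folder switches the
# boolean constraint off again. For boolean constraints the policy on the
# nearest node wins, so this is the only project in the folder where the
# interactive serial console can be enabled. Keep such exceptions rare,
# reviewed and, as here, visible in version control.
resource "google_project_organization_policy" "serial_port_sandbox" {
  project    = "debug-sandbox-123456"   # placeholder project ID
  constraint = "constraints/compute.disableGlobalSerialPortAccess"

  boolean_policy {
    enforced = false
  }
}
```

Running terraform plan against this configuration shows the three policies as separate resources, which makes the exception as auditable as the rule it relaxes.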

Let’s see how you can automate cloud security policy deployment.

Advantages of Policy as Code

Once we identify the security policies, we can explore how to implement them. The recommended method involves the policy-as-code paradigm, which offers distinct advantages. This approach automates deploying and managing GCP resources, minimising human errors. It also enhances the visibility of security policies, enabling tracking changes, conducting audits, and maintaining an auditable history of policy revisions.

You can implement policies as code in GCP through two effective methods:

  1. Google Cloud Deployment Manager: Google's native service for creating and managing GCP resources from templates, including policies as code. Note that Google has since announced the end of support for Deployment Manager, so new policy-as-code work should not start there.
  2. Terraform: an infrastructure-as-code tool that offers a consistent CLI workflow for managing many cloud services, allowing you to create and manage policies as code. Terraform moved from the MPL open-source licence to the source-available Business Source License in August 2023; the community fork OpenTofu remains open source.

Terraform's multi-cloud compatibility, ease of use and large ecosystem of providers and modules make it the better option for implementing cloud security policies as code in GCP compared to Google Cloud Deployment Manager, which is tied to a single cloud. Its widespread adoption also means the patterns shown here are familiar to most platform teams. Finally, Terraform reduces the risk of vendor lock-in and works with both on-premises and cloud infrastructure.

Let’s take a quick look at the key benefits for organisations using Terraform to manage security policies in the cloud.

Leveraging Terraform for cloud security policies

Terraform’s capabilities extend beyond its role in provisioning and maintaining Google Cloud Platform (GCP) resources. It also helps reduce human error, provides change tracking and preserves policy history. Specifically, Terraform allows policies to be defined using HashiCorp Configuration Language (HCL) or JSON syntax, providing versatility that addresses various security concerns such as IAM, network security, encryption and logging. These adaptable methods help organisations efficiently implement policies, automate resource management and ensure compliance within cloud infrastructures.

Let’s take a look at some practical examples.

How to implement cloud security policies with Terraform

When strengthening cloud security with Terraform, you take a comprehensive range of measures to ensure robust protection and compliance, including:

  1. Disabling Global Access to VM Serial Ports for Compute Engine Services
  2. Restricting TLS Versions
  3. Enforcing Public Access Prevention for Cloud Storage services
  4. Configuring Shielded VMs for Compute Engine Services
  5. Setting service account key expiry duration for Identity and Access Management

These settings matter because they are frequently misconfigured and a single mistake exposes a significant risk, so it pays to enforce them centrally rather than rely on per-resource configuration. We will implement them using the org-policy module from the terraform-google-modules collection, which streamlines the management of organization policies in a GCP environment.

Simpler cloud security with the org-policy module

The org-policy module makes managing organization policies for your Google Cloud environment easier. Org Policies complement Identity and Access Management (IAM): IAM decides who may act on a resource, whereas Org Policy decides which resource configurations are allowed at all, regardless of who requests them. Benefits include:

  • Improved security and reduced operational burden for cloud users. Org policies block whole classes of misconfiguration before they are deployed, which is cheaper than detecting and remediating them afterwards.
  • Where strict data residency rules apply, the resource locations constraint (constraints/gcp.resourceLocations) restricts the regions in which new resources can be created.
  • Administrators can use a custom Org Policy to block the creation or update of Google Kubernetes Engine (GKE) clusters or Cloud Run services that do not meet a required configuration, for example one that would allow unverified images to run, so that only trusted deployments are allowed.

Now let’s acquaint ourselves with the variables used and examine the implementation examples.

  • policy_for: the level at which the policy is applied; one of "organization", "folder" or "project".
  • constraint: the name of the constraint to set, such as constraints/compute.requireShieldedVm (you can see the full list here).
  • project_id, folder_id and organization_id: identify the node the policy targets; set the one that matches policy_for. Note the spelling: the module's variable is organization_id, and a misspelled argument such as organisation_id is rejected by Terraform.
  • policy_type: either "boolean", for constraints that are simply enforced or not (set enforce = true or false), or "list", for constraints that take allowed or denied values supplied in square brackets through allow or deny, together with allow_list_length or deny_list_length.

You can refer to the complete list of variables here.

Disable Global Access to VM Serial Ports for Compute Engine services

This constraint disables global serial port access for Compute Engine VMs. By default, users can enable the interactive serial console on an instance, which exposes a console login prompt reachable through Google's serial console service from outside your VPC network. Enforcing the constraint blocks that setting on all instances in scope.

module "disableGlobalSerialPortAccess" {
  source          = "terraform-google-modules/org-policy/google"
  version         = "~> 5.2.2"
  policy_for      = "project"
  project_id      = "XXXXXXXXX"
  constraint      = "constraints/compute.disableGlobalSerialPortAccess"
  policy_type     = "boolean"
  organization_id = "XXXXXXXXX" # only used when policy_for = "organization"
  enforce         = true
}

Restrict TLS Versions

This constraint defines the set of TLS versions that clients may not use when connecting to Google Cloud APIs within the policy's scope. By default, all TLS versions are allowed; denying TLS 1.0 and 1.1 rejects legacy clients that rely on protocol versions with known weaknesses.

module "restrictTLSVersion" {
  source           = "terraform-google-modules/org-policy/google"
  version          = "~> 5.2.2"
  policy_for       = "project"
  project_id       = "XXXXXXXXX"
  constraint       = "constraints/gcp.restrictTLSVersion"
  policy_type      = "list"
  organization_id  = "XXXXXXXXX"
  deny             = ["TLS_VERSION_1", "TLS_VERSION_1_1"]
  deny_list_length = 2
}

Enforce Public Access Prevention for Cloud Storage services

Protect your Cloud Storage data from public exposure by enforcing public access prevention. When enforced, no bucket in scope can grant access to allUsers or allAuthenticatedUsers through IAM or ACLs, regardless of the bucket's own setting.

module "publicAccessPrevention" {
  source          = "terraform-google-modules/org-policy/google"
  version         = "~> 5.2.2"
  policy_for      = "project"
  project_id      = "XXXXXXXXX"
  constraint      = "constraints/storage.publicAccessPrevention"
  policy_type     = "boolean"
  organization_id = "XXXXXXXXX"
  enforce         = true
}

Shielded VMs for Compute Engine services

This constraint, when set to True, requires that all new Compute Engine VM instances use Shielded VM images with Secure Boot, vTPM and integrity monitoring enabled. It applies to instance creation; existing instances are not modified and must be migrated separately.

module "shieldedvm" {
  source          = "terraform-google-modules/org-policy/google"
  version         = "~> 5.2.2"
  policy_for      = "project"
  project_id      = "XXXXXXXXX"
  constraint      = "constraints/compute.requireShieldedVm"
  policy_type     = "boolean"
  organization_id = "XXXXXXXXX"
  enforce         = true
}

Service account key expiry duration in hours for Identity and Access Management

This constraint sets the maximum lifetime for user-managed service account keys created after the policy takes effect. By default, such keys never expire. The allowed values are a fixed set of durations published by Google (for example 24h, 720h or 2160h). Keys that already exist are not affected, so rotate or delete them separately.

module "serviceaccountskeyrotation" {
  source            = "terraform-google-modules/org-policy/google"
  version           = "~> 5.2.2"
  policy_for        = "project"
  project_id        = "XXXXXXXXX"
  constraint        = "constraints/iam.serviceAccountKeyExpiryHours"
  policy_type       = "list"
  organization_id   = "XXXXXXXXX"
  allow             = ["2160h"] # 90 days
  allow_list_length = 1
}

Of course, you must also configure Terraform with the Google Cloud provider and grant the identity that runs it permission to manage policies: the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) on the node where the policies are set. We recommend this reference to get you started.

You must also enable the Organization Policy API (orgpolicy.googleapis.com) to configure governance rules on Google Cloud resources.

# Enable the Organization Policy API
resource "google_project_service" "orgpolicy_api" {
  service = "orgpolicy.googleapis.com"
  project = "XXXXXXXXX"
}

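Putting the pieces together, here is an added example (not from the original article) of a complete root module: provider configuration, enabling the Org Policy API, and applying several boolean constraints from a single map with for_each rather than one module block per constraint, with depends_on ensuring the API is enabled before any policy is created. The project ID is a placeholder. constraints/iam.disableServiceAccountKeyCreation is included as a companion to the key-expiry constraint above even though the article does not list it; drop it from the map if you still need to mint user-managed keys.

```hcl
# Added example, not from the original article. The project ID is a
# placeholder; the identity running `terraform apply` needs
# roles/orgpolicy.policyAdmin on the project plus permission to enable APIs.

terraform {
  required_version = ">= 1.3"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.50"
    }
  }
}

variable "project_id" {
  type    = string
  default = "my-project-123456"   # placeholder
}

provider "google" {
  project = var.project_id
}

# Enable the Org Policy API. disable_on_destroy = false keeps the API on if this
# configuration is ever destroyed, so other policies in the project keep working.
resource "google_project_service" "orgpolicy" {
  project            = var.project_id
  service            = "orgpolicy.googleapis.com"
  disable_on_destroy = false
}

# Boolean constraints to enforce. Adding one is a single line here, and the
# whole set stays reviewable in one place.
locals {
  boolean_constraints = {
    disable_global_serial_port = "constraints/compute.disableGlobalSerialPortAccess"
    require_shielded_vm        = "constraints/compute.requireShieldedVm"
    public_access_prevention   = "constraints/storage.publicAccessPrevention"
    # Not in the article's list: blocks creation of user-managed service
    # account keys entirely, which is stronger than only capping their lifetime.
    disable_sa_key_creation    = "constraints/iam.disableServiceAccountKeyCreation"
  }
}

# One module instance per constraint, all enforced at project level.
module "boolean_policy" {
  source   = "terraform-google-modules/org-policy/google"
  version  = "~> 5.2.2"
  for_each = local.boolean_constraints

  policy_for  = "project"
  project_id  = var.project_id
  constraint  = each.value
  policy_type = "boolean"
  enforce     = true

  depends_on = [google_project_service.orgpolicy]
}

output "enforced_constraints" {
  description = "Constraints enforced on the project by this configuration."
  value       = sort(values(local.boolean_constraints))
}
```

To apply a constraint at folder or organisation level instead, change policy_for and supply folder_id or organization_id in place of project_id; the for_each structure stays the same.
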
That’s it! As you can see, it’s not as difficult as it might seem at first.

Final thoughts: cloud security policies, automation and full compliance

We hope this article will serve as a guide for strengthening your cloud security on the Google Cloud Platform (GCP). Cloud security policies are the cornerstone, providing a comprehensive framework of rules, guidelines and best practices to protect valuable digital assets from modern cyber threats.

The CIS Google Cloud Platform Foundation Benchmark provides a tangible pathway for implementing security policies effectively. The Organization Policy Service within GCP is the linchpin, allowing you to enforce constraints and ensure consistent security configurations across all levels of your cloud infrastructure.

Implementing these security measures as code through Terraform is a practical strategy rather than a marketing slogan. Terraform's versatility, ease of use and adaptability let you automate security policy deployment and resource management, minimising errors and maintaining compliance.

Using the approach outlined in this article, you ensure comprehensive compliance across your cloud infrastructure and strengthen your organisation’s security posture:

  • Leverage the Organization Policy Service: Understand how organisational policies establish security and compliance.
  • Align with GCP constraints: Efficiently implement security requirements by aligning them with GCP organisational policy constraints.
  • Deploy policies as code: Explore the benefits of policies as code and apply them using Terraform.
  • Practical Illustrations: Gain insights from practical scenarios such as enforcing public access prevention for cloud storage and other real-world cases.

This article equips you with a roadmap for strengthening your cloud security posture. By adopting cloud security policies, leveraging GCP tools and adopting the policy-as-code paradigm, you can ensure the security, integrity and availability of your cloud-based assets while navigating the complex terrain of cloud computing.

Written by

Mateusz Borowski Cloud Security Engineer Aug 23, 2023