Google Cloud folders are not structured by environment and sensitivity
- Contextual name: Folders are not structured by environment and sensitivity
- ID: /ce/ca/google/project/folders-structured-by-environment-and-sensitivity
- Tags:
  - Impossible policy
  - Policy with categories
  - Policy with type
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Description
Google Cloud Resource Manager folders should be structured primarily by environment, such as production, non-production, and sandbox, and by sensitivity, such as security, logging, shared services, or regulated workloads.
Rationale
Folders provide a hierarchy for inherited IAM policies, organization policies, and other guardrails. A folder structure aligned to environment and sensitivity helps apply consistent controls to projects with similar risk profiles. Ad hoc or organization-chart-based structures can make policy inheritance harder to reason about and can mix workloads with different security requirements.
Impact
Changing folder structure can affect inherited IAM permissions, organization policies, automation, and operational ownership. Plan and test project moves before applying changes to production workloads.
Audit
From Google Cloud Console
- Open the Google Cloud Console at https://console.cloud.google.com.
- Select the organization.
- Go to IAM & Admin > Manage resources.
- Review the folder hierarchy.
Remediation
From Google Cloud Console
- Define the target folder hierarchy based on environment and sensitivity.
- Create folders for major environments and sensitive workload groupings.
- Apply organization policies, IAM policies, and guardrails at the appropriate folder levels.
- Move projects into the correct folders after validating inherited policy and permission changes.
- Review the folder hierarchy periodically as projects and compliance requirements change.
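The console audit above is manual. As an added example (not Cloudaware's or Google's code), the script below applies the same check to a folder listing so it can be repeated as the hierarchy changes: top-level folders must be named for an environment and second-level folders for a sensitivity grouping, and anything else is reported. It assumes the input has the shape of the JSON printed by `gcloud resource-manager folders list --organization=ORG_ID --format=json` (fields `name`, `displayName`, `parent`, `lifecycleState`); the naming patterns, the organization ID and the folder list itself are constructed for this example and should be replaced with your own conventions and a real listing.

```python
"""Audit a Google Cloud folder hierarchy for environment/sensitivity structure.

Added example, not part of the policy page. The folder records below are
constructed; in practice feed in the output of
`gcloud resource-manager folders list --organization=ORG_ID --format=json`
(run once per folder as well if you need folders nested more than two deep).
"""
import json
import re
import sys

# Naming conventions enforced by this check (assumptions of this example,
# not Google requirements). Adjust them to your organization's standard.
ENVIRONMENT_PATTERN = re.compile(
    r"(prod|production|non-?prod|non-production|sandbox|dev|development|test|staging)",
    re.IGNORECASE,
)
SENSITIVITY_PATTERN = re.compile(
    r"(security|logging|shared-services|regulated|pci|hipaa)",
    re.IGNORECASE,
)

SAMPLE_ORG_ID = "123456789012"  # constructed organization ID

# Constructed listing in the shape gcloud prints. folders/102 is an
# org-chart style folder at the top level and folders/201 is a team folder
# under production; both violate the convention. folders/103 is pending
# deletion and is ignored.
SAMPLE_FOLDERS_JSON = """[
  {"name": "folders/100", "displayName": "production",
   "parent": "organizations/123456789012", "lifecycleState": "ACTIVE"},
  {"name": "folders/101", "displayName": "non-production",
   "parent": "organizations/123456789012", "lifecycleState": "ACTIVE"},
  {"name": "folders/102", "displayName": "marketing",
   "parent": "organizations/123456789012", "lifecycleState": "ACTIVE"},
  {"name": "folders/103", "displayName": "old-stuff",
   "parent": "organizations/123456789012", "lifecycleState": "DELETE_REQUESTED"},
  {"name": "folders/200", "displayName": "security",
   "parent": "folders/100", "lifecycleState": "ACTIVE"},
  {"name": "folders/201", "displayName": "team-alpha",
   "parent": "folders/100", "lifecycleState": "ACTIVE"},
  {"name": "folders/202", "displayName": "logging",
   "parent": "folders/101", "lifecycleState": "ACTIVE"}
]"""


def build_tree(folders):
    """Group active folders by their parent resource name."""
    by_parent = {}
    for folder in folders:
        if folder.get("lifecycleState", "ACTIVE") != "ACTIVE":
            continue  # folders pending deletion are not part of the live hierarchy
        by_parent.setdefault(folder["parent"], []).append(folder)
    return by_parent


def audit_hierarchy(folders, org_id):
    """Return a list of findings; an empty list means the convention holds."""
    by_parent = build_tree(folders)
    findings = []
    top_level = by_parent.get(f"organizations/{org_id}", [])
    if not top_level:
        findings.append({
            "folder": None,
            "issue": "no active folders under the organization; projects are "
                     "probably attached directly to the organization node",
        })
    for env_folder in top_level:
        if not ENVIRONMENT_PATTERN.fullmatch(env_folder["displayName"]):
            findings.append({
                "folder": env_folder["name"],
                "issue": f"top-level folder '{env_folder['displayName']}' is not "
                         "named for an environment",
            })
            continue  # children of a mis-placed folder are reported via their parent
        for child in by_parent.get(env_folder["name"], []):
            if not SENSITIVITY_PATTERN.fullmatch(child["displayName"]):
                findings.append({
                    "folder": child["name"],
                    "issue": f"folder '{child['displayName']}' under "
                             f"'{env_folder['displayName']}' is not a sensitivity grouping",
                })
    return findings


if __name__ == "__main__":
    # Usage: python audit_folders.py [folders.json] [ORG_ID]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FOLDERS_JSON
    org = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_ORG_ID
    print(json.dumps(audit_hierarchy(json.loads(source), org), indent=2))
```

Run it after each project move from the remediation steps above to confirm the hierarchy still matches the target structure; a folder named for a team or department at either level shows up as a finding, which is the symptom of the org-chart structure the rationale warns against.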
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS GCP v5.0.0 > 1.1.3 Ensure Folders Are Structured By Environment And Sensitivity - Level 2 (Manual) | 1 | no data | | | |
| Cloudaware Framework > General Access Controls | 23 | no data | | | |