Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-gcp-organization-policy-constraintsExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-gcp-organization-policy-constraints from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-gcp-organization-policy-constraints. Access via /implementing-gcp-organization-policy-constraints in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-gcp-organization-policy-constraints |
| description | Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels. |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - gcp - organization-policy - constraints - governance - compliance - cloud-security - resource-manager |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
The GCP Organization Policy Service provides centralized and programmatic control over cloud resources. Organization policies configure constraints that restrict one or more Google Cloud services, enforced at organization, folder, or project levels. They improve security by blocking external IPs, requiring encryption, and minimizing unauthorized access. Changes can take up to 15 minutes to propagate.
gcloud CLI configured and authenticatedroles/orgpolicy.policyAdmin)Policies inherit from the lowest ancestor with an enforced policy. If no ancestor has a policy, Google's managed default behavior applies.
# Deny external IP addresses on all VMs
gcloud resource-manager org-policies set-policy \
--organization=ORGANIZATION_ID \
policy.yaml
policy.yaml:
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
allValues: DENY
gcloud org-policies set-policy \
--organization=ORGANIZATION_ID \
location-policy.yaml
location-policy.yaml:
constraint: constraints/gcp.resourceLocations
listPolicy:
allowedValues:
- "in:us-locations"
- "in:eu-locations"
constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
booleanPolicy:
enforced: true
constraint: constraints/compute.requireOsLogin
booleanPolicy:
enforced: true
constraint: constraints/compute.disableSerialPortAccess
booleanPolicy:
enforced: true
constraint: constraints/storage.uniformBucketLevelAccess
booleanPolicy:
enforced: true
constraint: constraints/sql.restrictPublicIp
booleanPolicy:
enforced: true
constraint: constraints/iam.disableServiceAccountKeyCreation
booleanPolicy:
enforced: true
resource "google_organization_policy" "restrict_vm_external_ip" {
org_id = var.org_id
constraint = "constraints/compute.vmExternalIpAccess"
list_policy {
deny {
all = true
}
}
}
resource "google_organization_policy" "restrict_locations" {
org_id = var.org_id
constraint = "constraints/gcp.resourceLocations"
list_policy {
allow {
values = ["in:us-locations", "in:eu-locations"]
}
}
}
resource "google_organization_policy" "require_os_login" {
org_id = var.org_id
constraint = "constraints/compute.requireOsLogin"
boolean_policy {
enforced = true
}
}
resource "google_folder_organization_policy" "dev_folder_external_ip" {
folder = google_folder.dev.name
constraint = "constraints/compute.vmExternalIpAccess"
list_policy {
allow {
values = ["projects/dev-project/zones/us-central1-a/instances/bastion-host"]
}
}
}
Use Policy Intelligence tools to test changes before enforcement:
# Create a dry-run policy to monitor impact
gcloud org-policies set-policy \
--organization=ORGANIZATION_ID \
dry-run-policy.yaml
dry-run-policy.yaml:
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
allValues: DENY
dryRunSpec: true
# Check violations against dry-run policy
gcloud org-policies list-custom-constraints \
--organization=ORGANIZATION_ID
# custom-constraint.yaml
name: organizations/ORGANIZATION_ID/customConstraints/custom.disableGKEAutoUpgrade
resourceTypes:
- container.googleapis.com/NodePool
methodTypes:
- CREATE
- UPDATE
condition: "resource.management.autoUpgrade == true"
actionType: DENY
displayName: Deny GKE auto-upgrade on node pools
description: Prevents enabling auto-upgrade on GKE node pools for controlled upgrades
gcloud org-policies set-custom-constraint custom-constraint.yaml
gcloud org-policies list --organization=ORGANIZATION_ID
gcloud org-policies describe constraints/compute.vmExternalIpAccess \
--organization=ORGANIZATION_ID
gcloud asset search-all-resources \
--scope=organizations/ORGANIZATION_ID \
--query="policy:constraints/compute.vmExternalIpAccess"
| Constraint | Type | Scope | Purpose |
|---|---|---|---|
| compute.vmExternalIpAccess | List/Deny | Org | Prevent public VM IPs |
| gcp.resourceLocations | List/Allow | Org | Restrict to approved regions |
| iam.disableServiceAccountKeyCreation | Boolean | Org | Force Workload Identity |
| compute.requireOsLogin | Boolean | Org | Mandate OS Login for SSH |
| storage.uniformBucketLevelAccess | Boolean | Org | Enforce uniform bucket access |
| sql.restrictPublicIp | Boolean | Org | No public Cloud SQL |
| compute.disableSerialPortAccess | Boolean | Org | Disable serial port |
| compute.disableNestedVirtualization | Boolean | Org | No nested VMs |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
I recommend implementing-gcp-organization-policy-constraints for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
implementing-gcp-organization-policy-constraints fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for implementing-gcp-organization-policy-constraints matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: implementing-gcp-organization-policy-constraints is focused, and the summary matches what you get after install.
Useful defaults in implementing-gcp-organization-policy-constraints — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added implementing-gcp-organization-policy-constraints from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
implementing-gcp-organization-policy-constraints reduced setup friction for our internal harness; good balance of opinion and flexibility.
Registry listing for implementing-gcp-organization-policy-constraints matched our evaluation — installs cleanly and behaves as described in the markdown.
Keeps context tight: implementing-gcp-organization-policy-constraints is the kind of skill you can hand to a new teammate without a long onboarding doc.
implementing-gcp-organization-policy-constraints is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 57