Building flexible multi-team cloud platform for enterprise GCP customers

Published On: September 5, 2024

Enterprise customers often face challenges in managing multi-team cloud platforms on GCP. Teams often desire flexibility and control over their environments, while central organizations must maintain governance and security. This article outlines a design for a flexible and secure multi-team cloud platform addressing these needs.

Key Design Principles

The proposed design leverages three core components:

  • IAM (Identity and Access Management): Controls access to resources.
  • Organization Policies: Defines global rules for the environment.
  • Hierarchical Firewalls: Provides granular network security.

Empowering Teams with IAM

To give teams flexibility and control, their IaC deployment service accounts are granted specific predefined IAM roles to perform the following functions:

  • Create, delete, and move projects
  • Create and delete service accounts
  • Create and delete folders
  • Manage IAM at folder and project level

These functions enable teams to create and manage their projects, service accounts, and IAM permissions within specified folders. Tags and IAM conditions can restrict these permissions to specific team folders.

Centralized Governance with Organization Policies

The central organization team utilizes organization policies to establish and enforce controls across the entire environment. Some crucial policies include:

  • gcp.restrictServiceUsage: Limits the services teams can use.
  • iam.disableServiceAccountKeyCreation: Prevents the creation of service account keys.
  • iam.automaticIamGrantsForDefaultServiceAccounts: Restricts automatic IAM grants to default service accounts.
  • run.allowedBinaryAuthorizationPolicies: Mandates binary authorization for Cloud Run services.
  • compute.skipDefaultNetworkCreation: Stops the automatic creation of default networks.

You can refer to Google Cloud security best practices for an extensive list of recommended policies.
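As an added example (not the post's own code), the following Terraform applies the organization policies listed above and grants one team's deployment service account the predefined roles from the IAM section on that team's folder only, so the grant cannot reach other teams' folders. The organization id, folder id, service account email and allowed-service list are placeholders.

```hcl
# Added example, not from the original post. Placeholders: org id, the team's
# folder id, the team's deployment service account, and the allowed services.
locals {
  org_id         = "123456789012"                                        # placeholder
  team_folder    = "folders/111111111111"                                # placeholder
  team_deploy_sa = "team-a-deploy@platform-host.iam.gserviceaccount.com" # placeholder
}

# Boolean constraints from the list above, enforced for the whole organization.
resource "google_org_policy_policy" "enforce_bool" {
  for_each = toset([
    "iam.disableServiceAccountKeyCreation",
    "iam.automaticIamGrantsForDefaultServiceAccounts",
    "compute.skipDefaultNetworkCreation",
  ])
  name   = "organizations/${local.org_id}/policies/${each.key}"
  parent = "organizations/${local.org_id}"
  spec {
    rules { enforce = "TRUE" }
  }
}

# List constraints: only allow-listed services, and Cloud Run limited to the
# default Binary Authorization policy.
resource "google_org_policy_policy" "allow_lists" {
  for_each = {
    "gcp.restrictServiceUsage"               = ["compute.googleapis.com", "run.googleapis.com"] # placeholder list
    "run.allowedBinaryAuthorizationPolicies" = ["default"]
  }
  name   = "organizations/${local.org_id}/policies/${each.key}"
  parent = "organizations/${local.org_id}"
  spec {
    rules {
      values { allowed_values = each.value }
    }
  }
}

# Team autonomy: predefined roles bound on the team's own folder, not the org.
resource "google_folder_iam_member" "team_deploy" {
  for_each = toset([
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectDeleter",
    "roles/resourcemanager.projectMover",
    "roles/resourcemanager.folderCreator",
    "roles/resourcemanager.folderIamAdmin",
  ])
  folder = local.team_folder
  role   = each.key
  member = "serviceAccount:${local.team_deploy_sa}"
}
```

Because the bindings sit on the folder rather than the organization, a team's pipeline can only create, move and administer resources beneath its own folder, while the org-level policies still apply to everything it creates.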

Hierarchical Firewalls

Hierarchical firewall policies enforce organization-wide firewall rules that teams cannot override, such as blocking all outbound internet traffic from VPCs.

Conclusion

This design approach is particularly suitable for organizations with technically proficient teams capable of building their infrastructure. A factory approach might be preferable for organizations with less technical teams.

Additional Considerations

Service Account Impersonation: Lets Terraform pipelines act as the deployment service accounts without distributing service account keys, limiting Terraform's permissions to those of the impersonated account.

Monitoring and Alerting: Set alerts to detect unauthorized impersonation attempts on deployment service accounts.

Additional Security Controls: Explore VPC Service Controls and BeyondCorp to further enhance the security of your multi-team cloud platform.
