Anthropic-Cybersecurity-Skills/skills/implementing-gcp-organization-policy-constraints/references/workflows.md

Workflows - GCP Organization Policy Constraints

Implementation Workflow

1. Inventory Phase
   ├── List all existing organization policies
   ├── Identify current resource configurations
   ├── Map compliance requirements to constraints
   └── Document exceptions needed per team/project

2. Design Phase
   ├── Select constraints for baseline enforcement
   ├── Define exception policies for specific folders/projects
   ├── Plan hierarchy (Org → Folder → Project overrides)
   └── Document policy inheritance chain

3. Testing Phase
   ├── Deploy constraints in dry-run mode
   ├── Monitor violation logs for 2-4 weeks
   ├── Identify legitimate use cases requiring exceptions
   └── Refine policies based on dry-run results

4. Enforcement Phase
   ├── Convert dry-run policies to enforced mode
   ├── Apply exceptions at appropriate hierarchy level
   ├── Communicate changes to engineering teams
   └── Monitor for new violations

5. Ongoing Governance
   ├── Review policies quarterly
   ├── Audit exception requests
   ├── Update constraints for new GCP services
   └── Integrate with change management process

Exception Management Workflow

1. Request → Developer requests exception for specific constraint
2. Review → Security team evaluates risk and business justification
3. Approve → Exception approved with scope (project/folder) and duration
4. Implement → Policy override applied at lowest necessary scope
5. Audit → Regular review of active exceptions
6. Expire → Time-bound exceptions automatically revert