What's new?

• Added prevention examples for the Enforce CMEK for GCP Vertex AI endpoints, Enforce approved foundation models for GCP Vertex AI, and Prohibit consumer Gemini API for GCP objectives, which previously had no example. Each example shows the predefined organization policy to apply: requiring customer-managed encryption keys for Vertex AI via gcp.restrictNonCmekServices, restricting Vertex AI to an approved model allow-list via vertexai.allowedModels and vertexai.allowedGenAIModels, and denying the consumer Gemini API via gcp.restrictServiceUsage.
• Added four GCP Notebooks prevention objectives for Vertex AI Workbench instances: enforce customer-managed encryption keys (CMEK), enforce idle shutdown, enforce no public IP, and enforce root access disabled. Each is evaluated through the corresponding GCP > Notebooks > Instance control, so they require @turbot/gcp-notebooks 5.4.0 or later in the workspace.

Bug fixes

• Fixed the Enforce rotation for GCP API keys and Enforce key rotation for GCP service account keys objectives so age-based key rotation actually works. The previous examples used the GCP > IAM > API Key > Approved and GCP > IAM > Service Account Key > Approved controls, which only re-check when policy inputs change, so the age calculation never ran on a schedule and keys past their rotation age were never flagged. The examples now use GCP > IAM > API Key > Active and GCP > IAM > Service Account Key > Active controls, which re-evaluate on a schedule and correctly enforce the configured max key age.

Prevention Objectives

Added

• Enforce CMEK for GCP Notebooks instances
• Enforce idle shutdown for GCP Notebooks instances
• Enforce no public IP for GCP Notebooks instances
• Enforce root access disabled for GCP Notebooks instances

Prevention Examples

Added

• Enforce CMEK for GCP Vertex AI endpoints
• Enforce approved foundation models for GCP Vertex AI
• Prohibit consumer Gemini API for GCP