Control data exfiltration

Before you begin

To control data exfiltration, you must have the necessary identity and access roles:

  • Project Editor: has access to manage and delete projects. Ask your Organization IAM Admin to grant you the Project Editor (project-editor) role.

Prevent data exfiltration

You can prevent data exfiltration from a GDC project by enabling data exfiltration protection when you create the project.

To enable data exfiltration protection, follow these steps when creating a project:

  1. Within the GDC console, navigate to Projects.
  2. Click the Add Project button to create a project.
  3. Complete the required information for your project on the Project name and Attach clusters pages.
  4. On the Network page, ensure the Enable data exfiltration protection checkbox is checked.
  5. Click Next.
  6. Review the details on the Review page.
  7. Click Create.

Disable data exfiltration protection

By default, a project has data exfiltration protection enabled. The following are the default policies for a project with data exfiltration protection enabled:

  • Allow inbound traffic only from the same project. All other traffic is denied.
  • Allow outbound traffic to all destinations within the same organization. All other traffic is denied, which means that external traffic outside your organization is denied.

With data exfiltration protection enabled, you cannot create ProjectNetworkPolicy resources for outbound traffic.

If you disable data exfiltration protection by clearing the corresponding checkbox in the GDC console for a project, the default policies for the project are the following:

  • Allow inbound traffic only from the same project. All other traffic is denied.
  • Allow outbound traffic to all destinations, including external projects from other organizations.

Work through the following steps to disable data exfiltration protection for a project:

  1. In the GDC console, go to Projects in the navigation menu.
  2. Click the name of the project where you want to disable data exfiltration protection.
  3. Click Edit on the Data exfiltration protection field.
  4. On the Edit data exfiltration protection page, clear the Enable data exfiltration protection checkbox.
  5. Click Save. The Data exfiltration protection field changes its value to Disabled.

You must create ProjectNetworkPolicy egress policies for your projects to restrict the outbound traffic. For more information, see Configure project network policies.