By default, users in your project can create persistent disks or copy images using any of the public images and any images that principals can access through IAM roles. However, in some situations you might want to restrict principals so that they can create boot disks only from images that contain approved software that meets your policy or security requirements.
Limitations:
- Trusted image policies do not restrict access to the following images:
  - Custom images in your local project.
  - Image files in Cloud Storage buckets.
- Trusted image policies do not prevent users from creating image resources in their local projects.
To deny access to all images outside of the custom images in your project, use the following example:
```yaml
constraint: constraints/compute.trustedImageProjects
listPolicy:
  allValues: DENY
```
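The following is an added example, not code from the original page or from Google: a simplified model of how this policy decides whether a boot disk image is usable, including the limitation that custom images in the local project are not restricted. It goes beyond the page's deny-all case to cover the `allowedValues` and `deniedValues` list fields; the function names, the local project `my-project`, and the sample image paths are constructed, and inheritance from parent resources is not modeled.

```python
import re

CONSTRAINT = "constraints/compute.trustedImageProjects"
# The page's policy, as the dict a YAML loader would produce from it.
DENY_ALL = {"constraint": CONSTRAINT, "listPolicy": {"allValues": "DENY"}}
IMAGE_PATH = re.compile(r"^projects/([^/]+)/global/images/[^/]+$")


def evaluate(policy, local_project, image):
    """Return (allowed, reason) for creating a boot disk from `image`."""
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError("not a trusted image policy")
    match = IMAGE_PATH.match(image)
    if not match:
        raise ValueError(f"not an image resource path: {image!r}")
    owner = match.group(1)
    # Limitation stated on the page: custom images in the local project
    # are never restricted by this policy.
    if owner == local_project:
        return True, "local project image, outside the policy's scope"
    rules = policy.get("listPolicy", {})
    value = f"projects/{owner}"
    if rules.get("allValues") in ("ALLOW", "DENY"):
        return rules["allValues"] == "ALLOW", f"allValues: {rules['allValues']}"
    if value in rules.get("deniedValues", []):
        return False, f"{value} is in deniedValues"
    allowed = rules.get("allowedValues")
    if allowed is not None and value not in allowed:
        return False, f"{value} is not in allowedValues"
    return True, "no rule excludes " + value


def blocked(policy, local_project, images):
    """Return the images from `images` that the policy would refuse."""
    return [i for i in images if not evaluate(policy, local_project, i)[0]]


if __name__ == "__main__":
    # Constructed sample paths; "my-project" is a hypothetical local project.
    samples = [
        "projects/my-project/global/images/golden-v1",
        "projects/debian-cloud/global/images/debian-12",
    ]
    for path in samples:
        print(path, evaluate(DENY_ALL, "my-project", path))
```

Running `blocked` over an inventory of boot disk source images before applying a policy shows which existing workflows would break, and which local images remain usable and therefore need their own review process.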