CMEK organization policies

Google Cloud offers two organization policy constraints to help ensure CMEK usage across an organization:

  • constraints/gcp.restrictNonCmekServices is used to require CMEK protection.
  • constraints/gcp.restrictCmekCryptoKeyProjects is used to limit which Cloud KMS keys are used for CMEK protection.

CMEK organization policies only apply to newly created resources within supported Google Cloud services.

Required roles

To ensure that each user has the necessary permissions to check organization policies when creating resources, ask your administrator to grant each user the Organization Policy Viewer (roles/orgpolicy.policyViewer) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to check organization policies when creating resources. The exact permissions that are required are listed in the Required permissions section:

Required permissions

The following permissions are required to check organization policies when creating resources:

  • To view full organization policy details: orgpolicy.policy.get
  • To check organization policy when creating resources: orgpolicy.policies.check

Your administrator might also be able to give each user these permissions with custom roles or other predefined roles.

When organization policies are active, the orgpolicy.policies.check permission is required for Google Cloud console users who create resources that are protected by CMEK keys. Users without this permission can create CMEK-protected resources using the Google Cloud console, but they can select a CMEK key that isn't allowed by the restrictCmekCryptoKeyProjects constraint. When a key that does not meet this constraint is selected, resource creation eventually fails.

Note: The orgpolicy.policies.check permission is not visible in the Google Cloud console but has been added to all predefined roles that include the orgpolicy.policy.get permission. If your organization uses custom roles and CMEK organization policies, use the gcloud CLI to add the orgpolicy.policies.check permission to each role that can create resources. For more information, see Editing an existing custom role.

Require CMEK protection

To require CMEK protection for your organization, configure the constraints/gcp.restrictNonCmekServices organization policy.

As a list constraint, the accepted values for this constraint are Google Cloud service names (for example, bigquery.googleapis.com). Use this constraint by providing a list of Google Cloud service names and setting the constraint to Deny. This configuration blocks the creation of resources in these services if the resource is not protected by CMEK. In other words, requests to create a resource in the service don't succeed without specifying a Cloud KMS key. Additionally, this constraint blocks the removal of CMEK protection from resources in these services. This constraint can only be applied to supported services.

Caution: The creation of some Google Cloud resource types can trigger the creation of a resource type from a different service. Use caution when configuring this constraint in an environment with services that don't support CMEK. Requiring CMEK protection for a service that is CMEK-aware may prevent a CMEK-unaware service from creating resources and disrupt normal functioning.

Limit the use of Cloud KMS keys for CMEK

To limit which Cloud KMS keys are used for CMEK protection, configure the constraints/gcp.restrictCmekCryptoKeyProjects constraint.

As a list constraint, the accepted values are resource hierarchy indicators (for example, projects/PROJECT_ID, under:folders/FOLDER_ID, and under:organizations/ORGANIZATION_ID). Use this constraint by configuring a list of resource hierarchy indicators and setting the constraint to Allow. This configuration restricts supported services so that CMEK keys can be chosen only from the listed projects, folders, and organizations. Requests to create CMEK-protected resources in configured services don't succeed without a Cloud KMS key from one of the allowed resources. Where configured, this constraint applies to all supported services.

Note: This constraint by itself does not necessarily guarantee the use of customer-managed encryption keys from allowed projects within the specified services, because other methods of encryption might be available. To enforce the use of customer-managed encryption keys from allowed projects, you must apply both this constraint and the constraints/gcp.restrictNonCmekServices constraint.

Supported services

Each supported service and the constraint value to use when requiring CMEK:

  • Agent Assist: dialogflow.googleapis.com
  • AlloyDB for PostgreSQL: alloydb.googleapis.com
  • Apigee: apigee.googleapis.com
  • Application Integration: integrations.googleapis.com
  • Artifact Registry: artifactregistry.googleapis.com
  • Backup for GKE: gkebackup.googleapis.com
  • BigQuery: bigquery.googleapis.com
  • Bigtable: bigtable.googleapis.com
  • Cloud Composer: composer.googleapis.com
  • Cloud Data Fusion: datafusion.googleapis.com
  • Cloud Logging: logging.googleapis.com
  • Cloud Run: run.googleapis.com
  • Cloud Run functions: cloudfunctions.googleapis.com
  • Cloud SQL: sqladmin.googleapis.com
  • Cloud Storage: storage.googleapis.com
  • Cloud Tasks: cloudtasks.googleapis.com
  • Cloud Workstations: workstations.googleapis.com
  • Colab Enterprise: aiplatform.googleapis.com
  • Compute Engine: compute.googleapis.com
  • Customer Experience Insights: contactcenterinsights.googleapis.com
  • Dataflow: dataflow.googleapis.com
  • Dataform: dataform.googleapis.com
  • Dataplex Universal Catalog: dataplex.googleapis.com
  • Dataproc: dataproc.googleapis.com
  • Dialogflow CX: dialogflow.googleapis.com
  • Document AI: documentai.googleapis.com
  • Eventarc Advanced (Preview): eventarc.googleapis.com
  • Eventarc Standard: eventarc.googleapis.com
  • Filestore: file.googleapis.com
  • Firestore: firestore.googleapis.com
  • Gemini Enterprise: discoveryengine.googleapis.com
  • Google Cloud NetApp Volumes: netapp.googleapis.com
  • Google Kubernetes Engine (Preview): container.googleapis.com
  • Looker (Google Cloud core): looker.googleapis.com
  • Memorystore for Redis: redis.googleapis.com
  • Memorystore for Redis Cluster: redis.googleapis.com
  • Memorystore for Valkey: memorystore.googleapis.com
  • Pub/Sub: pubsub.googleapis.com
  • Secret Manager: secretmanager.googleapis.com
  • Secure Source Manager: securesourcemanager.googleapis.com
  • Security Command Center: securitycenter.googleapis.com
  • Spanner: spanner.googleapis.com
  • Speech-to-Text: speech.googleapis.com
  • Vertex AI: aiplatform.googleapis.com
  • Vertex AI Search: discoveryengine.googleapis.com
  • Vertex AI Workbench instances: notebooks.googleapis.com

CMEK organization policies and Storage Transfer Service

Storage Transfer Service doesn't have a CMEK integration but can be used with CMEK organization policies. If you use Storage Transfer Service and want to use CMEK to help protect the database credentials stored in Secret Manager, you must add both storagetransfer.googleapis.com and secretmanager.googleapis.com to the constraints/gcp.restrictNonCmekServices constraint. For more information, see the Storage Transfer Service CMEK documentation.

Caution: If you add storagetransfer.googleapis.com to this constraint but not secretmanager.googleapis.com, then the organization policy won't function as intended.

Enforcement exceptions by resource type

CMEK organization policy constraints are enforced when creating a new resource or when changing (where supported) the Cloud KMS key on an existing resource. Generally, they are enforced on all of a service's resource types that support CMEK and based solely on the resource's configuration. Some notable exceptions are summarized here:

Resource type and its enforcement exception:

  • bigquery.googleapis.com/Dataset: Partially enforced on the dataset default Cloud KMS key (gcp.restrictCmekCryptoKeyProjects only)
  • bigquery.googleapis.com/Job: Query jobs only; enforced on the Cloud KMS key provided with the query or the default from the billing project. See also the separate configuration of the project default Cloud KMS key.
  • bigquerydatatransfer.googleapis.com/TransferConfig: Transfer configs use the service name of the Data Transfer Service (bigquerydatatransfer.googleapis.com) for CMEK organization policy constraints.
  • container.googleapis.com/Cluster (Preview): Enforced on the Cloud KMS key for the node boot disk only; not enforced on secrets at the application layer
  • logging.googleapis.com/LogBucket: Enforced on explicitly created log buckets; see also the separate configuration required to ensure compliance of built-in log buckets
  • storage.googleapis.com/Bucket: Enforced on the bucket default Cloud KMS key
  • storage.googleapis.com/Object: Enforced independently of the bucket; see also the separate configuration of the bucket default Cloud KMS key

Configuration examples

In the configuration examples, assume the sample organization has the following resource hierarchy:

A diagram of an organization resource hierarchy

Note: CMEK organization policies only apply to newly created resources within supported services.

Require CMEK and limit keys for a project

Suppose you want to require CMEK protection for all Cloud Storage resources under projects/5 and ensure that only keys coming from projects/4 can be used.

To require CMEK protection for all new Cloud Storage resources, use the following organization policy setting:

  • Organization policy: constraints/gcp.restrictNonCmekServices
  • Binding at: projects/5
  • Policy type: Deny
  • Policy value: storage.googleapis.com

To ensure only keys from projects/4 are used, use the following configuration:

  • Organization policy: constraints/gcp.restrictCmekCryptoKeyProjects
  • Binding at: projects/5
  • Policy type: Allow
  • Policy value: projects/4

Require CMEK and limit keys to within a folder

Alternatively, suppose you're expecting to add additional Cloud KMS projects under folders/2 in the future and want to require CMEK more broadly within folders/3. For this scenario, you need slightly different configurations.

To require additional CMEK protection for new Cloud SQL and Cloud Storage resources anywhere under folders/3:

  • Organization policy: constraints/gcp.restrictNonCmekServices
  • Binding at: folders/3
  • Policy type: Deny
  • Policy values: sqladmin.googleapis.com, storage.googleapis.com

To ensure only keys from Cloud KMS projects under folders/2 are used:

  • Organization policy: constraints/gcp.restrictCmekCryptoKeyProjects
  • Binding at: folders/3
  • Policy type: Allow
  • Policy value: under:folders/2

Require CMEK for an organization

To require CMEK everywhere in the organization (in supported services), configure the constraints/gcp.restrictNonCmekServices constraint with the following setting:

  • Organization policy: constraints/gcp.restrictNonCmekServices
  • Binding at: organizations/1
  • Policy type: Deny
  • Policy values: (all supported services)
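As an added illustration (not Google's evaluation code), the following Python models how the two constraints from the folder example above decide a creation request in projects/5, including the under:folders/2 scope and the point from the earlier note that restrictCmekCryptoKeyProjects on its own does not force CMEK. It assumes the hierarchy organizations/1 > folders/2 > projects/4 and organizations/1 > folders/3 > projects/5 (the page's diagram is not reproduced here) and simplifies policy inheritance to "any rejecting policy in the ancestry wins".

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed hierarchy (child -> parent), not taken from the page: the Cloud KMS
# keys live in projects/4 and resources are created in projects/5.
PARENT = {"folders/2": "organizations/1", "folders/3": "organizations/1",
          "projects/4": "folders/2", "projects/5": "folders/3"}

def ancestors(node: str):
    """Yield the node itself, then each parent up to the organization."""
    while node:
        yield node
        node = PARENT.get(node)

@dataclass(frozen=True)
class Policy:
    binding: str  # resource the policy is bound at, e.g. "folders/3"
    # gcp.restrictNonCmekServices: Deny list of service names
    denied_services: FrozenSet[str] = frozenset()
    # gcp.restrictCmekCryptoKeyProjects: Allow list of hierarchy indicators
    allowed_key_scopes: Optional[FrozenSet[str]] = None

def scope_allows(scope: str, key_project: str) -> bool:
    """'projects/X' matches exactly; 'under:folders/Y' matches any descendant."""
    if scope.startswith("under:"):
        return scope[len("under:"):] in ancestors(key_project)
    return scope == key_project

def evaluate(policies, project: str, service: str,
             key: Optional[str] = None) -> Tuple[bool, str]:
    """Decide a request to create a `service` resource in `project`, optionally
    protected by a Cloud KMS key named 'projects/<id>/locations/...'.
    Simplified inheritance: any policy bound in the ancestry that rejects wins."""
    key_project = "/".join(key.split("/")[:2]) if key else None
    for p in policies:
        if p.binding not in ancestors(project):
            continue
        if service in p.denied_services and key is None:
            return False, f"{p.binding}: {service} requires a Cloud KMS key"
        # With no key this constraint has nothing to check, which is why the
        # page says both constraints are needed to force CMEK.
        if (key is not None and p.allowed_key_scopes is not None and
                not any(scope_allows(s, key_project) for s in p.allowed_key_scopes)):
            return False, f"{p.binding}: key project {key_project} is not allowed"
    return True, "allowed"

# The page's folder-scoped example expressed as policy objects.
FOLDER_3_POLICIES = [
    Policy("folders/3", frozenset({"sqladmin.googleapis.com", "storage.googleapis.com"})),
    Policy("folders/3", allowed_key_scopes=frozenset({"under:folders/2"})),
]
```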

Limitations

If you use the Google Cloud console to create a resource, you might notice that you can't use any encryption options other than CMEK when constraints/gcp.restrictNonCmekServices is configured for a project and service. The CMEK organization policy restriction is only visible when the customer account has been granted the orgpolicy.policy.get IAM permission on the project.

What's next

See Introduction to the Organization Policy Service to learn more about the benefits and common use cases for organization policies.

For more examples on creating an organization policy with particular constraints, see Using constraints.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.