Apply a CMEK organization policy

Google Cloud offers two organization policy constraints to enforce CMEK usage across an organization:

  • constraints/gcp.restrictNonCmekServices is used to require CMEK protection.

  • constraints/gcp.restrictCmekCryptoKeyProjects is used to limit which CMEK keys are used for protection.

CMEK organization policies only apply to newly created resources within supported Google Cloud services.

For more information about how this works, see Google Cloud resource hierarchy and CMEK organization policies.

Control CMEK use with an organization policy

NetApp Volumes integrates with CMEK organization policy constraints to let you specify encryption compliance requirements for NetApp Volumes resources in your organization.

This integration lets you do the following:

Require CMEKs for all NetApp Volumes resources

A common policy is to require CMEKs to be used to protect all resources in an organization. You can use the constraints/gcp.restrictNonCmekServices constraint to enforce this policy in NetApp Volumes.

If set, this organization policy causes all resource creation requests without a specified Cloud KMS key to fail.

After you set this policy, it applies only to new resources in the project. Any existing resources without Cloud KMS keys set continue to exist and are accessible without issue.

Use the following instructions to enforce CMEK use for NetApp Volumes resources using the Google Cloud console or Google Cloud CLI.

Console

  1. Open the Organization policies page.

  2. In the Filter field, enter constraints/gcp.restrictNonCmekServices, and then click Restrict which services may create resources without CMEK.

  3. Click Manage Policy.

  4. On the Edit policy page, select Override parent's policy.

  5. Select Add a rule.

  6. Under Policy values, select Custom.

  7. Under Policy type, select Deny.

  8. In the Custom values field, enter is:netapp.googleapis.com.

  9. Click Done, and then click Set policy.

gcloud

  1. Create a temporary file /tmp/policy.yaml to store the policy:

      name: projects/PROJECT_ID/policies/gcp.restrictNonCmekServices
      spec:
        rules:
        - values:
            deniedValues:
            - is:netapp.googleapis.com

    Replace PROJECT_ID with the project ID of the project you want to use.

  2. Run the org-policies set-policy command:

      gcloud org-policies set-policy /tmp/policy.yaml

To verify that the policy is successfully applied, you can try to create a storage pool in the project. The process fails unless you specify a Cloud KMS key.

Restrict Cloud KMS keys for a NetApp Volumes project

You can use the constraints/gcp.restrictCmekCryptoKeyProjects constraint to restrict which Cloud KMS keys can be used to protect NetApp Volumes resources in a project.

You might specify a rule, for example, "For all NetApp Volumes resources in projects/my-company-data-project, Cloud KMS keys used in this project must come from projects/my-company-central-keys OR projects/team-specific-keys."

Use the following instructions to restrict the Cloud KMS keys allowed for a NetApp Volumes project using the Google Cloud console or Google Cloud CLI.

Console

  1. Open the Organization policies page.

  2. In the Filter field, enter constraints/gcp.restrictCmekCryptoKeyProjects, and then click Restrict which projects may supply KMS CryptoKeys for CMEK.

  3. Click Manage Policy.

  4. On the Edit policy page, select Override parent's policy.

  5. Select Add a rule.

  6. Under Policy values, select Custom.

  7. Under Policy type, select Allow.

  8. In the Custom values field, enter the following:

    under:projects/KMS_PROJECT_ID

    Replace KMS_PROJECT_ID with the project ID where the Cloud KMS keys you want to use are located.

    For example, under:projects/my-kms-project.

  9. Click Done, and then click Set policy.

gcloud

  1. Create a temporary file /tmp/policy.yaml to store the policy:

      name: projects/PROJECT_ID/policies/gcp.restrictCmekCryptoKeyProjects
      spec:
        rules:
        - values:
            allowedValues:
            - under:projects/KMS_PROJECT_ID

    Where:

    • PROJECT_ID is the project ID of the project you want to use.
    • KMS_PROJECT_ID is the project ID where the Cloud KMS keys you want to use are located.

  2. Run the org-policies set-policy command:

      gcloud org-policies set-policy /tmp/policy.yaml

To verify that the policy is successfully applied, you can try to create a storage pool using a Cloud KMS key from a different project. The process will fail.
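The two gcloud procedures above, combined into one added example that is not part of the NetApp Volumes documentation: shell functions that validate the project IDs, render the two policy files shown above, apply them with gcloud org-policies set-policy, and run a client-side preflight that checks a Cloud KMS key resource name against the under:projects/ rule before a storage pool is created. The project IDs and key names are placeholders, and only apply_cmek_policies calls gcloud.

```shell
# Added example (not from the NetApp Volumes docs); only apply_cmek_policies calls gcloud.
set -eu

# Google Cloud project IDs: 6-30 chars, lowercase letter first, no trailing hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# gcp.restrictNonCmekServices deny rule for PROJECT_ID ($1), written to file $2.
write_require_cmek_policy() {
  valid_project_id "$1" || { echo "invalid project ID: $1" >&2; return 1; }
  cat > "$2" <<EOF
name: projects/$1/policies/gcp.restrictNonCmekServices
spec:
  rules:
  - values:
      deniedValues:
      - is:netapp.googleapis.com
EOF
}

# gcp.restrictCmekCryptoKeyProjects allow rule: PROJECT_ID ($1) may only use keys from KMS_PROJECT_ID ($2); written to $3.
write_restrict_key_projects_policy() {
  valid_project_id "$1" && valid_project_id "$2" || { echo "invalid project ID" >&2; return 1; }
  cat > "$3" <<EOF
name: projects/$1/policies/gcp.restrictCmekCryptoKeyProjects
spec:
  rules:
  - values:
      allowedValues:
      - under:projects/$2
EOF
}

# Client-side preflight mirroring under:projects/: does key resource name $1 belong to key project $2?
key_in_project() {
  case "$1" in
    projects/"$2"/locations/*/keyRings/*/cryptoKeys/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render both policies for PROJECT_ID ($1) with key project KMS_PROJECT_ID ($2) and apply them.
apply_cmek_policies() {
  write_require_cmek_policy "$1" /tmp/require-cmek.yaml
  write_restrict_key_projects_policy "$1" "$2" /tmp/restrict-keys.yaml
  gcloud org-policies set-policy /tmp/require-cmek.yaml
  gcloud org-policies set-policy /tmp/restrict-keys.yaml
}
```

After applying, gcloud org-policies describe gcp.restrictCmekCryptoKeyProjects --project=PROJECT_ID --effective shows the effective policy on the project, including anything inherited from the folder or organization.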

Limitations

The following limitations apply when setting an organization policy.

Existing resources

Existing resources are not subject to newly created organization policies. For example, if you create an organization policy that requires you to specify a CMEK for every create operation, the policy doesn't retroactively apply to existing instances and backup chains. Those resources are still accessible without a CMEK. If you want to apply the policy to existing resources such as storage pools, you must replace them.

Required permissions to set an organization policy

You need the Organization Policy Administrator role granted at the organization level in order to set or update the organization policy for testing purposes.

You can still specify a policy that only applies to a specific project or folder.

Impact of Cloud KMS key rotation

NetApp Volumes doesn't automatically rotate a resource's encryption key when the Cloud KMS key associated with that resource is rotated.

  • All data in existing storage pools continues to be protected by the key version it was created with.

  • Any newly-created storage pools use the primary key version specified at the time of their creation.

When you rotate a key, data that was encrypted with previous key versions isn't automatically re-encrypted. To protect your data with the latest key version, you must decrypt the resource's data using the old key version and then re-encrypt the same resource with the new key version. In addition, rotating a key doesn't automatically disable or destroy any existing key versions.

For detailed instructions on how to perform each of these tasks, see the following guides:

NetApp Volumes access to the Cloud KMS key

A Cloud KMS key is considered available and accessible by NetApp Volumes under the following conditions:

  • The key is enabled
  • The NetApp Volumes service account has encrypt and decrypt permissions on the key

What's next