Customer-managed encryption keys

If you're using Secret Manager to store and pass your Amazon S3 or Microsoft Azure credentials, you can additionally use a customer-managed encryption key (CMEK) to encrypt those credentials at rest.

See Enable Customer-Managed Encryption Keys for Secret Manager for instructions.

Enforce CMEK with organization policy

To enforce the use of CMEK through an organizational policy, add Storage Transfer Service and Secret Manager to the constraints/gcp.restrictNonCmekServices deny list. Specifically, add:


See Creating and managing organization policies for instructions.

Storage Transfer Service checks for and enforces this restriction at job creation and update. Existing transfer jobs are not affected.