# Customer-managed encryption keys

If you're using Secret Manager to store and pass your Amazon S3 or Microsoft Azure credentials, you can additionally use a [customer-managed encryption key](/kms/docs/cmek) (CMEK) to encrypt those credentials at rest.

See [Enable Customer-Managed Encryption Keys for Secret Manager](/secret-manager/docs/cmek) for instructions.

Enforce CMEK with organization policy
-------------------------------------

To enforce the use of CMEK through an [organizational policy](/resource-manager/docs/organization-policy/overview), add Storage Transfer Service and Secret Manager to the `constraints/gcp.restrictNonCmekServices` deny list. Specifically, add:

- `secretmanager.googleapis.com`
- `storagetransfer.googleapis.com`

See [Creating and managing organization policies](/resource-manager/docs/organization-policy/creating-managing-policies) for instructions.

Storage Transfer Service checks for and enforces this restriction at job creation and update. Existing transfer jobs are not affected.

Last updated 2025-08-28 UTC.
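As an added example (not part of this page or of Google's own tooling), the following shell script writes the `gcp.restrictNonCmekServices` deny-list policy described above in the Organization Policy v2 YAML format that `gcloud org-policies set-policy` consumes, applies it, and then prints the effective policy so you can confirm both services are listed. The organization ID, the `--apply` switch, and the function names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Storage Transfer Service docs: build and apply a
# gcp.restrictNonCmekServices deny list covering Secret Manager and
# Storage Transfer Service. The ORG_ID passed on the command line is a placeholder.
set -eu

# The two services this page says to deny non-CMEK use for.
CMEK_REQUIRED_SERVICES="secretmanager.googleapis.com storagetransfer.googleapis.com"

# write_cmek_policy ORG_ID OUT_FILE
# Emits an Organization Policy v2 YAML document that denies non-CMEK
# resources for every service in CMEK_REQUIRED_SERVICES.
write_cmek_policy() {
  org_id="$1"; out="$2"
  {
    printf 'name: organizations/%s/policies/gcp.restrictNonCmekServices\n' "$org_id"
    printf 'spec:\n  rules:\n  - values:\n      deniedValues:\n'
    for svc in $CMEK_REQUIRED_SERVICES; do
      printf '      - %s\n' "$svc"
    done
  } > "$out"
}

# policy_denies_service FILE SERVICE
# Returns 0 if SERVICE appears as a deniedValues entry in FILE, 1 otherwise.
# Leading indentation is stripped so the match is on the whole list item.
policy_denies_service() {
  sed 's/^[[:space:]]*//' "$1" | grep -Fxq -- "- $2"
}

# apply_cmek_policy ORG_ID
# Writes the policy to a temp file, applies it with gcloud (requires an
# authenticated principal holding orgpolicy.policy.set on the organization),
# and prints the effective policy for review.
apply_cmek_policy() {
  org_id="$1"
  tmp="$(mktemp)"
  write_cmek_policy "$org_id" "$tmp"
  gcloud org-policies set-policy "$tmp"
  gcloud org-policies describe gcp.restrictNonCmekServices \
    --organization="$org_id" --effective
  rm -f "$tmp"
}

# Usage: ./cmek-policy.sh --apply ORG_ID   (hypothetical switch, not a gcloud flag)
if [ "${1:-}" = "--apply" ]; then
  apply_cmek_policy "$2"
fi
```

Because Storage Transfer Service only checks this constraint at job creation and update, transfer jobs created before the policy landed keep running with non-CMEK secrets; create or update a job afterwards to confirm the denial actually takes effect.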