CMEK organization policies


Google Cloud offers two organization policy constraints to help ensure CMEK usage across an organization:

  • constraints/gcp.restrictNonCmekServices is used to require CMEK protection.
  • constraints/gcp.restrictCmekCryptoKeyProjects is used to limit which Cloud KMS keys are used for CMEK protection.

CMEK organization policies only apply to newly created resources within supported Google Cloud services.

Require CMEK protection

To require CMEK protection for your organization, configure the constraints/gcp.restrictNonCmekServices organization policy.

As a list constraint, the accepted values for this constraint are Google Cloud service names (for example, sqladmin.googleapis.com). By configuring a list of Google Cloud service names and setting the constraint to Deny, you can reject resource creation that does not use CMEK in the configured services. In other words, requests to create a resource in the service do not succeed without specifying a Cloud KMS key. This constraint can only be applied to Supported services.

Limit the use of Cloud KMS keys for CMEK

To limit which Cloud KMS keys are used for CMEK protection, configure the constraints/gcp.restrictCmekCryptoKeyProjects constraint.

As a list constraint, the accepted values are resource hierarchy indicators (for example, projects/PROJECT_ID, under:folders/FOLDER_ID, and under:organizations/ORGANIZATION_ID). By configuring a list of resource hierarchy indicators and setting the constraint to Allow, you restrict supported services so that only keys from the listed projects, folders, and organizations can be used for CMEK protection. Requests to create a CMEK-protected resource in the configured services do not succeed unless they specify a Cloud KMS key from one of the allowed projects, folders, or organizations. Where configured, this constraint applies to all Supported services.

Supported services

Service and constraint value when requiring CMEK:

  • Artifact Registry: artifactregistry.googleapis.com
  • BigQuery: bigquery.googleapis.com
  • Cloud Bigtable: bigtable.googleapis.com
  • Cloud Composer: composer.googleapis.com
  • Compute Engine: compute.googleapis.com
  • Google Kubernetes Engine (Preview): container.googleapis.com
  • Dataflow: dataflow.googleapis.com
  • Document AI: documentai.googleapis.com
  • Cloud Logging: logging.googleapis.com
  • Pub/Sub: pubsub.googleapis.com
  • Cloud Spanner: spanner.googleapis.com
  • Cloud SQL: sqladmin.googleapis.com
  • Cloud Storage: storage.googleapis.com

Enforcement exceptions by resource type

CMEK organization policy constraints are enforced when creating a new resource or when changing (where supported) the Cloud KMS key on an existing resource. Generally, they are enforced on all of a service's resource types that support CMEK and based solely on the resource's configuration. Some notable exceptions are summarized here:

Resource type and enforcement exception:

  • bigquery.googleapis.com/Dataset: partially enforced on the dataset default Cloud KMS key (gcp.restrictCmekCryptoKeyProjects only)
  • bigquery.googleapis.com/Job: query jobs only; enforced on the Cloud KMS key provided with the query or the default from the billing project; see also the separate configuration of the project default Cloud KMS key
  • compute.googleapis.com/Instance: enforced based on the configured boot disk
  • container.googleapis.com/Cluster (Preview): enforced on the Cloud KMS key for the node boot disk only; not enforced on secrets at the application layer
  • logging.googleapis.com/LogBucket: enforced on explicitly created log buckets; see also the separate configuration required to ensure compliance of built-in log buckets
  • storage.googleapis.com/Bucket: enforced on the bucket default Cloud KMS key
  • storage.googleapis.com/Object: enforced independently of the bucket; see also the separate configuration of the bucket default Cloud KMS key

Configuration examples

In the configuration examples, assume the sample organization has the following resource hierarchy:

A diagram of an organization resource hierarchy

Require CMEK and limit keys for a project

Suppose you want to require CMEK protection for all Cloud Storage resources under projects/5 and ensure that only keys coming from projects/4 can be used.

To require CMEK protection for all new Cloud Storage resources, use the following organization policy setting:

  • Organization policy: constraints/gcp.restrictNonCmekServices
  • Binding at: projects/5
  • Policy type: Deny
  • Policy value: storage.googleapis.com

To ensure only keys from projects/4 are used, use the following configuration:

  • Organization policy: constraints/gcp.restrictCmekCryptoKeyProjects
  • Binding at: projects/5
  • Policy type: Allow
  • Policy value: projects/4

Require CMEK and limit keys to within a folder

Alternatively, suppose you're expecting to add additional Cloud KMS projects under folders/2 in the future and want to require CMEK more broadly within folders/3. For this scenario, you need slightly different configurations.

To require additional CMEK protection for new Cloud SQL and Cloud Storage resources anywhere under folders/3:

  • Organization policy: constraints/gcp.restrictNonCmekServices
  • Binding at: folders/3
  • Policy type: Deny
  • Policy values: sqladmin.googleapis.com, storage.googleapis.com

To ensure only keys from Cloud KMS projects under folders/2 are used:

  • Organization policy: constraints/gcp.restrictCmekCryptoKeyProjects
  • Binding at: folders/3
  • Policy type: Allow
  • Policy value: under:folders/2

Require CMEK for an organization

To require CMEK everywhere in the organization (in supported services), configure the constraints/gcp.restrictNonCmekServices constraint with the following setting:

  • Organization policy: constraints/gcp.restrictNonCmekServices
  • Binding at: organizations/1
  • Policy type: Deny
  • Policy values: (all supported services)
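The following what-if evaluator is an added example, not Google's code or the gcloud CLI: it models the project-scoped and folder-scoped scenarios above so you can check, before creating a resource, whether the two constraints would admit a given service and key. It assumes a hierarchy the page's diagram does not spell out (projects/4 and a later Cloud KMS project projects/6 under folders/2; projects/5 under folders/3), one binding per constraint that applies to every descendant, and no Organization Policy inheritance merging.

```python
from dataclasses import dataclass

# Assumed hierarchy: the page's diagram is not reproduced, so this shape is a guess.
PARENT = {
    "organizations/1": None,
    "folders/2": "organizations/1",   # Cloud KMS projects live here
    "folders/3": "organizations/1",   # workload projects live here
    "projects/4": "folders/2",        # existing Cloud KMS project
    "projects/6": "folders/2",        # a Cloud KMS project added later
    "projects/5": "folders/3",        # workload project
}

def ancestors(node):
    chain = []
    while node is not None:           # unknown nodes simply end the chain
        chain.append(node)
        node = PARENT.get(node)
    return chain

@dataclass(frozen=True)
class Policy:
    constraint: str   # "gcp.restrictNonCmekServices" or "gcp.restrictCmekCryptoKeyProjects"
    binding: str      # resource the policy is bound to; applies to its descendants
    values: tuple     # denied service names, or allowed resource hierarchy indicators

def key_matches(indicator, key_project):
    """One resource hierarchy indicator: an exact project, or under:<folder or org>."""
    if indicator.startswith("under:"):
        return indicator[len("under:"):] in ancestors(key_project)
    return indicator == key_project

def evaluate(policies, project, service, key=None):
    """(allowed, reason) for creating a `service` resource in `project`; key=None means no CMEK."""
    key_project = None if key is None else "projects/" + key.split("/")[1]
    for p in policies:
        if p.binding not in ancestors(project):
            continue  # bound elsewhere in the hierarchy; does not reach this project
        if p.constraint == "gcp.restrictNonCmekServices":
            if service in p.values and key is None:
                return False, f"{service} requires CMEK (policy at {p.binding})"
        elif p.constraint == "gcp.restrictCmekCryptoKeyProjects":
            if key_project and not any(key_matches(v, key_project) for v in p.values):
                return False, f"key from {key_project} not allowed (policy at {p.binding})"
    return True, "allowed"
# The page's two scenarios, expressed as policies.
PROJECT_SCOPED = (Policy("gcp.restrictNonCmekServices", "projects/5", ("storage.googleapis.com",)),
                  Policy("gcp.restrictCmekCryptoKeyProjects", "projects/5", ("projects/4",)))
FOLDER_SCOPED = (Policy("gcp.restrictNonCmekServices", "folders/3",
                        ("sqladmin.googleapis.com", "storage.googleapis.com")),
                 Policy("gcp.restrictCmekCryptoKeyProjects", "folders/3", ("under:folders/2",)))
```

A key from projects/6 is rejected under PROJECT_SCOPED (exact match on projects/4) but accepted under FOLDER_SCOPED (under:folders/2), which is the difference the folder scenario is designed for.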

Limitations

If you use the Google Cloud console to create a resource, you may notice that you can't use any encryption options other than CMEK when constraints/gcp.restrictNonCmekServices is configured for that project and service. The CMEK organization policy restriction is only visible in the console when the customer account has been granted the orgpolicy.policy.get IAM permission on the project.

What's next?

See Introduction to the Organization Policy Service to learn more about the benefits and common use cases for organization policies.

For more examples on creating an organization policy with particular constraints, see Using constraints.