If you're using Secret Manager to store and pass your Amazon S3 or
Microsoft Azure credentials, you can additionally use a
customer-managed encryption key (CMEK) to encrypt those credentials at
rest.
To enforce the use of CMEK through an organizational policy,
add Storage Transfer Service and Secret Manager to the
constraints/gcp.restrictNonCmekServices deny list. Specifically, add:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-02-14 UTC."],[],[]]