If you're using Secret Manager to store and pass your Amazon S3 or Microsoft Azure credentials, you can additionally use a customer-managed encryption key (CMEK) to encrypt those credentials at rest.
See Enable Customer-Managed Encryption Keys for Secret Manager for instructions.
Enforce CMEK with organization policy
To enforce the use of CMEK through an organization policy, add Storage Transfer Service and Secret Manager to the constraints/gcp.restrictNonCmekServices deny list. Specifically, add:
secretmanager.googleapis.com
storagetransfer.googleapis.com
See Creating and managing organization policies for instructions.
Storage Transfer Service checks for and enforces this restriction at job creation and update. Existing transfer jobs are not affected.
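The deny-list policy described above, as an added example rather than text from this page: a small shell helper that emits the organization policy YAML for gcp.restrictNonCmekServices with both services denied, plus a check that both entries are present. The organization ID 123456789012 is a placeholder; `gcloud org-policies set-policy` replaces the whole policy for that constraint, so merge any deniedValues you already have into the file before applying it.

```shell
#!/usr/bin/env sh
# Added example (not from the original page). Builds an organization policy
# that denies non-CMEK use of Secret Manager and Storage Transfer Service.
# The organization ID is a placeholder supplied by the caller.
cmek_policy_yaml() {
  org_id="$1"
  cat <<EOF
name: organizations/${org_id}/policies/gcp.restrictNonCmekServices
spec:
  rules:
  - values:
      deniedValues:
      - secretmanager.googleapis.com
      - storagetransfer.googleapis.com
EOF
}

# Returns 0 only if the policy text denies both services named on this page,
# so a merged policy file can be checked before it is applied.
policy_denies_sts_and_secret_manager() {
  printf '%s\n' "$1" | grep -q 'storagetransfer.googleapis.com' &&
  printf '%s\n' "$1" | grep -q 'secretmanager.googleapis.com'
}

# Apply (needs orgpolicy.policy.set on the organization), then confirm the
# effective policy; both commands are shown as comments so the helper itself
# runs without gcloud installed:
#   cmek_policy_yaml 123456789012 > restrict-non-cmek.yaml
#   gcloud org-policies set-policy restrict-non-cmek.yaml
#   gcloud org-policies describe gcp.restrictNonCmekServices \
#       --organization=123456789012 --effective
```

Because the constraint is enforced only when a transfer job is created or updated, audit existing jobs separately; the policy does not retroactively fail them.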