Requirement:

Enforce the use of Customer-Managed Encryption Keys (CMEK) for all new Cloud Storage resources in the organization.

Policy Constraint:

Use the constraints/gcp.restrictNonCmekServices constraint to enforce CMEK usage.

Policy Type and Value:

Set the policy type to allow to specify which services must use CMEK.

In this case, the policy value should be storage.googleapis.com to target Cloud Storage.

Command:

Applying the organization policy with the appropriate binding ensures that all new Cloud Storage resources under the organization will require CMEK.

Steps:

Step 1: Go to the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Apply the policy constraint constraints/gcp.restrictNonCmekServices with the allow policy type and storage.googleapis.com as the policy value.