To implement a Zero Trust architecture that evaluates device posture (OS version, encryption, etc.) for access to data in Cloud Storage, you must use Context-Aware Access (CAA). CAA relies on Access Context Manager to define "Access Levels" and VPC Service Controls (VPC-SC) to enforce those levels for managed services like Cloud Storage.

According to Google Cloud Documentation (Context-Aware Access with VPC Service Controls):

"VPC Service Controls can use Access Context Manager access levels to restrict access based on a variety of attributes, including user identity, device security status (device policy), and IP address.2 By applying an access level to a service perimeter, you can ensure that only requests meeting those specific contextual requirements can access the resources within that perimeter."

Implementation Steps:

Access Context Manager: Create an access level that checks for device management status, minimum OS version, and other posture requirements (verified by the Chrome Enterprise/Endpoint Verification agent).

VPC Service Controls: Create a service perimeter around the project containing the Cloud Storage buckets.

Policy Binding: Associate the Access Level with the VPC-SC perimeter. Any request that doesn't meet the device policy (e.g., outdated OS) will be blocked at the API layer, even if the user has the correct IAM roles.