Enforce or restrict the encryption types for a bucket

This document describes how to configure which encryption methods are allowed or restricted for new objects in a Cloud Storage bucket. You can configure a bucket to enforce or restrict the use of standard encryption (Google default encryption), customer-managed encryption keys (CMEK), or customer-supplied encryption keys (CSEK) for any new objects that are created within the bucket.

For example, to help meet your compliance requirements about encryption key management, you can require that all new objects are encrypted with either standard encryption or CMEK, and restrict the use of customer-supplied encryption keys.

For more information about the encryption methods that are available, see Data encryption options .

Cloud Storage enforces the encryption configuration for all actions that create a new object, such as uploading an object, copying an object, composing objects, and restoring a soft-deleted object.

Before you begin

To get the permissions that you need to configure encryption enforcement for a bucket, ask your administrator to grant you the Storage Admin ( roles/storage.admin ) IAM role on bucket. For more information about granting roles, see Manage access to projects, folders, and organizations .

This predefined role contains the permissions required to configure encryption enforcement for a bucket. To see the exact permissions that are required, expand the Required permissionssection:

Required permissions

The following permissions are required to configure encryption enforcement for a bucket:

Set the configuration when creating a new bucket: storage.buckets.create
Update the configuration for an existing bucket: storage.buckets.update
If you use the Google Cloud console to perform the steps on this page:
- storage.buckets.get
- storage.buckets.list

You might also be able to get these permissions with custom roles or other predefined roles .

Create a bucket that enforces encryption types

You can specify the encryption methods that are allowed or restricted for the objects in a bucket when you create a new bucket .

If you set a default Cloud KMS key for the bucket, then you must also allow encryption using CMEKs or customer-supplied encryption keys.

Console

In the Google Cloud console, go to the Cloud Storage Buckets page.

Go to Buckets
Click Create .
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:
1. In the Get started section, do the following:
  - Enter a globally unique name that meets the bucket name requirements .
  - To add a bucket label , click the expander arrow to expand the Labels section, click Add label , and specify a key and a value for your label.
2. In the Choose where to store your data section, do the following:
  1. Select a Location type .
  2. Use the location type's drop-down menu to select a Location where object data within your bucket will be permanently stored.
    - If you select the dual-region location type, you can also choose to enable turbo replication by using the relevant checkbox.
  3. To set up cross-bucket replication , select Add cross-bucket replication via Storage Transfer Service and follow the steps:
    Set up cross-bucket replication
    
    In the Bucket menu, select a bucket.
    
    In the Replication settings section, click Configure to configure settings for the replication job.
    
    The Configure cross-bucket replication pane appears.
    
    To filter objects to replicate by object name prefix, enter a prefix with which you want to include or exclude objects, then click Add a prefix .
    
    To set a storage class for the replicated objects, select a storage class from the Storage class menu. If you skip this step, the replicated objects will use the destination bucket's storage class by default.
    
    Click Done .
3. In the Choose how to store your data section, do the following:
  1. Select a default storage class for the bucket or Autoclass for automatic storage class management of your bucket's data.
  2. In the Optimize storage for data-intensive workloads section, do the following:
    - To enable hierarchical namespace , select Enable Hierarchical namespace on this bucket .
      
      Note: Hierarchical namespace can only be enabled when you create the bucket. You can't change this setting after you create the bucket.
    - To enable Rapid Cache , select Enable Rapid Cache and follow the steps:
      1. To create caches, click Configure .
      2. In the Configure cache settings dialog that appears, click the drop-down arrow next to the listed regions and select the zones where you want to create caches.
      3. Click Done .
4. In the Choose how to control access to objects section, select whether or not your bucket enforces public access prevention , and select uniform bucket-level access for your bucket's objects.
  
  Note: If public access prevention is already enforced by your project's organization policy , the Prevent public access checkbox is locked.
5. In the Choose how to protect object data section, do the following:
  - Select any of the options under Data protection that you want to set for your bucket.
  - To change the amount of time that soft delete retains objects after deletion, select the Soft delete policy checkbox, and then select the Set custom retention duration option. Then, specify how long you want to retain deleted objects.
    
    To disable soft delete, for example if the bucket will primarily contain short-lived, temporary data, clear the Soft delete policy checkbox.
  - To choose how to encrypt your object data, click the expander arrow labeled Data encryption , and do the following:
    - In the Default encryption key type section, select the default encryption key for the bucket. If you select Cloud KMS key , then provide a Cloud Key Management Service key .
    - In the Encryption enforcement rules section, for Key types , select which encryption types to allow or restrict for new objects in the bucket.
Click Create .

gcloud

Create a JSON file that contains the following information:
```
 { 
  
 "gmekEnforcement" 
 : 
  
 { 
 "restrictionMode" 
 : 
  
 " STANDARD_ENCRYPTION_RESTRICTION_MODE 
" 
 }, 
  
 "cmekEnforcement" 
 : 
  
 { 
 "restrictionMode" 
 : 
  
 " CMEK_RESTRICTION_MODE 
" 
 }, 
  
 "csekEnforcement" 
 : 
  
 { 
 "restrictionMode" 
 : 
  
 " CSEK_RESTRICTION_MODE 
" 
 } 
 } 
```
Replace the following:
- STANDARD_ENCRYPTION_RESTRICTION_MODE : Whether encryption using standard encryption (Google default encryption) is allowed when creating objects in this bucket. The following values are supported:
  - NotRestricted : new objects can use standard encryption.
  - FullyRestricted : new objects can't use standard encryption.
- CMEK_RESTRICTION_MODE : Whether encryption using CMEKs is allowed when creating objects in this bucket. The following values are supported:
  - NotRestricted : new objects can use CMEKs.
  - FullyRestricted : new objects can't use CMEKs.
- CSEK_RESTRICTION_MODE : Whether encryption using customer-supplied encryption keys is allowed when creating objects in this bucket. The following values are supported:
  - NotRestricted : new objects can use customer-supplied encryption keys.
  - FullyRestricted : new objects can't use customer-supplied encryption keys.
You must allow at least one encryption type. If you omit the enforcement configuration for a specific encryption type, then that encryption type is allowed by default.
Use the gcloud storage buckets create command with the --encryption-enforcement-file flag:
```
gcloud  
storage  
buckets  
create  
gs:// BUCKET_NAME 
  
 \ 
  
--encryption-enforcement-file = 
 ENCRYPTION_ENFORCEMENT_FILE 
```
Replace the following:
- BUCKET_NAME : the name of the bucket.
- ENCRYPTION_ENFORCEMENT_FILE : the path to the JSON file that you created in the previous step.