Granting cloudtrail permission to encrypt without having to name the accounts individually

I would like to allow accounts within my Organization to be able to use my key to encrypt without naming the accounts individually. Can I use my organization ID as it is in the policy below? I am under the impression that some AWS services do not support using the organization ID or the principal global condition key context.

{
  "Sid": "Allow CloudTrail to encrypt logs",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": [
        "arn:aws:cloudtrail:*:${var.organization_id}:trail/*"
      ]
    }
  }
}
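The condition in the statement above is a `StringLike` match on the `aws:cloudtrail:arn` encryption-context value that CloudTrail sends with its `GenerateDataKey` request, and that value is the trail's ARN, which has the form `arn:aws:cloudtrail:region:account-id:trail/name`. The following Python is an added example, not code from the original post or from AWS: it implements the `StringLike` wildcard semantics (`*` and `?` only) and evaluates a statement against constructed trail ARNs, so a pattern can be checked against the ARNs it is meant to cover before the key policy is changed. All account and organization IDs in it are made up.

```python
import re

ENC_CTX_PREFIX = "kms:EncryptionContext:"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run of characters,
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_allows(statement: dict, encryption_context: dict) -> bool:
    """Evaluate only the StringLike block of a key-policy statement against
    the encryption context of a KMS request. Every condition key must match
    at least one of its patterns; a missing context key fails the match."""
    string_like = statement.get("Condition", {}).get("StringLike", {})
    for key, patterns in string_like.items():
        if not key.startswith(ENC_CTX_PREFIX):
            continue  # other condition keys are out of scope for this check
        value = encryption_context.get(key[len(ENC_CTX_PREFIX):])
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(iam_string_like(p, value) for p in patterns):
            return False
    return True


def build_statement(account_pattern: str) -> dict:
    """The statement from the question, with the account position of the
    trail ARN pattern supplied by the caller (hypothetical helper)."""
    return {
        "Sid": "Allow CloudTrail to encrypt logs",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": [
                    f"arn:aws:cloudtrail:*:{account_pattern}:trail/*"
                ]
            }
        },
    }


# Constructed sample identifiers; not real accounts, organizations or trails.
MGMT_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"
ORG_ID = "o-exampleorgid"
TRAIL_IN_MGMT = f"arn:aws:cloudtrail:us-east-1:{MGMT_ACCOUNT}:trail/org-trail"
TRAIL_IN_MEMBER = f"arn:aws:cloudtrail:eu-west-1:{MEMBER_ACCOUNT}:trail/local"


def check(account_pattern: str, trail_arn: str) -> bool:
    """Would CloudTrail's GenerateDataKey call for trail_arn satisfy the
    condition when the pattern uses account_pattern in the account slot?"""
    return condition_allows(
        build_statement(account_pattern), {"aws:cloudtrail:arn": trail_arn}
    )


if __name__ == "__main__":
    for pattern in (MGMT_ACCOUNT, ORG_ID, "*"):
        for arn in (TRAIL_IN_MGMT, TRAIL_IN_MEMBER):
            print(f"{pattern:>16} vs {arn}: {check(pattern, arn)}")
```

Running it prints one line per pattern/ARN pair. Because the account slot of a trail ARN holds a 12-digit account ID, a pattern with an organization ID in that slot matches none of the constructed ARNs, a pattern with a specific account ID matches only trails in that account, and `*` matches every trail in every account, including accounts outside the organization.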