Granting CloudTrail permission to encrypt without having to name the accounts individually

I would like to allow accounts within my Organization to use my key to encrypt without naming the accounts individually. Can I use my organization ID as it is in the policy below? I ask because I am under the impression that some AWS services do not support using the organization ID or principal global key context.

"Sid": "Allow Cloudtrail to encrypt logs",
"Effect": "Allow",
"Action": "kms:GenerateDataKey*",
"Resource": "*",
"Condition": {
  "StringLike": {

Hi, thank you for your post! This is not a GitHub-related post, so you may find more help in more general forums like Stack Overflow.