IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles


No user should hold both the KMS admin role and an encrypter/decrypter role, because such a user could create a key and then immediately use it to encrypt or decrypt data. Separation of duties ensures that no single individual has every permission needed to complete a malicious action on their own.
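To check a project's IAM policy for this separation-of-duties violation, here is an added Python example (not part of this page or of any tool it describes). It assumes policy JSON in the shape `gcloud projects get-iam-policy PROJECT --format=json` prints, uses the `roles/cloudkms.*` identifiers that correspond to the display names on this page, and runs against a constructed sample policy whose members and project name are made up. It reports every member holding Cloud KMS Admin together with any encrypter/decrypter role, and shows how removing the conflicting role binding from a member clears the finding.

```python
import copy
import json

# Role identifiers as they appear in a GCP IAM policy. The page names these
# roles by their console display names; the roles/ IDs below are the
# corresponding identifiers.
KMS_ADMIN_ROLE = "roles/cloudkms.admin"
KMS_CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",  # Cloud KMS CryptoKey Encrypter/Decrypter
    "roles/cloudkms.cryptoKeyEncrypter",           # Cloud KMS CryptoKey Encrypter
    "roles/cloudkms.cryptoKeyDecrypter",           # Cloud KMS CryptoKey Decrypter
}

# Constructed sample policy in the shape `gcloud projects get-iam-policy
# PROJECT --format=json` prints. Members, project name and etag are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.admin",
     "members": ["user:alice@example.com",
                 "serviceAccount:kms-ops@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:kms-ops@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}.

    Conditional bindings are counted as well: a condition narrows when the
    grant applies, but for a separation-of-duties check it is safer to
    treat the role as held and let a reviewer decide.
    """
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def find_sod_violations(policy):
    """Return {member: sorted conflicting crypto roles} for every member that
    holds roles/cloudkms.admin together with at least one encrypter/decrypter
    role. Members with only one side of the conflict are not reported."""
    violations = {}
    for member, roles in roles_by_member(policy).items():
        if KMS_ADMIN_ROLE in roles:
            conflicting = sorted(roles & KMS_CRYPTO_ROLES)
            if conflicting:
                violations[member] = conflicting
    return violations


def remove_member_from_roles(policy, member, roles):
    """Return a copy of the policy with `member` dropped from the given roles.

    Bindings left with no members are removed entirely, which is the form
    a policy is normally written back in. The input policy is not modified.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        members = binding.get("members", [])
        if binding["role"] in roles:
            members = [m for m in members if m != member]
        if members:
            binding["members"] = members
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for member, roles in find_sod_violations(SAMPLE_POLICY).items():
        print(f"{member}: holds {KMS_ADMIN_ROLE} together with {', '.join(roles)}")
```

In the sample, `alice` and the `kms-ops` service account are flagged because each holds the admin role plus a crypto role, while `bob` (encrypter/decrypter only) and `carol` are not. Whether to strip the admin role or the crypto role from a flagged member is a policy decision; the helper removes whichever roles you pass it.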

Remediation Steps

Google Cloud Console

  • Navigate to IAM.

  • Remove any member that has Cloud KMS Admin, Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, or Cloud KMS CryptoKey Decrypter access by selecting the delete (bin) icon.

gcloud CLI

  • There are no steps to remove users via the CLI.