IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles¶
Description¶
No principal should hold the Cloud KMS Admin role together with any of the Cloud KMS CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter roles, because a single identity could create a key and then immediately use it to encrypt or decrypt data. Separation of duties ensures that no one individual has every permission needed to complete a malicious action. IAM bindings are inherited, so a member can also acquire these roles through an organization or folder binding, or directly on a key ring or key; review all of those levels, not only the project.
Remediation Steps¶
Google Cloud Console¶
1. Navigate to IAM.
2. Identify every member that holds Cloud KMS Admin together with any of Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, or Cloud KMS CryptoKey Decrypter.
3. For each such member, remove one side of the conflict (normally the encrypter/decrypter role for key administrators, or the Admin role for key users) by selecting the Delete Bin icon next to that role binding.
gcloud CLI¶
Bindings can be inspected with `gcloud projects get-iam-policy PROJECT_ID --format=json` and removed with `gcloud projects remove-iam-policy-binding PROJECT_ID --member=MEMBER --role=ROLE`, one call per role (for example `--role=roles/cloudkms.cryptoKeyEncrypterDecrypter`).
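The following script is an added example, not part of this page or of any vendor tooling. It audits the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, reports every member holding Cloud KMS Admin together with an encrypter/decrypter role, and generates the matching `gcloud projects remove-iam-policy-binding` commands. The policy document and project ID below are constructed for the example; the function names are my own.

```python
"""Detect Cloud KMS separation-of-duties violations in an IAM policy.

Input format: the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`.
The SAMPLE_POLICY below is constructed for this example and is not a real project.
"""
import json

KMS_ADMIN = "roles/cloudkms.admin"
KMS_CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Constructed sample policy: alice violates the rule, bob and carol do not.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.admin",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:alice@example.com",
                 "serviceAccount:app@example.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["user:alice@example.com", "user:carol@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyZ123",
  "version": 1
}""")


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}.

    A binding with an IAM condition is still counted as a grant: the condition
    may only narrow the grant by time or resource, so treating it as held is
    the conservative choice for an audit.
    """
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def find_conflicts(policy):
    """Return {member: sorted crypto roles} for every member that holds
    Cloud KMS Admin together with at least one encrypter/decrypter role."""
    conflicts = {}
    for member, roles in roles_by_member(policy).items():
        if KMS_ADMIN in roles:
            crypto = sorted(roles & KMS_CRYPTO_ROLES)
            if crypto:
                conflicts[member] = crypto
    return conflicts


def remediation_commands(project_id, conflicts):
    """Build gcloud commands that drop the encrypter/decrypter side of each
    conflict and leave Cloud KMS Admin in place. Drop the admin binding
    instead when the member's job is to use keys rather than manage them."""
    cmds = []
    for member, roles in sorted(conflicts.items()):
        for role in roles:
            cmds.append(
                f"gcloud projects remove-iam-policy-binding {project_id} "
                f"--member={member} --role={role}"
            )
    return cmds


if __name__ == "__main__":
    found = find_conflicts(SAMPLE_POLICY)
    for member, roles in found.items():
        print(f"VIOLATION {member}: admin + {', '.join(roles)}")
    for cmd in remediation_commands("example-project", found):
        print(cmd)
```

Run it against a real project by replacing `SAMPLE_POLICY` with `json.load(sys.stdin)` and piping in `gcloud projects get-iam-policy PROJECT_ID --format=json`; repeat for the organization and folder policies, since a member flagged clean at the project level may still hold an inherited role.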