IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles

Description

No user should have both KMS admin and encrypter/decrypter roles because they could create a key then immediately use it to encrypt/decrypt data. Separation of duties ensures that no one individual has all necessary permissions to complete a malicious action.

Remediation Steps

Google Cloud Console

• Navigate to IAM.

• Remove any member that has Cloud KMS Admin, Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, or Cloud KMS CryptoKey Decrypter access by selecting the Delete Bin icon.

gcloud CLI

• There are not steps to remove users via the CLI.

Documentation Links

Runtime

• Using IAM securely

• Separation of duties