IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles
No member should hold Cloud KMS Admin together with a Cloud KMS CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter role. The admin role controls keys (creating them, rotating them, setting their IAM policy) and the crypto roles use them, so one person holding both could grant themselves access to a key and then decrypt data that the key protects. Separation of duties ensures that no single individual holds all the permissions needed to complete a malicious action.
Google Cloud Console
Navigate to IAM.
For every member that holds Cloud KMS Admin together with any of the following roles, remove one of the conflicting roles by selecting the Delete Bin icon next to it:
Cloud KMS CryptoKey Encrypter/Decrypter,
Cloud KMS CryptoKey Encrypter, or
Cloud KMS CryptoKey Decrypter.
The benchmark gives no CLI remediation step. The equivalent gcloud command is gcloud projects remove-iam-policy-binding PROJECT_ID --member=MEMBER --role=ROLE, run once for each conflicting binding; bindings that carry an IAM condition additionally need --condition or --all. Note that the project IAM page only shows project-level bindings: roles granted directly on a key ring or key, or inherited through a group, are not visible there and must be checked separately.
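The following is an added example, not part of the benchmark, that automates the check above: it inverts a project IAM policy (in the JSON shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`) into member-to-roles, reports every member that holds KMS Admin together with any KMS crypto role, and emits the gcloud commands that would remove the conflicting crypto binding. The policy document, project ID and member names are constructed sample data; the role IDs are the real Cloud KMS role names.

```python
"""Separation-of-duties check for Cloud KMS roles in a GCP project IAM policy.

Added example, not the benchmark's own tooling. SAMPLE_POLICY_JSON is a
constructed policy in the shape returned by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

KMS_ADMIN = "roles/cloudkms.admin"
KMS_CRYPTO_ROLES = frozenset({
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
})

# Constructed sample data: alice and the kms-ops service account violate the
# rule; bob (admin only), carol (decrypter only) and the developers group
# (encrypter only) do not.
SAMPLE_POLICY_JSON = json.dumps({
    "version": 3,
    "etag": "BwABC123constructed",
    "bindings": [
        {"role": "roles/cloudkms.admin",
         "members": ["user:alice@example.com",
                     "user:bob@example.com",
                     "serviceAccount:kms-ops@example.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["user:alice@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["user:carol@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["serviceAccount:kms-ops@example.iam.gserviceaccount.com",
                     "group:developers@example.com"],
         # Conditional binding: still counted as held, since the condition
         # may evaluate true at the moment the role is abused.
         "condition": {"title": "until 2030",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ],
})


def roles_by_member(policy: dict) -> dict[str, set[str]]:
    """Invert the bindings list into member -> set of roles held.

    Group memberships are not expanded: a group holding one role and a user
    in that group holding the other will not be detected here.
    """
    held: dict[str, set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def find_sod_violations(policy_json: str) -> dict[str, set[str]]:
    """Return member -> conflicting crypto roles, for members that also hold KMS Admin."""
    held = roles_by_member(json.loads(policy_json))
    return {
        member: roles & KMS_CRYPTO_ROLES
        for member, roles in held.items()
        if KMS_ADMIN in roles and roles & KMS_CRYPTO_ROLES
    }


def remediation_commands(project_id: str, violations: dict[str, set[str]]) -> list[str]:
    """gcloud commands that strip the crypto role(s) and leave KMS Admin in place.

    Removing the admin role instead is equally valid; which side to keep is a
    policy decision. Bindings with an IAM condition need --condition or --all
    appended before gcloud will remove them.
    """
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for member in sorted(violations)
        for role in sorted(violations[member])
    ]


if __name__ == "__main__":
    found = find_sod_violations(SAMPLE_POLICY_JSON)
    for member, roles in sorted(found.items()):
        print(f"VIOLATION {member}: KMS Admin + {', '.join(sorted(roles))}")
    for cmd in remediation_commands("my-project", found):
        print(cmd)
```

Against a live project, replace SAMPLE_POLICY_JSON with the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, and repeat the check on key-ring and key IAM policies (`gcloud kms keyrings get-iam-policy` and `gcloud kms keys get-iam-policy`), since those bindings do not appear in the project policy.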