Description:
The IAM policy on Cloud KMS 'cryptokeys' should restrict anonymous and/or public access.
Rationale:
Granting permissions to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the cryptokey. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS 'cryptokey' is not allowed.
Removing the bindings for the 'allUsers' and 'allAuthenticatedUsers' members denies anonymous and public users access to 'cryptokeys'.
From Google Cloud CLI
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'