GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
PubSub Lite Delivery Requirement Should Be Set
More Info:
Ensure subscription delivery requirement is set
Risk Level
Low
Address
Operational Maturity, Reliability
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the PubSub Lite Delivery Requirement misconfiguration in GCP, you can follow these steps:
- Log in to the GCP console and navigate to the Pub/Sub Lite section.
- Select the topic for which you want to set the delivery requirement.
- Click on the “Delivery Requirement” tab.
- In the “Delivery Requirement” section, select the desired delivery requirement from the dropdown menu.
- Click “Save” to apply the changes.
Note: The available delivery requirements are “At least once” and “Exactly once”. Selecting “At least once” means that messages will be delivered at least once, but may be duplicated. Selecting “Exactly once” means that messages will be delivered exactly once, but may require additional configuration and may result in higher latency.
The PubSub Lite Delivery Requirement should be set to ensure that messages are delivered to at least two independent zones within a region. Here are the steps to remediate this misconfiguration for GCP using GCP CLI:
-
Open the Google Cloud Console and navigate to the Pub/Sub Lite topic that needs to be remediated.
-
Click on the “Edit” button to edit the topic configuration.
-
In the “Delivery” section, select “At least two zones” from the drop-down menu.
-
Click on the “Save” button to save the changes.
Alternatively, you can use the following GCP CLI command to set the delivery requirement for a Pub/Sub Lite topic:
gcloud pubsub lite-topics update [TOPIC_NAME] --delivery-requirement=2
Replace [TOPIC_NAME] with the name of the Pub/Sub Lite topic that needs to be remediated. This command sets the delivery requirement to at least two zones within the region.
The Pub/Sub Lite delivery requirement should be set to ensure that messages are delivered at least once. To remediate this issue in GCP using Python, follow these steps:
- Install the Google Cloud Pub/Sub Lite client library for Python by running the following command in your terminal or command prompt:
pip install google-cloud-pubsublite
- Import the necessary libraries and create a client object for Pub/Sub Lite:
from google.cloud.pubsublite import AdminClient, SubscriptionPath, Subscription
from google.cloud.pubsublite.types import SubscriptionDeliveryConfig, DeliveryRequirement
# Replace <project-id> and <region> with your project ID and region, respectively.
project_id = "<project-id>"
region = "<region>"
client = AdminClient()
subscription_path = SubscriptionPath(project_id, region, "<subscription-name>")
- Get the current subscription configuration:
subscription = client.get_subscription(subscription_path)
- Set the delivery requirement to
DeliveryRequirement.DELIVER_AFTER_STORED:
delivery_config = SubscriptionDeliveryConfig(
delivery_requirement=DeliveryRequirement.DELIVER_AFTER_STORED
)
subscription.delivery_config = delivery_config
- Update the subscription with the new configuration:
client.update_subscription(subscription)
After completing these steps, your Pub/Sub Lite subscription will have the correct delivery requirement set.